Well, Britain, you’ve done it. The referendum is over and it’s time to start thinking ahead about how the UK will reconcile its new laws and regulations. I believe that the UK could be at the beginning of a cybersecurity Renaissance, and I’ll explain why.
At this point, it is uncertain how long it will take the United Kingdom to fully leave the EU, although the plan is that there will be a two-year transition phase. The next step in the process, according to Article 50 of the Lisbon Treaty, is for the UK to notify the EU council, although I’m sure this will come as no surprise.
Discussions will ensue to negotiate the process of the departure. If no discussions take place and no agreements are in place in two years, the UK will no longer fall under EU jurisdiction.
Let’s take a look at some of the EU cybersecurity laws, directives and initiatives and how their absence could affect the UK.
What is it?
Directives, laws and regulations are best implemented when there is an overarching strategy in place to support the plans, ideals and goals of the legislation. The EU Cybersecurity Plan is a bit antiquated, and the UK government has a real opportunity to put forth a new, strong, technically savvy plan that addresses cyber-resilience in this new age of cyber threats.
What is the UK’s next move?
Much like the United States’ Cybersecurity National Action Plan (CNAP), the UK should focus on building up its cybersecurity workforce and building new ways for businesses to detect, respond, track and share information on threats. The UK has an opportunity to not only bolster its security posture, but become a major cybersecurity player in the world by encouraging information security businesses, professionals and educators to work toward a common goal to address and respond to threats.
What is it?
Stemming from the EU’s Cybersecurity Plan, the NIS is a directive that was adopted on 17 May 2016 to go into full effect in August 2016. The NIS seeks to improve the EU’s cyber-resilience by:
- Identifying critical industry sectors, such as energy, transport, finance and health. Within each of these sectors, member states must identify which organisations are providing essential services. This falls right in step with standard security procedures, beginning with identifying your critical assets and services. These critical industries will also be required to report cyber-incidents to their national authorities (see below).
- Identifying providers of digital services, including e-commerce platforms, search engines, cloud services, etc. Naturally so, these providers will be treated differently than critical industry providers and subject to different rules and regulations. The EU recognises that these businesses depend on the freedom of information (and transportation thereof) between member states.
- Each member state will be responsible for designating (or creating) national authorities to be responsible for cybersecurity.
- These authorities will also be tasked with creating national Computer Security Incident Response Teams (CSIRTs) to track, report and share information on cyberattacks.
What is the UK’s next move?
The UK is on track with creating its own CSIRT as the UK-CERT already exists. As for classifying critical businesses and organisations, if they haven’t already done so, this should be relatively easy for the UK. The hard part will be in introducing legislation to parliament that will focus on the laws that will govern them. This would naturally include information and technology standards, guidelines, policies and response plans.
There are three recommendations that I have for the UK in replacing the NIS with its own directives:
- The cyber posture of the UK’s critical infrastructure should be heavily scrutinised with technically competent oversight. There should be a strong partnership between private critical infrastructure providers and the government, UK-CERT and even, yes, the military. Foreign adversaries have increasingly targeted critical infrastructure and cooperating with the military can provide a lot of forewarning into upcoming attacks. In my controversial personal opinion, more critical infrastructure organisations should conduct studies around pulling the plug and air-gapping their most sensitive systems.
- The UK-CERT should ensure that relationships that have been made with other EU CSIRTs are kept intact, even strengthened. Cyber threat intelligence sharing has become a critical tool for predicting, detecting and responding to large-scale attacks. I would hate to see EU CSIRTs or the UK-CERT fail to share critical information indicators or intelligence simply because of Brexit. Just as the Internet is without borders, so should the sharing of cyber threat intelligence.
- While we should always strive for preventing cyberattacks, we have seen that the most destructive and clever attacks have thwarted preventive technology. Therefore, I would urge the UK to focus more on the detection and response to these threats. This not only includes emphasising the importance of full network and endpoint visibility technology, but the education, training and development of the nation’s cyber-response professionals. This includes, but is not limited to:
  - Fostering innovative approaches to getting the next generation workforce interested, and subsequently trained, in cybersecurity. I would recommend that this not just be aimed at university-level, but even younger kids in high school. I would love to see more organisations like 1nterrupt, which is focused on educating this age-level on security, popping up all over the United Kingdom.
  - Creating education programmes to recruit (or create) cybersecurity professionals to join the UK government to help create new policies, technology and defend against threats.
  - Creating attractive new financial programmes for cybersecurity companies to innovate and operate in the United Kingdom. This could include tax incentives for foreign companies to locate offices in the UK or visa sponsorship for those considering cybersecurity as a profession. These types of proactive economic plans could position the UK as Europe’s cybersecurity capital.
What is it?
The GDPR is the EU’s latest legislation and its aim is to alleviate the continent’s privacy concerns by:
- Establishing data privacy rights around the use and protection of personal data (as per the EU website) including the right ‘to be forgotten’, the right to object and the right of data portability from one service provider to another.
- Mandating that companies that process personal data appoint a Data Protection Officer, whose responsibility is to ensure that proper controls are in place, monitored and reported to the government.
- Forming an independent supervisory authority in UN member states that is responsible for reporting and enforcement of the data protection regulations.
- Requiring companies of each UN member state to report material data breaches that involve personal information to their national authorities mentioned above, or face fines of up to €20 million or 4% of their annual revenue.
What is the UK’s next move?
Historically, from compromises such as last year’s TalkTalk breach, we have seen that UK citizens take their personal data very seriously. It will be imperative for the government to act quickly in establishing personal data protection regulations, standards and authorities. The first step should be for the UK to form a comprehensive definition of what personal data actually is. Once completed, this should naturally lead to a ‘domino effect’ for laws and regulations to fall into place to support the confidentiality, integrity and availability of the data. Perhaps the United States and the United Kingdom could work together on this, since the US hasn’t completed this first step yet!
What is it?
Finally, we come to the long-anticipated Safe Harbor Framework, which was designed to facilitate the exchange of personal data between the United States and EU member states. Since the EU data protection directives differ from the United States’ privacy laws, it was necessary to streamline this process between the two. In October 2015, partially stemming from the Snowden Revelations, the EU issued a judgment declaring Safe Harbor invalid. Since then, the EU and the US have been working closely on a new framework called Privacy Shield.
What is the UK’s next move?
The UK could be in congruence with the EU-US Privacy Shield agreement. Transfer of sensitive data across borders has become critical in this new cloud and mobile age, and having a trilateral agreement on this subject would be very beneficial for all parties involved. Too much investment is at stake for the UK not to be in the middle of these agreements by participating and influencing the next iteration of the framework.
Summing it All Up
For right or wrong, good or bad, the UK has decided to leave the European Union. The sole intent of the referendum was to make the right decision for the government, businesses and citizens. Now that the decision has been made, it is critically important for all of us to look ahead and challenge ourselves to make the best decisions and plans…not just for today, but also for tomorrow.
With that in mind, I think that the UK has a chance to reinvent its economy and identify itself as a world leader when it comes to cybersecurity. Because threats know no borders. Threats do not respect laws, regulations, directives, frameworks or referendums. Threats transcend privacy and confidentiality. It will be paramount for the UK and EU to find common ground, and keep the lines of sharing open, in a post-referendum world.
Fidelis stands with both the United Kingdom and the European Union in leaving attackers no place to hide.
God save the Queen.
-- Justin Harvey, Fidelis Cybersecurity CSO