Experts warn of 'brain drain' if intelligence sharing is absent from Brexit deal

The Union Jack and the European flag with a diagonal tear spitting the apart.

All businesses, regardless of their size or location in the world, operate under the constant threat of cyber crime. Hackers are forever finding new ways to control devices, take down critical infrastructure and gain access to sensitive information, and it seems everyone is a target.

You only need to look at rising global cyber crime crises to get a sense of the severity of the situation. The WannaCry ransomware attack in 2017 proved to be one of the widest reaching attacks in history, thought to have affected around 200,000 systems in more than 150 countries.

In terms of lost data, the two separate breaches on Yahoo in 2013 and 2014 still hold the record at 2 billion affected customers. However, since then we've seen major hacks on, which exposed 412 million accounts in 2016, and a hack on Equifax a year later affected 143 million customers.

Yet the proportion of attacks is far from equal across the world, and although governments around the world are taking the steps to prevent these attacks, some countries appear to be more vulnerable than others.

The UK is now the world's most targeted region for cyber threats, according to Malwarebytes, with a 134% rise in the number of hack attempts over the past year, double that of the US. Ransomware remains the most popular form of attack, seeing a 165% rise during the period.

The Office of National Statisticsrecently revealed that cyber crime specifically targeting businesses grew by 63% in 2017, while privacy campaign group Big Brother Watch found that almost 100 million cyber attacks have been levied against British councils in the past five years.

It's a worrying situation, one that's compounded by the UK's impending departure from the European Union, with some industry watchers remaining concerned that Brexit may place greater strain on the talent pipeline.

Job opportunity gulf

Ian Hughes, a senior analyst at 451 Research, believes that the complexity of the UK's withdrawal from the EU is likely to make it more difficult to attract the international talent that's so desperately needed.

"Security skills are in short supply globally, which means countries in organisational churn, such as the UK during Brexit, may not be attractive places to work, or even possible to work in due to visa quotas," he explains.

There's also concern that, in a 'no deal' situation, the lack of cooperative cyber security strategies and investment between the UK and EU member states may see the number of attacks skyrocket.

"The confusion, uncertainty and organizational shifts in enterprises that are based in the UK and EU will create targets for opportunist activity such as spear phishing too," says Hughes.

"One of the biggest concerns for Brexit should be a lack of investment in keeping infrastructure up to date and secure while funding is still being agreed or replacements decided upon, in both the public and private sector."

However, Hughes highlights that a great deal of work has already been done in key areas of cyber security, chiefly privacy and the EU's General Data Protection Regulation (GDPR), standardisation that's helped to reduce the need for ongoing strategy alignment.

Brain drain

Dr Ben Silverstone, who runs degree apprenticeships and quantitative business at Arden University, says Brexit will result in a plethora of wide-ranging challenges for the British cyber security industry. These include intelligence gathering, recruitment and organisational security. But he says the industry should remain calm.

"There are legitimate concerns associated with Brexit and its impact on cyber security, most notably the arrangements for intelligence sharing once Britain leaves the union," says Silverstone.

He suggests that the UK may experience what he calls a 'brain drain', in which highly-qualified applicants may choose to move to mainland Europe to access a wider variety of job opportunities.

"Another concern is that businesses outside of the UK remit will not be as strict in terms of their application of security practice, leaving UK businesses open to issues when working across borders," explains Silverstone.

Despite these concerns, he believes the UK will remain a "leading light" for the cyber security industry.

"There are strong reasons for the EU to retain intelligence-sharing ties with the UK, especially in relation to cyber security, as the UK has world-leading expertise in the area and fantastic training and development opportunities for security professionals. Evidence suggests that practices pioneered by UK Cyber Security professionals will continue to be the norm regardless of the political situation."

UK a 'third country' in data security

Sharon Heys, a lawyer at the SANS Institute, says there will be serious implications around data security in the UK. She suggests that other countries could view Britain as a dangerous place to store personal and business information once it leaves the EU, and changing this perception could be difficult.

"From a legal standpoint, the exit of the UK from the European Union in March 2019 will make it a 'third country' when it comes to data and data security in relation to other EU countries. This means we will have to prove our data protection provisions in the same way that the US does at present," she says.

"This is potentially an issue for many companies, including cyber security companies, as we could have difficulty being seen as a safe place to process data unless we can secure an adequacy decision from the EU and we can satisfy the EU that we have protections in place to provide reassurance to data controllers and processors."

While the government has been trying to negotiate the UK's data powers, Heys believes that its hands are tied.

"The Prime Minister has stated that she will seek an 'adequacy plus' arrangement with the EU. However, they have resisted this suggestion to date and our ICO could potentially be left with no voice at the table of the new European Data Protection Board. The threat of not receiving an adequacy decision could be disruptive for business and is a risk to [the] continuity of data flows," she continues.

Addressing this issue was one of the reasons the UK chose to introduce an updated Data Protection Act 2018, which sought to harmonise domestic law with that of the EU.

"The GDPR did, however, allow for a number of exemptions (within DPA), which is where the difficulty lies," explains Heys. "While we are currently governed by GDPR, the UK DPA will apply after we leave the EU. Companies in the UK must currently comply with the new data protection provisions and this will remain the case even after we leave the EU if they wish to trade with our European partners."

As we enter an era where more people and devices will connect to the internet, it's clear that cyber security threats will only increase in rate and complexity. However, as a result of Brexit, the UK could find itself more vulnerable than ever when it comes to mitigating these risks.

A great deal of that will depend on the result of the Brexit negotiations, but in the event of a no deal, it's possible there will be a critical lack of harmonised security strategies.

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, the Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan. You can follow Nicholas on Twitter.