Cybersecurity and Brexit: What does it mean for the fight against hackers?

Brexit could mean new challenges in the fight against cybercrime, from changes to international police agencies and more headaches for companies recruiting security staff.
Written by Danny Palmer, Senior Writer

Brexit means Brexit, according to the prime minister, but with little more than a year until 29 March 2019 -- the date the UK is due to depart the European Union -- there are still many questions to be answered for cybersecurity professionals.

One thing that is certain is that the upcoming General Data Protection Regulation (GDPR) will still apply to the UK after Brexit, but aside from that, there's little solid detail on the sort of deal that's going to be reached with the European Union; much will depend on the ongoing negotiations.

The cybersecurity industry shares many of the same concerns over Brexit as the wider technology sector does, including a fear of skill shortages, but there's also the looming issue of what happens in the fight against cybercrime if Brexit means the UK is no longer part of Europol.

As the European Union's law enforcement agency, Europol helps foster cooperation between law enforcement agencies across Europe in the fight against crime, including cybercrime.

SEE: The Brexit dilemma: Will London's start-ups stay or go? (TechRepublic cover story)

It's not clear what the UK's relationship with Europol will be after Brexit. The UK currently leads Europol's cybercrime initiatives and the agency's outgoing chief Rob Wainwright said that post-Brexit the UK's influence is likely to be "less direct, less pronounced and probably less successful than they are now," he said in an interview with the BBC.

Despite this, Wainwright told ZDNet he's "positive" about the prospects of the UK and EU meeting "significant agreement" on security.

"I believe there is a common understanding about the seriousness of current threats in Europe, especially in relation to terrorism and cybercrime, and of the need for the closest possible cooperation between all countries in Europe as the best means by which to counter these threats," he said.

"There is a good prospect of the UK continuing to have a close relationship with Europol after Brexit," he added.

The government, remains confident that it can come to an agreement which sees the UK continue to have a strong relationship with Europol, even after leaving the European Union.

"We have always led from the front when it comes to the security of Europe, and we want this cooperation to continue after we leave the EU," a Department for Exiting the European Union spokesperson told ZDNet.

"UK law enforcement works closely with Europol and European partners to coordinate international action against serious organised cybercrime, and we will be seeking a bespoke relationship with Europol as part of our future partnership," the spokesperson said.

But, depending on what happens during negotiations, it's entirely possible that by removing itself from the European Union, the UK could lose access to Europol, along with the seamless cross-border cooperation and regulation it provides. That could make it that little bit easier for cybercriminals to get away with their schemes.

"There's no question that [being in Europol] makes it easier, not necessarily just for us, but dealing with the problem across borders, because wherever there's a border, there's a crack for the criminals to hide in, so it's important from that point of view," David Emm, principal security researcher at Kaspersky Lab, told ZDNet.

Kaspersky Lab is one of many cybersecurity firms involved with Europol's No More Ransom initiative, which looks to help halt the spread of ransomware with multilateral cooperation and free decryption tools.

"It's just harder if you have to do paperwork and the paperwork has to go through before action is taken. Whereas, within the EU, there's not the paperwork, it's a single jurisdiction," said Emm.

For now, it's business as usual for the authorities, which are still currently operating under the same regulations and conventions as always.

"We've not seen any particular impact on operations, but it's too early to say if Brexit is going to make a big impact or not," said Paul Edmunds, head of technology at the National Crime Agency's National Cyber Crime Unit (NCCU).

See also: Tech's leaps, limps and likes: The 7 trends that defined 2017

Speaking at the recent TEISS 2018 security conference in London, he said that operations to fight cybercrime are cross-border, with the those looking to commit cybercrime against UK businesses and individuals not always being located in the UK.

"International operations are pretty much standard now for dealing with especially high level and more dangerous types of cybercrime," Edmunds said.

That international perspective isn't limited to the borders of the European Union -- Europol will regularly work with the FBI and other law enforcement bodies around the globe in order to fight a worldwide threat.

"Irrespective of what happens during Brexit, the international nature of the attacks and where the attackers come from is going to be really prominent going forward," said Edmunds.

But there's one area where some are already worried that Brexit will have a negative impact -- hiring new tech professionals, which is especially worrying for cybersecurity as many organisations already find it difficult to fill information security roles.

Some have concerns that a Brexit deal that heavily restricts freedom of movement could have repercussions for UK firms when it comes to hiring talent.

"Cybersecurity is already suffering from a skills shortage, making it difficult to find qualified candidates," said Laura Jones, senior cyber intelligence analyst at Barclays, speaking at the same event.

Noting that around half her team is from continental Europe, she said it's still too early to say if Brexit is going to have a direct impact on them, but that there's an aura around it that's "certainly discouraging people from coming to the UK".

Download now: EU General Data Protection Regulation (GDPR) compliance checklist

Jones herself is from New Zealand and says that if she'd taken up the role with Barclays after the referendum result came through the morning of June 24, she doesn't know if she'd have come to the UK.

"I bought a one way ticket to London the day before Brexit -- now I honestly don't know if I would've made the same decision. If it was the day after or the day after that, perhaps I might have chosen Australia," she said.

"I do think there's a perception that the UK, London as a financial centre might becoming slightly less welcoming to outsiders," Jones said, adding: "We need to widen the scope of people that we are trying to recruit, as there are lots of reservoirs of groups of people who are not being brought in."

Regardless about whatever agreements the UK and the European Union come to over Brexit and how it affects working relationships around cybersecurity, there's one thing we know for certain: those who are plotting hacks and cyber-attacks aren't going to give up.

"Cybercriminals won't be worrying about Brexit," said Emm.

Recent and related coverage

'Brexit gave us the impetus': How 5G innovation has surged within the UK

With the 'cushion' of the EU's 5G R&D programs removed following the Brexit decision, the UK government is experiencing a resurgence of productivity in pushing towards 5G through its innovation lab at the University of Surrey with industry and research partners.

Will Brexit let Paris overtake London as Europe's Silicon Valley?

On top of Brexit, the optimism coursing through France's startup ecosystem could alter Europe's tech status quo

Foreign cyberattack may have been behind Brexit website crash, says MPs report

New report by MPs 'does not rule out the possibility' that foreign actors worked to take down the EU Referendum vote registration site -- but government and cybersecurity experts disagree.


Editorial standards