On June 23rd, 2016 the citizens of Britain voted for the United Kingdom to exit the European Union. Canadian corporations are trying to comprehend how this will impact their business, the economy, and politics both at home and abroad. Could Brexit also influence the integrity of our data protection measures in Canada? We sat down with Ray Boisvert, Hill+Knowlton’s Digital Resilience expert, to ask him about Brexit’s potential impact on cyber security.
Q: How will this impact data sharing between the UK and other countries?
Ray: Clearly everything that existed pre-Brexit, from trade agreements, privacy standards and related judicial rulings, along with Mutual Legal Assistance Treaties, better known as MLATs in the law enforcement community, will be subject to review and very likely re-negotiation.
The recently announced re-launch of what used to be called the “Safe Harbour” agreement on the protection of data being transferred between the EU and North America (primarily the US), renamed the EU-US Privacy Shield, is now a big question mark when it relates to data that will be transferred to and from the UK. Moving forward, the complexities and uncertainties related to data sovereignty, data transfer, liability and controls on the exercise of law enforcement agency powers to compel, and e-commerce in general, will significantly increase. As such, Canadian companies operating within North America will be directly affected.
Q: What do you think are the unintended consequences of the referendum with regards to the cyber security industry?
Ray: My first concern is brain drain. The UK, and London in particular, has attracted some important technology firms, including cyber security companies doing important R+D in this growing and economically important field. As we’ve seen from the reporting and discourse emanating out of the UK, along with pre and post-Brexit opinion surveys, the vast majority of London denizens, especially that young talented pool of knowledge workers, are now disenfranchised from Europe and possibly further afield.
Moreover, many young staffers and their leadership cadre fear that their cyber security industry will lose its natural advantage and client base as firms begin their exit plan from the UK – including some global heavyweights in the financial sector who will no longer use London as a hub. With that in mind, I suspect the exodus or the planning for it has begun for this highly talented and mobile workforce. This will disrupt the UK economy, but my concern is for the industry itself as any dysfunctionality contributes to insecurity.
Q: Will there be less cooperation between UK law enforcement agencies and other European agencies when investigating cyber breaches?
Ray: There are currently two critical impediments to greater success in prosecutions involving cyber-crime. One is consistent and reliable attribution (i.e. identifying who is behind the hack or breach). The second is inter-agency and inter-jurisdictional cooperation.
As everybody now understands, cyber-crimes primarily involve fraud events or the theft of intellectual property. Therefore, they are crimes worthy of criminal investigations and of course one hopes, successful prosecution. These outcomes, sadly, remain elusive. The attribution challenge will be eventually solved via technical means, albeit with occasional or proverbial “one step forward and two steps back” (as threat actors adjust their methodology to counter successes in identification). Collaboration, however, relies on two main ingredients: good will (i.e. credible efforts to achieve mutual collaboration), and a policy framework that is based on or is reflective of national laws and international agreements and norms.
What we have seen post-Brexit vote is a fair amount of discord between EU-based entities (from some individual governments, to private interests who seek new opportunities by accelerating Britain’s departure from the scene). And, one would suspect decreasing cooperation among agencies charged with securing networks or investigating cyber-crimes. The real or perceived acrimony between British and European governments, agencies or firms, will not be lost on threat actors. They will, as predators do, take full advantage of any gaps or reduced vigilance. They will no doubt up their operational tempo against potentially vulnerable targets, especially those immediately disrupted by the post-vote events, and most certainly against those in rapid transition.
Let’s hope that this is recognized by EU and British agencies and that the increased threat level will embolden them to double their efforts in this time of uncertainty and transition. However, I’m never that optimistic when it comes to large organizations and bureaucracies. Therefore, expect some big cyber breach news events over the next year.
Q: Will the UK no longer be subject to the EU General Data Protection Regulation? Will this hamper the progression of current data protection initiatives?
Ray: I am not a legal expert, but as someone who pays attention to these types of rules of engagement governing the Internet, the status quo will remain. From reading the text of the regulation, it is clear to laypersons like myself that it will continue to apply to not only EU-based organizations, but to all firms or organizations doing business in the European Union (i.e. those that process data of European citizens).
From a national security or criminal investigations standpoint, and in line with your previous question on collaboration that furthers the investigation of cyber-crimes, that part is now in question. Will, for example, a UK-based law enforcement and intelligence agency have unrestricted or uniquely categorized access to the data of EU citizens? I strongly believe that the enabling aspects of that regulation will no longer apply to British security agencies. Therefore, additional gaps in the legal environment that will not make us any safer or secure when we engage on-line.
From a pure privacy perspective, not having clear and effective regulations worries me. Absent an appropriate set of rules and a guiding framework, we have seen abuse arise wherein security agencies do what they need to do to succeed in their mission to collect intelligence or to bring people to face justice. So let us hope that these gaps will be filled through the rapid negotiation of new rules of engagement.
Q: What should Canadian companies be thinking about and how should they approach their cyber security strategy moving forward?
Ray: The Brexit phenomenon has been fascinating, if not chilling. The “unknown unknowns”, as one famous former US Secretary of Defence once glibly stated, is a factor that we should not ignore. No politician, pundit, or academic has been able to provide a clear picture of how all of this will shake out. Rest assured, however, that there will be negative consequences affecting business and security interests – which in the 21st Century, these two elements are now, and moving forward, inextricably linked. When instability levels rise, threats follow commensurately.
There is very little doubt that sophisticated criminal groups, most of which acting with complete impunity from their protected lairs in Eurasia, Africa and Latin America, will be actively assessing the level of cyber preparedness of a number of organizations. Not just in a post-Brexit and transitioning Europe context, but rather in a world that continues to undergo rapid technological transformation. An environment where our efforts to connect, for work and play, creates an ever expanding threat surface. And, for which, many Canadian firms and institutions have yet to recognize.
As such, areas from technology development, healthcare, including medical and pharmaceutical research, to the auto industry and food services, will be under increasing threat in the last quarter of 2016, through to 2017. The world is not getting any safer, secure, predictable or stable. Therefore, individual firms should not rely on “others”, particularly government or law enforcement, to solve the cyber security challenge. It’s well beyond the reach or exclusive role of government agencies, as threats can now come knocking directly on any business proprietor’s door – be it in the form of pesky denial of service attacks, or a complete lockdown of one’s data via a ransomware moment. So best to engage with trusted and true subject matter experts that will help a firm raise its level of cyber security resilience.
In our globalized, digital world, failing to demonstrate diligence in protecting organizational assets has severe consequences – from lost clients or customers, to boardroom accountability. So despite the heightened risks, Canadian firms need to move forward and continue to grow by engaging with the world. However, they must do so with eyes wide open — but equally, with the confidence that much can be done to help keep their digital and human assets secure, and their enterprise viable and sustainable.
Ray is an intelligence expert and well-respected thought-leader in the Canadian security space, providing clients with uniquely sourced insights into risk-mitigation strategies and solutions. His expertise is rooted in more than 28 years with the Canadian Security Intelligence Service (CSIS), from which he retired in 2012 as the assistant director for intelligence.