All over Europe organisations of all sizes are currently scrabbling desperately to get their house in order for 25 May 2018. What happens then? Only the biggest shake-up to Europe’s data protection laws in nearly a generation. The implications are immense, both in terms of the scope of the new regulation and the companies who will now be held liable.
There’s just one problem. The UK’s Snoopers’ Charter, or Investigatory Powers Act. Its enshrining into law of mass surveillance powers could create major problems down the line, possibly putting UK firms at a competitive disadvantage precisely at a time when they need the digital economy most.
What’s the problem?
Let’s start at the beginning. UK firms will have to comply with GDPR, even with Brexit looming. That’s because the extrication of the country from the EU will take at least two years from whenever Article 50 is triggered – presumably in March – and probably much, much longer. And even beyond that, the UK government has said in its Brexit white paper:
“The European Commission is able to recognise data protection standards in third countries as being essentially equivalent to those in the EU, meaning that EU companies are able to transfer data to those countries freely.
As we leave the EU, we will seek to maintain the stability of data transfer between EU Member States and the UK.”
This implies that the UK will broadly speaking harmonise its laws with the GDPR. But the bulk data collection powers granted by the IPA mean the regime is certainly not equivocal to that in Europe. Emily Taylor, CEO of Oxford Innovation Labs and associate fellow of Chatham House, told me that the European Court of Justice (CJEU) shows no signs on shifting its stance on bulk data collection – having recently ruled against the forerunner to the Snoopers’ Charter, DRIPA.
“Other elements of the judgment are likely to cause problems with the Investigatory Powers Act: the CJEU says that targeted data retention may be allowable, but must be restricted solely to fighting serious crime; warrants must be signed off by a court, not a minister; and the data concerned must be retained within the EU. All these will potentially conflict with core elements of the IP Act,” she told me.
If its kept as is, the Act could therefore impact the legality of data transfers between Europe and a newly independent UK, which will be bad news for most firms reliant on a thriving digital economy.
“The impact of conflicts between the GDPR and our Investigatory Powers Act may be to hamper the competitiveness of UK tech, particularly as the GDPR seeks to protect EU citizens’ data wherever it will be processed,” she argued.
Not great for America
This is a hot button issue for Europe In fact it’s the reason why data transfers to the US were put under threat after Safe Harbour was torn down because of fears of US authorities snooping on Europeans’ data. Despite a new agreement – Privacy Shield – being put in place, there could still be bumps in the road ahead.
“Transatlantic data flows will not be legal unless there is a robust framework in place to offer EU citizens’ data equivalent protection to what is enjoyed in the EU,” said Taylor.
“President Trump’s ‘America First’ policy is likely to renew tensions over Privacy Shield – a shaky compromise which was hurriedly reached following the CJEU’s obliteration of its predecessor ‘Safe Harbour’.”
KPMG’s globa privacy advisory lead, Mark Thompson, told me that firms outside of Europe that need to comply with the GDPR are better off keeping data on European citizens inside the EU so as not to fall foul of any changes to data transfer agreements.
“Despite the USA and EU having some cultural alignment, there is potential for significant culture clash between the EU’s view of a fundamental human right to privacy and the US view on what constitutes privacy, which is significantly different,” he added.
We’ll have to wait a while to see what the fallout of all this is. But with the UK government unlikely to countenance any changes to the IPA, there could be some potentially bad news for the country’s digital economy in the next few years if nothing changes.
It’s hard to find an optimist in the cyber security industry in these post-referendum days. I spoke to a fair few for an upcoming feature for Infosecurity Magazine and the consensus seems to be that a Brexit will be bad for staffing, the digital economy and the financial stability of UK-based security vendors.
That’s not even to mention the legal and compliance implications. Chatham House associate fellow, Emily Taylor, recommended firms continue on the road to compliance with the European General Data Protection Regulation. Aside from the fact that any firms with EU customers will still need to comply with the far-reaching law, she reckons that if we want to protect the free flow of digital information between the EU and UK, we’ll need to continue following European laws in this area.
Snoopers gonna snoop
However, a Brexit would cause other problems, notably in that the current Snooper’s Charter looks like it will enshrine in legislation the principle of bulk surveillance – the very thing which effectively led to the scrapping of the Safe Harbour agreement between the US and EU. If this bill goes through as is and we go out of Europe but stay in the single market, we’ll have to change that bit, Taylor told me.
“A case brought by David Davis and Tom Watson questioning the legality of bulk surveillance powers under the old DRIPA laws is currently being considered by the CJEU,” she explained.
“It’s not clear which way the CJEU will go on this, because many member states have lined up to support the British approach. However, if CJEU follows its recent decisions, it could strike down bulk data collection. If we wanted to stay in the single market, we’d have to amend our IP Bill in response.”
Even if we broke away from Europe completely and adopted the status of a “third country” like the US, we’d still have to adopt measures “to give equivalent protection to EU citizens’ data as they enjoy within the EU,” she argued. And bulk surveillance would certainly be a no-no in this scenario.
The uncertainty – which could continue potentially for years while Brexit deals are worked out – is also viewed by many as damaging to the cyber security industry, and tech in general. Immigration lawyer and partner at MediVisas, Victoria Sharkey, claimed firms may be unwilling to employ skilled workers if there’s a chance they might have to leave in a couple of years’ time.
“This is certainly going to be the case where significant training and investment is involved,” she added.
In fact, EU nationals are apparently already packing their bags.
“I am already seeing EU nationals who have been here for years make plans to leave and either go home or go to another EU country. They are worried for their jobs, are worried that they will be told to leave and so would rather leave on their own terms, and they are also being made to feel unwelcome,” Sharkey continued.
“I feel that when we do leave that it is going to become significantly harder for UK employers to encourage the best in their industry to come and work in the UK.”
This, for an industry which has always struggled with skills gaps and shortages, is potentially catastrophic.
Can we overcome?
Philip Letts, CEO of global enterprise services platform blur Group, has run businesses in Silicon Valley and the UK. He also pointed out the potential damage that political and financial uncertainty could have on the industry.
“The politicians are in unchartered territory. We don’t yet have a clear timetable for the triggering of Article 50, nor the trade deals that are going to have to be negotiated. There is a political vacuum. Business confidence is low and many will hunker down, try to avoid risk and wait for this to play out,” he told me.
“Globally, the US tech heavyweights will want to remain in the UK and the EU, and they will do both, operating across different European centres. But the EU market is more lucrative than the UK, so things may shift over time.”
So is the tech and cyber security sector really doomed? Not so, according to KPMG UK head of technology, Tudor Aw.
“I believe the resilient UK tech sector can withstand the challenges of Brexit and thrive,” he told me.
“Technology is increasingly a key sector that underpins all other sectors – whether it be back office systems or strategic enablers such as IoT and data analytics. Companies will need to invest in technology to drive efficiencies and strategic growth – one only has to look at developments across a diverse range of sectors such as healthcare, automotive, property, retail and the military to see that technology spend will only increase regardless of Brexit.”
It’s a moot point now, but I wonder how much better it could have thrived had we not voted out on 23 June.
This week I’ve been looking at the news that NATO’s set to ratify a new cyber policy which first made public back in June. So far, so boring you might think.
Well, actually this one is pretty significant in that it seeks to extend Article 5 – the collective defence clause that if someone strikes at one NATO member they strike at them all – to the cyber world.
In doing so NATO is going further than individual governments in trying to establish international principles that a cyber attack can be considered the same as a traditional military strike.
However, the chances of the alliance actually invoking Article 5 are pretty slim – as KPMG cyber security partner Stephen Bonner told me it has only happened once before, after 9/11.
“The reality is that few cyber attacks are likely to be of sufficient scale and impact to justify invoking Article 5 – and they would not happen in isolation from a broader deterioration in international security. In other words, if there was a state attack then it would have a broader context,” he added.
“This announcement is primarily a rhetorical point which is possibly aimed at having a deterrent effect.”
That said, I think it’s still an important step.
Some might argue that the lack of clarity around what would be considered an act of cyber war kind of diminishes its value, but as McAfee director of cybersecurity, Jarno Limnéll, told me, this is the right thing to do tactically.
“I think this is wise policy, spelling out a clear threshold would encourage adversaries to calibrate their attacks to inflict just enough damage to avoid retaliation,” he argued.
Elsewhere, consultancy BAE Systems Applied Intelligence also welcomed the news.
“Cyber criminals do not respect national boundaries so protecting national interests will require increasing international cooperation,” a spokesperson told me by email.
“It is therefore encouraging to see the increasing priority which cyber is being given in NATO’s agenda. This complements multiple other initiatives nationally and internationally to address a growing security risk and help secure the systems we are increasingly reliant on.”
The new policy will not just concentrate on collective defence clause, of course, and BAE also welcomed the increasing focus on intelligence sharing between member countries and with the private sector.
Whatever the efficacy of NATO’s move, it once again underscores the increasing importance being attached to cyber channels by politicians and military leaders.
As Limnéll said, these are necessary steps given the relative immaturity of the industry.
“We have to remember that we are just living the dawn of the cyber warfare era and the ‘cyber warfare playbook’ is pretty empty,” he told me.
“Most of the destructive cyber tools being developed haven’t been actively deployed. Capabilities to do real damage via cyber attacks are a reality but fortunately there has not been the will to use these yet. However, that is one option, as a continuation of politics, for countries nowadays.”
All the talk this week has been of the Russian mega-hack. A data breach revealed first in the New York Times by a security firm called Hold Security of an estimated 1.2 billion username and password combinations and 500 million email addresses.
So what can we say about it?
Well, according to the security experts I spoke to we can summarise as follows:
- It won’t be enough to push website owners into adopting more secure authentication mechanisms like two-factor authentication; passwords are just too user friendly and the alternatives would be too expensive.
- The best we can hope for is it will encourage people to use password managers, or at least stop sharing passwords across sites, and improve the strength of those passwords.
- It’s still not clear if this was as big a breach as claimed. We don’t know whether the details are current passwords, where they were obtained and exactly how. Fixating on the size is also missing the point a bit, as there are huge breaches every year.
- Online firms should see this as a wake-up call. Patch those SQL flaws and keep passwords more secure – by doing this you’ll remove the “lower hanging fruit” these Russian attackers clearly went for.
Beyond that, Thales UK head of cyber security, Peter Armstrong told me he was disheartened to see Hold Security already trying to monetise its findings by charging for breach notification services.
“Once of the key building blocks that underpins the improvement in the global cyber defence posture is the preparedness of organisations to share threat intelligence. The creed and ethos here is we are only strong if we are strong together,” he added.
“Threat Information Exchange must remain a philosophy of openness and community benefit not individual benefit. This organisation [Hold Security] has derived benefit historically from this free information exchange helping them to amass the capability and intelligence to make this discovery in the first place. This kind of behaviour is likely to trigger black listing of organisations for bad behaviours from a community perspective and under those circumstances it is only the cyber criminals who benefit.”
For KPMG cyber security director, Tom Burton, the main issue here is whether passwords are still fit for purpose. He thinks not.
“The pervasive nature of the internet means mere mortals cannot possibly remember a different password for each and every website they have registered with, let alone passwords with strength,” he told me by email.
“In the short term, individuals must take a more risk based approach, maintaining strong and unique credentials for those sites that would create the greatest impact if breached (bank accounts and email accounts are two such examples) while being pragmatic and using common passwords for sites that really would be little more than an irritation if breached.”
For CISOs it comes down to risk management, and in many cases fortifying the organisation against such breaches may come higher on the agenda than dealing with advanced targeted attacks, he argued.
“It is too easy with modern processing to crack a large file of password hashes, and there will always be vulnerabilities that enable criminals to gain access to those hash files,” concluded Burton.
“If there is one thing that I feel is certain it is that this is unlikely to be the last announced breach of this kind, and is probably not going to be the largest. If it doesn’t prompt businesses and individuals to rethink how they are protecting themselves then the criminals will have a bright future ahead of them.”