On 24 June the UK made history by voting to leave the European Union. As the world comes to terms with the historical decision, experts predict that the political, social and financial implications likely to follow could have a domino effect on cybersecurity.
Researchers feel that the UK could witness a notable rise in cybercrime as an after-effect of Brexit.
To understand how Brexit could impact cybersecurity, IBTimes UK spoke to Eset security researcher Stephen Cobb, Cyphort co-founder and chief strategy officer Dr Fengmin Gong and CounterTack CTO Mike Davis.
Both Cobb and Gong opined that the odds of cybercrime surging after the Brexit vote could be significant.
Although Davis said the likelihood may not be as dire, he cautioned that cybercriminals will likely "take advantage of any confusion that is created by changes in laws etc through phishing and targeted campaigns to UK citizens". Cobb added that "the odds of cybercrime going up are decidedly better than 50/50".
Why is cybercrime likely to increase?
Explaining why cybercrime could surge, Gong said: "Historically we have seen cybercrime rise after large natural disasters and events impacting world economy; Brexit qualifies for the latter."
Cobb backed up this claim and added, "Routine activity theory in criminology suggests crime is likely to happen when motivated offenders encounter suitable targets in the absence of capable guardians. Brexit impacts all three elements, none in a good way.
"Brexit has increased the supply of targets because it has created uncertainty, which markets hate but some criminals embrace. Uncertainty creates opportunities, like the opportunity to target people who are fearful or confused, perhaps through online scams and social engineering attacks related to immigration status, state benefits, and so on."
Catch me if you can
Brexit and the changes in law that may follow could affect how malicious entities are captured and prosecuted. Cobb said: "Brexit is likely to have a negative impact on capable guardians, given that the seamless cooperation of cybercrime task forces across Europe, considered a priority to address criminal threats in cyberspace, now has a seam in it.
"This could hamper prosecution of cross-border cybercrimes, and most such crimes cross borders. Complex issues of transnational law enforcement funding could degrade police performance, and the UK's need to renegotiate 80,000 pages of legal agreements with the EU may strain legal resources."
'Chaos breeds opportunity'
When asked what kinds of cyberattacks were most likely to increase, Cobb responded: "Hacktivist tools of choice, such as DDoS and system compromise via SQL injection, may be deployed if the social divisions exposed by Brexit enter the cyber realm."
However, Gong opined: "Malware for financial fraud, targeting identity theft, and ransomware are among the most likely; chaos breeds opportunity for these kinds of cybercrimes."
Davis agreed with the theory and added that phishing attacks "will grow, [and they] usually include malware of some type". He differed with Cobb on the prospect of DDoS attacks rising.
Brexit's impact on user data and privacy
According to Gong, "The EU is known for its strong regulation for protecting the privacy of its citizens. The UK is known for its traditional 'state security first' system. The two are not necessarily congruent by any means. So if the UK deviates from the EU practice, a more detrimental impact on users' privacy is expected."
Davis backed up the claim and pointed out that there are in fact "big differences" between UK and EU data privacy laws. "Companies will have to comply with both, potentially more if other countries leave. Whenever there are competing or multiple laws around a specific topic, the confusion usually leads to mis-implementation of security controls, and I expect the same here. The side effect is more breaches of consumer data," he explained.
Cobb also highlighted the downside of the possible conflict between UK and EU laws on data and privacy. "As we saw with the breakdown of Safe Harbor, failure to meet those standards can have negative consequences for transnational data flows. To the extent that, if any country lacks a data protection regimen equal to that of the EU, it will have to plead its case for continued access to data about EU residents."
However, he claimed that an "immediate impact" on the UK's data privacy was unlikely "as the UK has had data protection laws for several decades".
Impact on UK businesses
Davis suggested that though UK businesses are unlikely to be affected immediately, "as the separation of UK data privacy laws and the EU data privacy laws widens, more companies are less likely to comply as they are confused and unsure what laws to follow which will lead to [cybercriminals] targeting [UK business] in 12-24 months".
Gong explained, "Targeted attacks on companies are typically motivated by activism, espionage, or extortion. It's not apparent that Brexit is particularly adding to such motivation. But as the UK makes decisions as to its own rules and regulations regarding cybersecurity and privacy, how these relate to what it had under the EU and how these impact people in the UK as well as other EU countries, could create different sentiment."
Cobb corroborated this theory, but was of the view that criminal elements could feel "resentful of the UK's attitude" and be "less hesitant to target UK companies".
How best to prepare and avoid becoming a victim?
It is imperative that clear guidelines and security measures are implemented to ensure that the UK is protected from prospective cyberattacks. Gong stated: "It's most important to minimize interruption and chaos associated with Brexit. Accelerating the adoption and implementation of best security practices like consistent implementation of threat defense, from prevention all the way to incident response and resolution."
Cobb agreed and highlighted that the biggest challenge will be "to stay focused on current efforts and initiatives to combat cyber threats in the face of all the distractions that Leave has created."
Davis called for the implementation of "the various data privacy laws and provide a simple and easy-to-follow roadmap for meeting EU and UK data privacy laws".