The likelihood of the United Kingdom exiting the European Union will put a huge strain on agencies tasked with protecting citizens, businesses and government entities from cyberattacks, said security experts.
Assuming a Brexit does take place — and many are still hoping it will not — expect a rise in hacktivism, a reduction in tech talent, a decrease in information-sharing and increase in regulatory complexity, at least for the foreseeable future, they said.
Hackers thrive in environments of chaos and uncertainty, and the political and economic turmoil the UK finds itself in presents an opportunity.
"Cyberspace is one place where people vent their steam and take action with relatively few risks of consequences," said Stephen Cobb, Senior Security Researcher at ESET, a Slovakia-based internet security software firm. "It does not take many activists to cause a lot of problems."
It is already happening. On Monday, hackers hijacked an online petition calling for a second EU referendum, erroneously adding more than 77,000 votes (which have since been removed.)
And even as armies of malicious hackers add to their ranks, cybersecurity experts are in short supply globally. The UK has been a foothold for international firms looking for an entree to Europe, and uncertainty around how Brexit will impact work visas for non-UK residents could dampen its appeal, said Bill Ho, CEO of secure communications provider Biscom.
"If the talent pool is reduced by travel and employment restrictions, firms may experience some tech-focused personnel shortages which could impact a firm's cybersecurity stance," said Ho. "Technical skills are always in high demand around the world, and it's no different in the UK – Brexit will have a negative impact on firms trying to bring on smart people who may not reside in the UK."
Exiting the EU will also pose new challenges for the UK when it comes to combating organized online criminal activities, which experts agreed are best tackled from a cooperative, supra-national approach. In recent years, the European Union published the EU Cybersecurity Strategy and created the European Cybercrime Centre (EC3) to bolster defenses against attackers. EC3 had become a cornerstone in the Union's fight against cybercrime, supporting member states and institutions in building operational and analytical capacity for investigations and international cooperation, said ABI Research director Michela Menting.
"The UK's isolation that may result from Brexit would be an unwelcome development in the fight against cybercrime," said Menting. "Further to this, new cybersecurity information and asset sharing structures will need to be put in place between the EU and the UK."
Ironically, escaping EU security and privacy regulations may not be easy or desirable, Brexit or no, said experts.
"Privacy compliance just got way more complex," said Cobb.
If the UK chooses to adopt less restrictive privacy measures than the EU, it will be free to negotiate its own agreements with other countries, said Cobb. But since the UK and EU economies are already so deeply intermingled, adopting the continent's regulations might be Britain's path of least resistance, he said.
The Union began issuing information security directives addressing things like e-commerce, data protection, data retention and cybercrime starting in the early 2000's. The UK has adopted these, in some form, into national legislation, said Menting.
Following a Brexit, the UK will be free to decide whether to align with the EU's incoming General Data Protection Regulation and Network and Information Security Directive, but may have little flexibility.
"It will have to either: 1) become a trusted entity like Canada or Switzerland; or 2) pass new privacy laws that meet the requirements of the EU General Data Protection Regulation (GDPR)," said Forrester research analyst Laura Koetzle. "If the UK does neither of these, firms operating in the UK will need to repatriate data to EU data centers."
"Additionally, EU companies will now demand that their cloud vendors move data out of the UK and into EU data centers to comply with the EU GDPR," said Koetzle.