Brexit won’t affect U.S.-U.K. cyberalliance

The United Kingdom’s alignment with the United States on cybersecurity takes some of the uncertainty out of the U.K.’s exit from the European Union, although details are still to be worked out on how new EU data security regulations will continue to apply to U.S. and other companies operating in Britain.

Regardless of the Brexit issue, analysts quickly surmised that the U.K. and companies operating there will be bound by EU cybersecurity rules that U.S. industry groups see as overly prescriptive and punitive.

The U.K. agreed to the EU’s “General Data Protection Rule,” which was adopted this year, and almost certainly will abide by it in the future as part of an effort to maintain access to the EU market, according to analysts.

The rule goes into effect in May 2018. The U.K. presumably will still be within the EU at that point, considering its disengagement is generally seen as a two-year process.

“The GDPR [or a U.K. equivalent] will be the prevailing data protection standard in the U.K., and companies should continue their GDPR preparation as before,” law firm Hunton and Williams said in a June 24 blog post.

The rule sets security requirements for companies that handle the personal data of EU citizens, requires notification when citizens’ information is accessed illegally and imposes stiff monetary penalties for violations.

Many U.S.-based digital privacy groups see it as a model. U.S. business groups strongly disagree and see it as contrary to the risk-management approach to cybersecurity largely embraced in the United States.

But the U.K.’s independent Information Commissioner’s Office, an official consumer watchdog, put out a statement saying: “The Data Protection Act remains the law of the land irrespective of the referendum result.”

Beyond the data rule, the U.K. has been an avid supporter and adopter of U.S. initiatives such as the risk-based framework of cybersecurity standards developed by the National Institute of Standards and Technology.

A NIST official last week cited “frequent collaboration with them on numerous topics, including the framework.”

The British government in 2014 launched “Cyber Essentials,” a program modeled directly on the NIST framework.

The U.S.-U.K. collaboration in cyberspace also extends past the framework.

The countries announced a law enforcement arrangement in March on access to electronic data in criminal investigations. Both governments have been exploring policy options around the Internet of Things and cyberinsurance, and the need to pay special attention to small businesses’ cybervulnerabilities.

President Obama and Prime Minister David Cameron at a 2015 meeting “agreed to bolster efforts to enhance the cybersecurity of critical infrastructure in both countries, strengthen threat information sharing and intelligence cooperation on cyberissues and support new educational exchanges between U.S. and British cybersecurity scholars and researchers,” according to a fact sheet released at the time.

Overall, the U.S.-U.K. cyberrelationship has been marked by philosophical agreement on approaches, extensive collaboration and less head-butting over policy than has been seen in the U.S.-EU relationship on cyberissues.

Meanwhile, Larry Clinton of the Internet Security Alliance took away a broader lesson from Brexit for U.S. companies: Take responsibility for enhancing cybersecurity.

“The Brexit vote demonstrates that even the most stable of governments may not be reliable partners due to macro-political forces that have nothing to do with cybersecurity,” Clinton said.

U.S. companies need to ensure the private sector has its own sturdy cyberprograms in place that can endure, regardless of political changes or upheaval, he said.

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield. 
