When ‘Simulating’ Cyber Preparedness, Look Around the Globe

There’s been lots of cyber developments in Westminster: UK pulled a Brexit, David Cameron followed, and most recently, Theresa May stepped in.

But how is cyber a link in this chain? And what do these developments suggest about the future of cyber in the UK?

Was Cameron fully in-tune with how cyber affects the UK? How much (and how) does Brexit augment the UK’s threat landscape — and what should we expect (and hope) from Theresa May?

Cyber Simulations Must Always Be Up-to-date

David Cameron

Outgoing UK Prime Minister (PM) David Cameron was never doubted in terms of his cyber awareness. Since taking office as PM in 2010, Cameron has had cyber on his agenda; securing 500 million GBP in 2010 to “push cybersecurity forward”, he pledged a ‘national cyber security programme’, with the goal of solidifying Britain’s ability to “detect and defend against cyber attacks”.

National Defense via Cyber Simulations

As time has progressed, Cameron’s cyber awareness has always been in the sidelines: In 2014, he pledged 1.1 billion GBP — against cyber terrorists, and the “global terrorism and unseen cyber criminals”. Not to mention that he invested an extra 800 GBP in an “intelligence, surveillance, target acquisition and reconnaissance package.” Once November 2015 kicked in, Cameron renewed his cyber awareness, by allocating an additional 1.9 billion GBP to cybersecurity.

Another bi-product of Cameron’s cyber strategy included a simulated cyber attack on bank computer systems in New York and London, a ‘joint war games’ campaign organized by the U.S. and U.K. governments, recognizing the vulnerability levels that banks and financial institutions maintain in the face of cyber. Ultimately, these war games included “a range of collaborative cyber-initiatives that include staging “war games” to test banks’ readiness.”

Ironically enough, although the first war game in this cyber-initiative targeted the City of London and the Bank of England, the message behind this simulation didn’t seem to fully resonate until after the discovery of the notorious SWIFT cyber-heist this past May.

It was only after the Bank of Bangladesh was intercepted via the SWIFT messaging system that the Bank of England and the British Bankers’ Association were each lobbied by UK banks to “press SWIFT into adopting new security measures”.

It seems that although cyber awareness was evidently appreciated among UK big wigs, they weren’t sufficiently updated with the evolving threats on the threat landscape, and only realized the risk levels of the SWIFT messaging system once a fellow bank fell victim.

But the takeaway from the SWIFT cyber-heist is plentiful: international communication forums (such as the SWIFT messaging system) not only need to be mutually updated on the threat landscape’s latest developments, these forums and partnerships must be well synchronized on the governance level, too.

The Brexit Era: Can We Simulate the Outcomes?

The bucket of sentiments had by Brits towards the value (or lackthereof) in the vote to Brexit, many do indeed agree about one thing: the referendum will generate a “rise in cybercrime”.

Some of the risk repercussions were defined as follows:

• Cybercriminals will “likely take advantage of any confusion that is created by changes in laws etc through phishing and targeted campaigns to UK Citizens….the odds of cybercrime going up are decidedly better than 50/50”
• A spike in cyber crime, a characteristic outcome caused by large natural disasters and events impacting world economy.
• As per the ‘Routine activity theory’ in criminology, (cyber) crime is likely to happen when suitable targets are present, yet capable guardians are absent.
• The seamless cooperation of cybercrime task forces across Europe is now ‘seam-with’, an effective split in the consented-to priority of criminal threats in cyberspace.
• The list goes on…

The EU and Cyber: Working Together Since the early 2000’s

Since the early 2000’s, the Union has issued information security directives which address topics like e-commerce, data protection, data retention, and cybercrime…”the UK has adopted these into national legislation”, says ABI Research director Michela Menting.

Effectively, a dire priority for UK cyber defense is now privacy compliance laws. Once the UK would choose to implement less restrictive privacy measures than the EU, their entire cybersecurity strategy would need to confront its fate.

On some level, the decision boils down to this: UK decision makers (hint: Theresa May) will need to decide whether or not to align with the EU’s incoming General Data Protection Regulation and Network and Information Security Directive.

Forrester Says: Brits, Learn from your Neighbors

Forrester research analyst Laura Koetzle believes that the post-Brexit reality for UK and its data protection (that means you, cyber) proposes two options:

1. Become a trusted entity like Switzerland or Canada.
2. Pass new privacy laws that meet the GDPR requirements.

If the UK does neither, firms in the UK “will need to repatriate data to EU data centers”, writes Koetzle. What’s more, EU companies “will now demand that their cloud vendors move data out of the UK and into EU data centers to comply with the EU GDPR.”

Prime Minister May: Here’s What We Suggest

Get in touch with your friends over in Switzerland. To be exact, the KPMG Switzerland blog explicates: the assumption that GDPR regulations are an EU regulation and therefore not relevant to Switzerland nor to Swiss organizations is false.

GDPR is “not only applicable for companies based in the EU (or their subsidiaries in the EU), but also for Swiss based companies that are offering goods or services to EU data subjects….numerous Swiss organizations that have no local presence in the EU will now also be in scope of the EU GDPR legislation.”  

Governance, Governance

An additional takeaway for Prime Minister May to keep in mind is that jurisdictions like Hong Kong, Canada, and Australia have all released jurisdictions that aim to align themselves with the backbone of the EU regulatory framework — ‘Accountability’. Each of these national bodies have followed the trend of comprehensive governance programs which are “becoming increasingly common — and obligatory”.

What we hope to see in Prime Minister May’s cyber files? A comprehensive governance framework that facilitates partnership and cyber preparedness throughout the international community.