Alliances and partnerships are therefore critical to maintaining UK cybersecurity, including those with our European neighbours. As a member of the EU, the UK has been integral to developing EU cybersecurity policy over many years, a role from which it has benefited and which it now relinquishes. Brexit will not irrevocably damage either UK or EU cybersecurity, but it will reduce the operational effectiveness of each, introduce uncertainty into a number of areas important to security and policing, and exclude the UK from EU cybersecurity decision-making.
Where are we now?
Some recent EU cybersecurity measures will remain on the UK’s statute books. For instance, the EU Security of Networks and Information Systems (NIS) Directive was transposed into British law in May 2018 and regulates the cybersecurity readiness of the owners and operators of UK critical national infrastructure. This is a work in progress but early signs are that firms are responding positively, thereby reducing the overall cyber risk to the UK. Similarly, the EU General Data Protection Regulation (GDPR), which has done so much to raise the awareness and protection of citizen and consumer data, will continue to be an important part of the UK data protection landscape.
That said, the UK’s cybersecurity posture is mostly independent of EU competences, which is why the Government had ‘no ask’ during the cybersecurity component of negotiations. The mood music in Whitehall and Westminster has long been ambivalent on the benefit of continued UK-EU cybersecurity cooperation. The UK will continue to benefit from other strategic partnerships, like the Anglophone intelligence alliance, the Five Eyes (FVEY).
The overlap between cybersecurity and signals intelligence (SIGINT) is substantial and FVEY SIGINT agencies, like the UK’s GCHQ, are key conduits for the exchange of cyber threat intelligence (CTI) essential to UK national cybersecurity. For example, the UK’s National Cyber Security Centre (NCSC) is part of GCHQ, where much of Britain’s cybersecurity experience and sovereign capabilities reside. CTI will also flow between FVEY and European partners like France and the Netherlands through the ‘Nine Eyes’ arrangement and with the wider SIGINT Seniors Europe (SSEUR) group. Similarly, most EU states are also members of NATO, which has its own cybersecurity agenda and responsibilities.
Where are we heading?
Nonetheless, Brexit poses challenges to British and European cybersecurity which were not resolved in the Trade and Cooperation Agreement. For instance, the UK’s level of access to EU policing and security databases, essential to fighting cybercrime, will be seriously diminished. Together with the UK’s withdrawal from the European Arrest Warrant, post-Brexit cooperation on crime will be ‘clunkier, clumsier and more expensive’, in the words of the Metropolitan Police Commissioner. UK negotiators’ overtures to avoid these eventualities were characterised by Germany as ‘impossible demands’ the EU could not meet.
This at a time when existing mechanisms are already struggling to cope with cybercrime volume and diversity, a situation exacerbated by the pandemic. British citizens are more likely to fall victim to cybercrime than any other form of criminal activity and the new arrangement will not improve that situation. So, while the UK will remain a signatory to the Budapest Convention on Cybercrime, Brexit means it will no longer be a formal participant in the transnational cooperation mechanisms it recommends. Both parties, however, have agreed to a new Security of Information Agreement (SOIA) that will facilitate the exchange of classified information as appropriate.
Brexit introduces uncertainty into high-level cybersecurity decision making, as it does in other security fields. The UK has lost its seat on Europol’s management board — which it once led — and thereby its ability to shape pan-European policing priorities and to lead Europol cybercrime operations. It will also forfeit its position in the EU Agency for Cybersecurity (ENISA), which plays an important role in improving member states’ cybersecurity. Some operational cooperation will persist, not least as the Agreement allows for re-engagement with ENISA, EU-CERT (EU Computer Emergency Response Team) and the NIS Cooperation Group. However, this will be on a mutually consensual basis and the UK will be a ‘third country’ under these arrangements and excluded from most, if not all, of the EU’s strategic cybersecurity decision-making.
The UK is also now a ‘rule-taker’ on data protection if it wishes to maintain the ‘adequacy’ under GDPR that UK companies need to share personal data with EU firms and organisations. An interim provision for data exchange has been negotiated but if the UK diverges from it, the arrangement will cease with immediate effect. The UK Government continues to consult on how firms wishing to sell into the EU Digital Single Market should meet the certification requirements of the EU Cybersecurity Act, legislation the UK helped develop.
A recent Harvard study ranked the UK third — after the US and China — in its index of 30 ‘comprehensive national cyber powers’. It is doubtless better placed than most countries in terms of national intent, capabilities and partnerships to meet the diverse challenges of cybersecurity. Enthusiastic noises about the UK being ‘safer’ moving forward are, however, misplaced. There are significant operational and strategic challenges for UK cybersecurity cooperation and information sharing in the years ahead. The EU is also losing a highly capable member of relevant EU institutions, although it has been distancing itself from the UK for a while.
The Agreement indicates a lukewarm willingness to cooperate but does little to knit the two parties together functionally. The UK will look to NATO, FVEY and new bi- and multi-lateral relationships for cybersecurity gains, more than to the EU, albeit the participants may often be EU states. The hope in the cybersecurity community is that citizens, firms and national security will not be compromised as a result.
Dr Tim Stevens is a Senior Lecturer in Global Security and head of the King's Cyber Security Research Group.
This piece was originally published in the UK in a Changing Europe's new report Brexit and Beyond.