Tim Stevens & Kevin O’Brien. The RUSI Journal. Volume 164, Issue 3, 2019.
It is not yet clear when, or on what terms, the UK will leave the EU. By 31 October 2019, the UK must decide to ratify an exit treaty, request a further extension, cancel Brexit or opt for a no-deal departure. In the last of these scenarios, it will depart without a formal agreement on its future relationship with its EU security and defence partners. Deal or no deal, there will be consequences for British and European cyber security, as discussed in this article. Cyber security—the technology, processes and controls supporting the protection of computer systems, networks, devices and data from subversion, theft or damage—has not been a major topic in Brexit discussions, either diplomatically or in the public domain. Indeed, given its crucial role in furthering economic prosperity and political stability, it has been rather overlooked.
It may be that parties to the UK’s withdrawal from the EU are relatively sanguine about the limited effects of Brexit on cyber security. For instance, the chief executive of the UK National Cyber Security Centre (NCSC), Ciaran Martin, has suggested that many UK-EU cyber security relationships have little or nothing to do with the EU as such. They instead rely on other bilateral and multilateral frameworks. While this is true—for example, intelligence is shared with Five Eyes partners and NATO Allies—it should not mask the potentially deleterious effects of Brexit on other aspects of cyber security contingent on the EU. The UK’s cyber security relationships with the EU are at least as complex as any comparable defence arrangements under the Common Security and Defence Policy: many cyber security competences fall across multiple fields of security, policing, justice and defence. Moreover, as bilateral arrangements with EU members may at some juncture be subject to the decisions of the European Court of Justice (ECJ), the relationship with the EU will have continuing relevance.
This article addresses a range of factors that should be considered when negotiating the cyber security components of a future UK-EU security treaty (or treaties) under any form of Brexit. This is particularly important in the event of a no-deal Brexit, as neither the UK nor the EU will be working from an agreed understanding of their defence, policing and security priorities and obligations—including those concerning cyber security. This article cannot provide an exhaustive analysis of the possible post-Brexit settlement of cyber security cooperation between the UK and the EU. Instead, it seeks to focus on the post-Brexit cyber security landscape more than existing EU cyber security frameworks. The first section suggests that the UK and Europe are working from positions of relative strength in cyber security, although this is not grounds for complacency. Subsequent sections address issues connected to intelligence sharing, cybercrime, and being ‘outside the room’ of EU cyber security decision-making. The article concludes with a call to address cyber security as a strategic priority in any future post-Brexit treaty negotiations between the UK and the EU. The conclusion is that there are reasons to be positive about future UK-EU cyber security cooperation, but this should not obscure the need for urgent and timely interventions on a range of practical and political cyber security issues.
A Positive Baseline
In the first instance, it should be recognised that the UK is in a relatively strong position in terms of its own attitudes and commitments to cyber security. Cyber security will remain a Tier One priority for the UK, as set out in the 2015 National Security Strategy and Strategic Defence and Security Review. Preparations are already underway for the fourth iteration of the National Cyber Security Strategy, following earlier versions in 2009, 2011 and 2016. Government investment in cyber security has been sustained, the most recent tranche being the £1.9-billion five-year investment programme announced in 2016. The founding of the NCSC has been a welcome addition to the UK cyber security landscape and allows for a greater range of proactive public-private interactions than ever. The NCSC is a hub around which multiple other industry, education, standards and technical initiatives gravitate and is widely considered a potential model for other countries to emulate. The UK has also adopted new data protection and critical infrastructure regulations that will improve cyber security and consumer confidence. On the commercial side, the UK has a vibrant and innovative cyber security industry worth at least £5.7 billion a year, which works in partnership with government to deliver its strategic objectives. Concerns abound, however, about how this industry could be harmed by any form of Brexit—especially a no-deal one—given tangible evidence of falling corporate investment in the UK and a reduction in the number of cyber security professionals coming from the rest of the world to work in the UK. This comes at a time when there is already insufficient cyber security talent to meet global demand, and when British companies' own spending on cyber security services is, on the whole, rising year on year.
The overall picture is one in which UK companies are increasing their demand for cyber security skills in an already severely tight labour market; a significant share of those skills is sourced from a global market that itself faces a deepening shortage.
At the international level, the UK has also demonstrated its willingness to engage with external partners in the form of intelligence sharing, norms promotion, and diplomacy around attribution of cyber operations to foreign actors. The Attorney General’s Chatham House speech of May 2018 was well-received internationally, as it set out in measured and principled fashion the UK’s continuing commitment to the rule of international law in cyberspace. These ambitions were demonstrated in practical terms by the UK’s public attribution, in coordination with security partners, of cyber operations to Russian military intelligence in late 2018. The UK’s consistency in this respect suggests that it is developing a coherent approach to both theory and practice across a number of policy areas that pertain to state behaviours in cyberspace, not least in the diplomatic domain.
The UK takes seriously its relationships with its EU partners and senior British officials have expressed their confidence that Brexit will not materially affect UK-EU cyber security cooperation. Institutions like the NCSC have received ‘clear instruction’ from the Cabinet Office to ‘cooperate unconditionally on European security’. Cyber security received specific attention in the Political Declaration of November 2018, which identified cooperation in cyber threat intelligence-sharing and continued partnerships with key EU cyber security institutions as strategic priorities for both parties. However, the Declaration is not legally binding and will be irrelevant in the case of no deal. Other structures will continue. The April 2018 transposition into UK law of the EU Directive on Security of Network and Information Systems (NIS Directive) is a crucial aspect of both UK cyber security and EU cyber resilience strategy and will persist after Brexit, with or without a deal. The NIS Directive regulates and incentivises national cyber security capabilities and critical infrastructure cyber security. In the UK, all essential sectors—such as water, energy, finance, health and transport—now have an established Competent Authority (CA), responsible for the oversight and enforcement of improved cyber security measures and incident reporting. Where preventable cyber security incidents lead to serious adverse effects on essential services, the CAs are authorised to levy large fines on the offending operators. The directive also encourages transnational collaboration, including through the NIS Cooperation Group and the Computer Security Incident Response Teams (CSIRTs) Network.
Government has reaffirmed many of these ambitions and initiatives in subsequent statements and more formally in the 2018 National Security Capability Review. None of these attributes and aspirations are likely to be greatly affected by Brexit, but nor are they grounds for complacency. Indeed, there are already a number of issues and concerns confronting the UK’s approach to cyber security irrespective of Brexit. Recent public statements by government officials over Huawei and 5G supply-chain security indicate the complex interdependencies of telecommunications policy, industrial investment and geopolitics. Others have suggested that the UK government’s approach to Huawei, specifically, is ‘at best naive, at worst irresponsible’. This may become an area of divergence from EU partners: the UK, Germany, France, Italy and other leading EU countries have each yet to settle on a consistent approach to whether Huawei may participate in their 5G build-outs, in the face of bans recently enacted in the US and Australia.
As noted above, warnings continue about a cyber security skills shortage in the UK. At least one parliamentary committee has called into question an apparent lack of cyber security leadership at the heart of government. Worryingly, the National Audit Office’s February 2019 assessment of the current National Cyber Security Programme finds that the UK government is unlikely to deliver on most of its stated strategic outcomes by 2021. Some, or indeed all, of these could have an impact on the UK’s future cyber security relationships with the EU. And, notwithstanding warm words to the contrary, there are other problems ahead in the way that the EU and the UK interact on cyber security issues.
Cyber Threat Intelligence
Cyber security is an inherently transnational endeavour, given the nature of the internet and other information networks which sprawl across multiple jurisdictions and regulatory boundaries. Effective cyber security is therefore contingent on the exchange of high-quality cyber threat intelligence (CTI)—and consequent remediation and mitigation actions—between key stakeholders, which include government security and intelligence agencies, cyber security firms, organisations like computer emergency response teams (CERTs), and a range of other concerned actors. CTI is mostly derived from open sources and need not be secret in origin, although it may be augmented, where appropriate, with intelligence on prominent cyber actors gained from covert sources. Effective use of CTI gives organisations a clear picture of the cyber threat landscape, enabling them to prevent, deter, or, at the very least, prepare for future adversarial operations. This is recognised in the Political Declaration, which identifies ‘cyber-threats’ as a specific reason for ‘timely and voluntary’ exchanges of intelligence.
One of the key EU mechanisms for the sharing of CTI is CERT-EU, based in Brussels. Its core mission is to help secure EU institutions’ information and communications systems, including through sharing CTI with member states’ CERTs and specialist information security firms. It is unclear what form the UK’s continued interactions with CERT-EU will take in the event of Brexit, as it will not have automatic access to the data of any EU institution, CERT-EU included. Like its counterparts in Norway and Switzerland, neither of which is an EU member, the NCSC is already a member of the European Government CERTs (EGC) group, which is not an EU body, and of the global Forum of Incident Response and Security Teams (FIRST). These organisations focus beyond the EU institutions that are within CERT-EU’s purview. The UK may look to the EGC for greater cyber information sharing—but the EGC is an informal club of only 12 (plus CERT-EU), in contrast to the 27 member-state CERTs with which CERT-EU shares. The Political Declaration affirmed each party’s commitments to ‘security and stability in cyberspace’, the need to share intelligence products and to cooperate in efforts against cyber threats, and the desirability of continued UK involvement in CERT-EU and the EU Agency for Network and Information Security (ENISA). These are admirable and necessary ambitions but have no legal effect in the absence of a negotiated settlement, nor is there any precision or clarity over how these outcomes might be achieved. All the more reason, therefore, that they should be part of any future negotiations over cyber security.
The UK will therefore become a ‘third country’ in most post-Brexit scenarios, unless it can negotiate an alternative status before 31 October 2019. There is a historical precedent: the 1997 Treaty of Amsterdam afforded the UK, by virtue of its then-status as an EU member, access to Schengen Area cooperative frameworks, including the Schengen Information System (SIS) security and law enforcement database maintained under the auspices of the European Commission. Unlike Norway and Switzerland, the UK cannot fall back on Schengen membership should it withdraw from the EU; Brexit therefore threatens its SIS access. Similarly, if the UK wants access to CERT-EU data, particularly in a no-deal situation, it would have to negotiate that access, but from a significantly weakened negotiating position. At that point, it will be outside the EU and excluded from EU agenda-setting and decision-making processes. As such, it may be forced to accept EU priorities and stipulations that would not have arisen otherwise, including being bound, at least to a degree, by the decisions of the ECJ as a condition of ‘doing business’ with the EU. It is undoubtedly the case that the EU would prefer to be able to share CTI with the UK through existing frameworks because the UK is a substantial producer of CTI and a major cyber security player in its own right, but the UK cannot rely solely on its relative strengths to incentivise the creation of future information-sharing arrangements. By the government’s own admission, in a no-deal scenario ‘the ability to cooperate on cyber with the EU would be less certain and would depend on the continued willingness of all partners to share information, exchange best practice and work together to identify evolving threats’. While true, this is not an exhaustive list of requisite foundations for cooperation, not least of which must include the existence of a treaty enabling cooperation in law, rather than on the basis of aspirations alone.
Brexit will affect some forms of CTI, but not all; it will also not affect many other strategic and operational intelligence-sharing arrangements existing alongside those covering CTI. The EU has some intelligence-sharing mechanisms—the Club de Berne, an informal and voluntary forum of EU member states’ security and intelligence services, and the EU Intelligence and Situation Centre (INTCEN) of the European External Action Service—but these have often been accused of being ineffective, largely because of mistrust between national intelligence agencies. The Counter Terrorism Group, comprising the security services of EU countries, Norway and Switzerland, has been a notable success, and the UK is expected to remain part of it, but it is not an EU institution. In 2018, Director General of the Security Service (MI5) Andrew Parker drew attention to the need to deepen relations between British and other European intelligence agencies, presumably as an attempt to forestall concerns over Brexit. Brexit will not immediately affect how the UK shares most intelligence with European partners, as it can do so through existing or new relationships (NATO or bilateral arrangements, for example) with no basis in EU law or institutions. Sometimes this will have a cyber component: the recent public attribution of cyber incidents demonstrates this in action, as the UK and other countries, including in the EU, banded together in various configurations to identify the perpetrators. European countries will want to maintain those relationships, as UK intelligence is highly regarded abroad. So too are its deep links with US intelligence structures, although UK intelligence chiefs have made it plain that they oppose any attempts to make intelligence-sharing a bargaining chip in EU-UK negotiations.
In one specific area of intelligence and security cooperation, Brexit may have serious and undesirable effects. In terms of volume, by far the biggest cyber security challenge is cybercrime, and Brexit will impact the UK’s policing and judicial counter-cybercrime capacities. Europol, its European Cybercrime Centre (EC3) and Eurojust are important forums for EU-UK cybercrime cooperation. Europol’s Secure Information Exchange Network Application (SIENA) and Europol Information System (EIS) have become invaluable tools for the secure and rapid exchange of sensitive data between European law enforcement agencies, including the National Crime Agency and other UK forces. The UK—with Germany—is the highest contributor of information to various Europol intelligence projects, including on cyber security. It also often leads on Europol operations, and a Briton, Rob Wainwright, was director of Europol between 2009 and 2018.
In a no-deal situation, the UK will relinquish membership of these agencies and access to their intelligence platforms will be seriously disrupted, based on how EU law—in the development of which the UK played its part—operates. This would affect all institutional frameworks and structures with a basis in EU law, like Europol and Eurojust. In the case of a no deal, the UK would become overnight a ‘third country’ with respect to EU mechanisms and would be excluded a priori from information-sharing arrangements, including key policing databases. UK police cannot assume continued access to EU databases on an ad hoc or de facto basis after Brexit: Article 8 of the draft Withdrawal Agreement clearly states that the UK must ensure ‘it does not access a network, information system or database which it is no longer entitled to access’.
Former Europol Director Wainwright acknowledged while still in post that the UK would face ‘impediments’ to information sharing after Brexit. This is perhaps a diplomatic understatement, as it is unclear on what grounds the UK could reach an agreement on information sharing with Europol if a deal cannot be reached before the UK leaves the EU. It will not be a full member, being outside the EU, and would have to broker a third-country ‘operational agreement’ with Europol. The UK government has indicated that no third-country precedent satisfies its ambitions. It might be possible to negotiate a Denmark-style agreement (Denmark is in the EU but not in Europol), but this would require the UK to accept the jurisdiction of the ECJ. This would be unacceptable to many pro-Brexit members of parliament, but outgoing Prime Minister Theresa May indicated her willingness to accept the remit of the ECJ in this particular instance if it means retaining some of the benefits of membership of Europol and other EU agencies. It is unclear whether the post-May government will adhere even to this minimal concession with respect to the jurisdiction of the ECJ over UK affairs. There still exists the possibility of a ‘bespoke’ arrangement with Europol, but all likely scenarios see the UK relegated from the core to the periphery of Europol operations and leadership.
It is hard to find any British or European commentators who relish this prospect. At present, only EU countries are allocated a voting place on the Europol Management Board and a non-EU UK would presumably be therefore excluded. British suggestions for a bespoke arrangement, such as by the House of Commons Home Affairs Committee, propose that the UK retain its place on the board ‘with a formal say in the strategic priorities and direction of the agency’. At first blush, it is hard to imagine the EU acceding to this but the committee justifies this proposal because it reflects ‘the UK’s leadership role in [Europol] since 2009, and its world-leading strength in policing and intelligence’. There is at present no treaty mechanism to allow this to happen and it would require a European Council decision to amend facilitating legislation. The obstacle is therefore not so much legal as political, and it remains to be seen whether this British argument can persuade the Council, especially as not all in the EU accept the claims that the UK is a net security contributor. Without it or something similar, the UK’s capacity to tackle cybercrime and many other issues will be diminished over the short-to-medium term. Notably, the EU will be affected similarly.
Outside the Room?
This situation points to one of the more vexing aspects of Brexit. If the UK leaves the EU, particularly if no deal is reached, it will effectively relinquish its capacity to shape EU policy and strategy in multiple fields, including cyber security. Its negotiating leverage as a third country will be limited and its ability to contribute to internal EU defence and security debates will be severely restricted. Diplomacy will continue and the UK will still be a member of other European institutions, like the Council of Europe and the Organization for Security and Co-operation in Europe (OSCE), but it will not be a leading member of the EU as it is now. The House of Lords has noted with concern the implications of being ‘outside the room’ of security decision-making. In the absence of treaty mechanisms that outline specific arrangements to the contrary, the UK will, as outlined above, de jure be a third-party state to many of the cyber security arrangements in which it presently plays a shaping, if not leading, role. Options are possible that would enable the UK to participate in these institutions, but there is no reason to assume these will be as beneficial to the UK as before Brexit.
This break will occur just when both the EU and the UK are making important steps forward in cyber security. ENISA is in an expansion phase, with a permanent legal mandate probable in 2020, and will play a greater role in cross-EU cyber security coordination and certification, backed by higher levels of funding and resources. The UK is capitalising on increased government investment in cyber security and, through the NCSC and its programme of work, has revised how it interacts with cyber security stakeholders, an approach that seems to be bearing fruit. The UK’s Active Cyber Defence programme, for example, is a suite of technical initiatives that brings together public and private entities to tackle cybercrime in the UK and, potentially, elsewhere. The UK and the EU have found new ways of working together, albeit with the UK as a full member state. The incorporation into UK law of the NIS Directive, for instance, is an important regulatory move towards incentivising better cyber security in critical infrastructure systems. This is not to suggest that either body has ‘cracked’ the cyber security nut—no one has—but each is engaging with cyber security, and with each other, in robust and productive fashion.
Following Brexit, each party will find it that much harder to work with the other, although one should not discount the high levels of trust that pertain in information security and transnational policing communities as a mitigating factor. It will be impossible for the UK to remain a member of the NIS Cooperation Group or the CSIRTs Network without a legal foundation, or to have a formal role in the determination of future changes in EU cyber security or data protection regulation. The UK is compliant with the EU General Data Protection Regulation 2016, but what arrangements will be forthcoming for ensuring compliance, upon which UK-EU trade in services may well depend, should EU regulations change in the future? Lessons will doubtless have to be learned from the EU’s data protection arrangements with other third countries, such as the ‘adequacy’ decisions for Japan and Switzerland and, for the US, the Privacy Shield framework. In these cases, the European Commission has determined that the third country (or, for the US, organisations certified under the framework) provides an adequate level of data protection, thereby allowing personal data to be transferred from the EU to that destination without additional safeguards.
However, as senior officials past and present have correctly noted, the UK is not as reliant on the EU for cyber security purposes as some might think. The UK is an important member of NATO, which has its own cyber security objectives, although these are more ‘defence’-oriented than those of the EU. It supports the Convention on Cybercrime of the Council of Europe, which is not an EU institution, and will continue to encourage others to sign and ratify the convention, despite its flaws. The UK is involved with cyber security confidence-building measures via the OSCE, which include a range of information-sharing and crisis management initiatives. It was also the initiator of the London Process in 2011, which provides for the international exchange of views between governments, civil society and the private sector. This international role is further underlined by the 2018 Commonwealth Cyber Declaration, announced in London by Prime Minister May, which affirmed the need for international cyber security cooperation across the 53 members of the Commonwealth, particularly in the area of cybercrime. This commitment was bolstered by £15 million of additional funding to Commonwealth partners to carry out cyber security capacity reviews, in addition to the cyber security capacity-building programme already in place at the Foreign Office. The tilt towards the Commonwealth may indicate a quiet shift towards exploring export and influence opportunities afforded by deeper cyber security relationships with Commonwealth countries. This would also serve to bolster the UK’s trade portfolio under the ‘Global Britain’ rubric.
Brexit will not affect in principle the dominant position of the US in both US-UK and US-EU security relations, but it will influence the character of these relationships. The UK’s principal security partner will continue to be the US and, whether EU countries like it or not, the US will persist as their key security ally too. In cyber security policy and practice, the US is the global leader, and where the US goes others tend to follow, albeit sometimes reluctantly. Following Brexit, however, might the UK lean away from the EU and further towards the US to shore up a creaking ‘special relationship’? Will it be able to continue acting as a bridge between the US and the EU on issues like data protection and cyber resilience? Indeed, will the UK be able to fulfil this role at all if it ceases to be, in the minds of both itself and Five Eyes partners (especially the US), a gateway to European partners for cooperation and insight? And—given the reported recent Cabinet decision to allow Huawei a limited role in the UK’s 5G network development—how might this affect both its security relationship with a US government vociferously opposed to allowing Chinese telecoms giants into the US domestic market, and its need to form new relationships with China in a post-Brexit trade settlement?
In any of these scenarios, the UK will continue to have good relationships with most EU countries, with shared values and interests, as noted in the Political Declaration of 2018. This situation is challenged by domestic political forces across Europe, including those expressed in Brexit, but there are reasons to be optimistic when thinking about future international cyber security cooperation and coordination, although there will inevitably be some recalibration of priorities and activities. Not least, the UK and the EU will find common cause in countering active cyber threats emanating from states like Russia and China—and those states’ cyber diplomacy—and perhaps in mitigating a growing rift between the US and its transatlantic allies.
As with so much else, the contours of the future UK-EU cyber security relationship are contingent on the broader political-strategic context, including the presence of sufficient goodwill on either side as may survive the current state of uncertainty and acrimony. The mutual interest in cooperation and collaboration will be affected by the conduct and outcome of UK-EU negotiations, but too much has already been developed—and too much is at stake—to damage irreparably, let alone abandon, the close working relationships already in place. It is true that many aspects of cyber security cooperation will continue as they did before, but the UK and the EU will have to work harder than ever to maintain the quality of those interactions, while others may vanish without formal frameworks to sustain them. As outlined above, this will be particularly necessary in the fields of information sharing and cybercrime, arrangements for which may require new legal mechanisms subject to the jurisdiction of the ECJ.
Moreover, if the EU and the UK are required to negotiate two security treaties—one on ‘internal’ police and security matters, the other on ‘external’ defence and foreign policy cooperation—how will cyber security, which is rooted in both, be dealt with? UK government statements on Brexit say little about the role of cyber security as an object or driver of defence strategy or foreign policy, and hint instead that it would fall under an internal security treaty. This is not unreasonable, but, given the diversity of cyber security issues—from cyber threat intelligence sharing to cyber defence, cyber resilience, and nation-state cyber-enabled information operations—there will need to be greater attention to cyber security in any forthcoming UK-EU treaty negotiations. In the absence of a withdrawal treaty, it is likely that at least one defence and security treaty will be needed, in which cyber security must be addressed by both parties as a strategic priority.
It remains to be seen how Brexit will affect the UK’s reputation in defence and security, particularly if a withdrawal agreement cannot be approved by Parliament. In respect of cyber security, for example, will Brexit impact the UK’s stated objective to strengthen collective cyber security through deepening ‘existing links with our closest international partners’? Britain’s international cyber security networks and working relationships will not wither away after Brexit, but it is naive to expect they can remain precisely as they did before the UK’s exit from the EU. Perhaps what is needed is for the UK to rediscover and reassert its fabled pragmatism, as a component of what Lord Ricketts has called ‘an energetic, active, distinctive British foreign policy’. Cyber security can play its part in promoting this ambition, capitalising on its undoubted strengths in this field while at the same time recognising where it needs to bolster its efforts in respect of its European partners. If, as the industry adage has it, ‘cyber security is a team sport’, the UK needs to recognise and embrace this as a matter of urgency, rather than inadvertently damage national cyber security obligations and aspirations.