Cybersecurity has risen rapidly up the political agenda in recent years, what with major attacks like Wannacry and notPetya; more businesses and individuals hit by cybercrime; attempts to grapple with illegal activities and content online; and accusations of attempted political interference in elections.
These have all contributed to a growing awareness of the importance of securing our digital lives, protecting the critical digital infrastructure – the plumbing – and tackling those who misuse and abuse it to cause us harm.
There’s a limit to what a country can do on its own; inevitably there’s a lot of cooperation, and a good deal has been done in the EU. So how will Brexit affect that cooperation?
The UK’s experience and expertise on cyber is widely respected in Europe. In 2019 the EU Member States came together to analyse the security risks and potential vulnerabilities of new and planned 5G networks across Europe.
Against a highly politicised backdrop of US/China tensions, the national authorities produced the most comprehensive assessment that existed at the time, covering technical and, crucially, political risks, particularly around suppliers potentially liable to ‘interference’.
The UK was one of the leading voices in this work, and subsequently a number of countries across Europe decided to reduce or eliminate their exposure to Chinese 5G.
The UK has worked hard with likeminded European countries to attribute clearly responsibility for some of the big cyber attacks of recent years, encouraging others to name the groups and the states behind them, and be ready to sanction those responsible.
Over a number of years, the UK supported work to develop a network of cyber incident response teams across Europe and draw up contingency plans for handling cyber attacks in key sectors like energy, water, transport, as well as healthcare and financial services. UK government and NGOs have been at the forefront of European wide efforts to tackle illegal activities and illegal content online, from child sexual exploitation to terrorism.
In the run up to the European Parliament elections the UK’s National Cyber Security Centre led work with other national election security experts and the European institutions to build up resilience against potential electoral interference and establish an early warning and response network.
But cyber has hardly featured in discussions around Brexit. Mentioned briefly by both sides in their initial positions, it hasn’t taken up much time in the negotiations, as far as one can tell.
The two sides seem to be content for future cooperation in this area to be essentially on an ad hoc basis, as the UK has proposed for wider defence and foreign policy cooperation.
If that is the outcome, both sides stand to lose out, unless they are able to build alternative frameworks for cooperation to backfill at least some of the effective collaboration built up over recent years.
Outside the EU and outside of any formal, structured framework for cooperation, the UK will obviously not have the same involvement in EU cyber security policy, nor in the growing industrial policy strand linked to cyber. And the EU will miss out on the kind of contribution, practical and on policy, that the UK has made to date.
The industrial policy strand of cyber is increasingly important. It’s not just a question of funding, though there are tens of millions of EU funding available to support capacity building, including training, coordination, and public/private partnerships, and this will increase significantly in the years to come.
Last year’s EU Cyber Security Act set out the basis for a European cybersecurity certification scheme covering digital products and services, intended over time to set cyber standards for critical infrastructure, digital services, right down to digital devices.
This set alarm bells ringing with, for example, US business warning strongly that this shouldn’t lead to protectionist measures that lock out non-EU digital services or products.
So what possible alternative frameworks for cooperation might exist?
Well, if we’re in a deal rather than a no deal scenario, there will be scope for the two sides to build some kind of third country relationship in the key areas of practical cooperation on cyber.
Building links with Europol’s cyber crime team and ENISA, for example; possibly continuing to contribute to work on countering cyber attacks, on critical infrastructure or on elections; working to leverage the collective weight of like minded European countries to counter terrorism or child sexual exploitation online.
A chunk of the funding on cyber will be channeled through the European research budget, possibly still open to cooperation with UK universities and other research bodies.
UK business, heavily and increasingly invested in cyber, will need to make common cause with other concerned non EU businesses to work to counter any tendency for, legitimate, efforts to raise cybersecurity standards around digital services and products to morph into something more protectionist.
Some of the cooperation in this area will migrate to NATO. After what was, arguably, a slow start, NATO has significantly picked up its act on the need to address the wider, societal implications of cyber security, for critical digital infrastructure for example.
But NATO will inevitably remain first and foremost focussed on the military dimensions of cyber, offensive and defensive, and work most naturally with military and defence industrial partners, while much of this agenda will continue to require engagement with a wider spectrum of civilian and private sector actors, and a broader approach to building deterrence and societal resilience.
There may be renewed calls to build a wider international alliance of like minded democratic countries on some of these issues, which could indeed be useful, but it doesn’t necessarily address the need to maintain and indeed build on the existing links with the UK’s immediate neighbourhood.
At the hardest end of the spectrum of cyber threats, cooperation between national intelligence agencies will not be directly affected by Brexit. GCHQ will continue to play its role, including through its extensive network of international partnerships. The UK will still wield significant influence.
Overall, the picture is mixed. There are ways to mitigate the disruption to the excellent cooperation on cybersecurity built up with European Partners over recent years, but it’ll require imagination and some effort. And there’s an important industrial and commercial dimension, around digital standard setting, that shouldn’t be overlooked, even as we work though issues of quotas, tariffs and rules of origin.
By Sir Julian King GCMG, KCVO, Oxford Internet Institute and RUSI fellow and ex-European Commissioner for the Security Union.