Cybersecurity – the pursuit of security of, in and through computer networks – is probably not the first thing that comes to mind when thinking about Brexit. It can be an obscure technical affair, after all, associated in the popular imagination with computer scientists, hoodied hackers and the arcane world of secret intelligence.
However, cybersecurity is threaded through many of the major social, political and economic challenges of the 21st century. From foreign interference in electoral processes to data breaches and cybercrime, and from the integrity of online commerce to cyber-espionage, digital surveillance and visions of cyberwar, cybersecurity has diverse aspects that concern government decision-makers, businesses and citizens alike.
It is often observed that security thrives on certainty and stability. If we can understand the road ahead, we can better plan and prepare for the future. If we cannot, we struggle to develop policy and strategy to guide our actions and deliver benefits to our citizens and our allies.
Given the uncertainties around Brexit, how should we understand the likely impacts of the UK’s departure from the EU on cybersecurity?
The answers to this question are understandably complex and varied, and we will be publishing a full report in due course. In the meantime, though, here are some core themes that have emerged from our research and engagements.
Cybersecurity is an inherently transnational enterprise and ‘team sport’. As the internet is global and extends across national borders, as well as blurring conventional distinctions between ‘public’ and ‘private’, securing computer networks and the services dependent upon them involves many countries, industrial sectors and expert networks of multiple types.
Brexit does not mean that the UK will withdraw from these structures overnight, or at all. For a start, many of the frameworks that drive better cybersecurity are not dependent on the EU.
The UK’s intelligence agencies will continue to contribute to and derive benefits from the Five Eyes partnership with our closest Anglophone allies. Our armed forces will maintain their intimate cyber defence relationships with NATO and its members. Neither is contingent upon the EU for their effectiveness.
These forms of cybersecurity cooperation will persist, Brexit or no Brexit.
However, there are questions around transnational policing, which involves UK membership of EU organisations such as Europol – the EU’s agency for law enforcement cooperation – and its subsidiary the European Cybercrime Centre (EC3). The UK will lose its seat on Europol’s management board and has yet to secure any special status that would ensure continued close cooperation.
In practice, it is highly likely that these forms of cross-border policing and intelligence cooperation will be deemed ‘too big to fail’, but the simple fact is that we do not yet know what this will look like post-Brexit and what the potential impact on UK counter-cybercrime activities will be.
As with Europol decision-making, the UK will no longer be in a position to shape EU cybersecurity policy and regulation from the inside.
The UK has, for instance, recently incorporated EU data protection regulations into national law, but it will not be able to directly influence how those develop in the future. The UK has committed to maintaining ‘equivalency’ between UK and EU data protection frameworks, and may find itself in the position of taking future rules, rather than making them. How will this play out if ‘regulatory alignment’ continues to elicit stridently negative responses in political discourse?
There are other examples of the potential negative impacts of Brexit on UK cybersecurity, such as the ability of UK firms to attract EU cybersecurity talent to meet domestic demand, already a matter of government concern.
But this is not a counsel of despair. In many respects, the UK is well-placed to weather the short-term effects of Brexit. It has strong working relationships with EU partners, particularly at the operational level, and a robust internal policy and regulatory framework driving cybersecurity improvements in many fields.
Neither need be radically affected by Brexit, even as some legal and regulatory adjustments will doubtless be required. There is sufficient trust between the professionals that actually ‘do’ cybersecurity across Europe that the UK will continue to assist and be assisted by its EU partners, whatever the final settlement looks like.
These assessments suggest the utility of two guiding principles for UK cybersecurity as we move beyond Brexit.
The first is that we should not become obsessed with the short-term effects of Brexit for UK cybersecurity. It is not in the interests of the UK or the EU to terminate their long-term cybersecurity partnerships. Where specific lines of engagement and information-sharing require renegotiation, mutual interest should prevail.
The second principle is closely related to the first. Cybersecurity is, after all, a means of protecting and promoting the national interest. The UK has, since 2009, gradually developed a more strategic approach to cybersecurity that recognises these imperatives and attempts to harness resources in pursuit of national goals.
Taking a long-term strategic view of cybersecurity is therefore essential, regardless of Brexit. Even were Brexit not to happen, the present uncertainty is an opportunity for the UK to test its planning assumptions and revise its cybersecurity ambitions for the next decade or so, not least as we enter the planning phase of a new national cybersecurity strategy. Brexit may thereby prompt a welcome re-evaluation of the international dimensions of UK cybersecurity.
We must not allow these considerations of mutual and national interest to be derailed by ideological myopia, political horse-trading or, indeed, schadenfreude. The everyday cybersecurity on which the UK and our European neighbours depend is too important to be a casualty of Brexit.
There is zero room for complacency in UK-EU cybersecurity but, equally, there are few grounds for despondency.
Ultimately, what is perhaps required is a reassertion of the pragmatism with which the UK has traditionally identified itself. This has seemed in short supply of late but cybersecurity is one field in which it has deep foundations and upon which we should capitalise.