How Will Brexit Affect Cyber-security? Total Security

Brexit is here. While the first noticeable consequences in the form of long truck lines, high customs duties, and spoiled food is making the headlines, one important question still remains unanswered: How will Brexit affect cybersecurity and data protection?

 

So far, the EU's cybersecurity strategy has focused on a transnational digital infrastructure, the exchange of information between secret services, and coordinated actions by law enforcement agencies. As of January 2021, Europol, the EU law enforcement agency, and Eurojust, the judicial cooperation agency, have one less member. The European Arrest Warrant (EAW) is no longer valid on the island. And the exchange of important data also entails a huge number of forms.

More Bureaucracy when Exchanging Information

However you turn it around: With Brexit, Great Britain will lose immediate access to real-time data and thus an important weapon in the fight against crime. This includes the exchange of DNA, fingerprints, vehicle registrations, and passenger data. The British Home Office announced that the Brexit Deal would give authorities more control over the disclosure of this information and more freedom in implementing processes. Still, both the National Crime Agency (NCA) and the National Police Chiefs Council (NPCC) have raised concerns about post-Brexit security. The NCA, which is mainly responsible for international cross-border cases, is expected to have to reorganize hundreds of operations,

The media also confirmed that there was an agreement on the extradition of criminal suspects and that the UK could still attend Europol meetings. According to the reports, the cooperation is regulated in a similar way to that with other third countries. Nevertheless, it is foreseeable that it will take some time before the new agreements take effect and the cooperation can continue with the same effectiveness and speed. There will be no more inquiries via the short official channels anytime soon. Instead, the processing time and the bureaucratic effort for official requests for information have increased significantly - which borders on irony given the main argument in favor of Brexit (“EU bureaucratic madness”).

No More Access to The Schengen Information System (SIS)

Perhaps most painful for the UK authorities is the loss of the Schengen Information System (SIS). The database stores information on unwanted, missing, or wanted persons, vehicles, identification documents, weapons, and banknotes. The system is used both for border controls and for investigative work by the police and security authorities. Europol and Eurojust as well as the respective judicial and security authorities of the Schengen countries are entitled to access.

Great Britain was also able to access the more than 90 million data records (as of 2019). This access has been over since January. Now the around 4.6 million searches fed in by Great Britain even have to be eliminated. The exchange of information, which is regulated based on the Prüm Treaty between several European states (including Germany), is a little better off. Great Britain left the contract in 2014 but later took part in the decisions. Since the Prüm Treaty is not an EU agreement, it remains to be seen how the situation develops here.

Cooperation with Europol Under New Conditions

As a member of the EU, Great Britain was able to send a so-called “European Investigation Order (EIO)” to countries within the EU. The EEA is a legally binding request to collect and surrender evidence against suspected or accused persons within a certain period of time. That is also the end of it now. Now a request for mutual legal assistance must first be submitted on both sides, which is usually sent through diplomatic channels. Of course, this is not the end of cross-border cooperation. However, the bureaucratic effort will probably take up significantly more time - time that is not only decisive for success in investigations in cyberspace.

This is particularly annoying because Europol has shown in recent months how effective rapid cooperation can be in the fight against cybercrime. Be it with the shutdown of DarkMarket, the largest trading platform in the Darknet, or with the takeover of the Emotet infrastructure, which temporarily put an end to one of the most dangerous ransomware variants. The "DisrupTor" operation, which was successfully carried out in autumn 2020, represents, according to the authorities, "the end of the golden age of marketplaces". The operation led to the arrest of a total of 179 people and the confiscation of 6.5 million US dollars and 500 kg of illegal substances.

Europol did not carry out these operations alone, but with the support of various international authorities - including the UK. An end to such cooperation at the international level will also be possible in principle after Brexit. For example, the US and the EU have long had agreements regulating the exchange of information and the appointment of liaison officers. The UK will likely conclude similar agreements. However, the third countries do not have a general right of co-determination in strategic and operational measures by Europol.

Data Protection and Network Security: GDPR & NIS

The General Data Protection Regulation (GDPR) is currently to be transferred from Great Britain to a national law with minimal changes. The "UK-DSGVO" (or UK GDPR) seems to have some special features that can also be relevant for European companies. This includes, for example, the appointment of a data protection officer. Affected are companies that process and store personal data of British persons in the context of marketing measures and customer management and that do not have a branch in Great Britain. The data protection officer must be based in the UK, legally represent the company, and be able to negotiate with data protection officers from the Information Commissioner Office (ICO).

The NIS directive (network and information security) aims to guarantee the security level of network and information systems in the European Union. The measures include the EU-wide development of national cybersecurity capacities, the definition of minimum security requirements, and the reporting obligation for critical infrastructures (KRITIS). The uniform legal framework should continue to exist after Brexit, albeit with a few changes. The focus is primarily on providers of digital services such as cloud services and online marketplaces (digital service providers, RDSPs) operating in Great Britain, who may have to appoint NIS representatives.

Shortage of Skilled Workers Also in Cyber Protection

The cybersecurity industry has been battling a shortage of qualified security, threat intelligence, and IT experts for years. According to the ISC2 study, the number of vacant cybersecurity positions fell for the first time last year, but the deficit is still enormous with 3.1 million workers missing. In Europe, there is a shortage of 168,000 skilled workers, with Germany looking for a total of 61,525 experts in the security sector. There are currently 27,408 cybercrime vacancies in the UK. In the next few years, the situation is hardly expected to ease: 49% of the companies surveyed plan to hire cybersecurity experts within the next 12 months. In a year marked by COVID-19 and shrinking IT budgets, this discrepancy between supply and demand is remarkable. Here too, Brexit could have far-reaching effects on the labor market: while the talent pool in Europe is increasing due to the return of ex-pats and the greater willingness of the British to work on the continent, the shortage of skilled workers in Great Britain will worsen.

The Security Situation Continues to Be Tightened

The timing of Brexit is very bad. Not only because of the ongoing global corona pandemic and the tense economic situation but also from the point of view of cybersecurity. In the past year, the number of ransomware attacks on companies exploded. Cybercriminals have made enormous profits that provide enough capital to continue to terrorize the digital space in the months to come. State-controlled cyber campaigns also reached a new high at the end of the year with the successful attacks on SolarWinds. The economic and political consequences cannot yet be assessed here.

On the other hand, there is at least a small streak of light on the horizon at the border controls between the EU and Great Britain. The higher bureaucratic effort and the stricter rules mean that papers and documents are checked more carefully and more frequently. After just a few weeks, customs officials were able to confiscate an above-average number of forged visas, passports, driver's licenses, proof of insurance, and green cards. No doubt future relationships will also change over time. It is to be hoped that cooperation between law enforcement authorities, in particular, will be expanded and thus become faster and more effective. That would be more than desirable for everyone in the fight against crime and cybercrime.

To prevent cybercriminals install total security.