The clock is ticking for the United Kingdom, as we enter the final month of the two-year Article 50 negotiations period, which allows the UK to secure a Withdrawal Agreement from the European Union. While at this stage in the process the output of the negotiations seems to suggest that the UK will unavoidably leave the Union without a deal, little has been said with regard to post-Brexit security relations – let alone cooperation on cybersecurity. The latter constitutes a cross-border and cross-sectorial challenge for EU member states, whose critical infrastructure has been increasingly digitalized and hence more interconnected and interdependent. Consequently, potential systemic cyber-attacks will need to be prevented and managed, starting from prompt cooperation between national intelligence teams. So far, this has been the aim of the EU’s cybersecurity initiatives, which envisage a new level of coordination at the EU level. In the aftermath of Brexit, will it still be possible for the EU and the UK to build trust, strengthen cyber capabilities, and manage cyber-crises jointly were they to occur?
No clear assumption has been made during Brexit negotiations indicating what will need to change in order to keep the UK in the EU’s cybersecurity framework. This absence did not go unnoticed, attracting criticism of the EU’s negotiating strategy. However, the issue was intentionally kept out of the agenda. The reason being not wanting to spoil the menu of trade and economic negotiations with the salty UK bargaining chip of security and defence policy. The 2019 Munich Security Conference (MSC), a sort of “Davos” on security starting on February 15, might challenge this. Indeed, Theresa May, Prime Minister of the UK, could use the platform – as she did at last year’s MSC – to remind European allies of the importance of a close security relationship after Brexit. In her 2018 speech, she stated that threats of cyberwarfare, terrorism and organized crime demand close cooperation among countries and called for a new security treaty. However, this commitment to the security of the Union was pushed back by EU member states that unanimously agreed on not mixing security issues with Brexit negotiations.
While negotiations on the future relationship remain fraught with hurdles, it is compelling to try to foresee how co-operation on cybersecurity between the UK and the EU will evolve after Brexit. Some experts have argued that to deal with the emerging threats of the XXI century, the EU and the UK will need each other after Brexit more than ever before. Overall, three pieces of evidence build up a strong case for the UK to side with EU countries to keep fighting the emerging cybersecurity challenges. Firstly, the UK’s share of military capabilities, which accounts for almost 30% of the overall EU arsenal, is too little for the UK to stand alone and yet too extensive for the EU to attempt to build forces to meet transnational challenges without them. Secondly, crisis responses to major cyber-attacks will require interoperability between NATO’s defence of military assets and the EU’s political cooperation on the protection of civilian assets. Finally, the end of the UK’s formal membership in Europol - the EU’s law enforcement agency collecting cyber-intelligence - would leave the UK unable to both gain information from EU members and contribute to their joint efforts in countering cybercrime.
In terms of military capabilities, European countries would need a greater pool of resources to build a cyber-arsenal. There are currently some 2,500 to 3,500 soldiers in the European cyber-forces, with significant differences between countries in terms of national cyber capacity. The number is low when compared to the size of the US Cyber Command that is about twice as large and is expected to grow substantially in 2019. To maximize European efforts in cyber capacity-building, an estimated $2 to $3 billion annually invested in cyber-means will be required.
Since the cyberspace in which the UK and the EU operate is single and global, investing energies and resources in common law-enforcing initiatives will be vital to all European states. There are great chances that cyber-incidents causing disruption across EU countries will occur in the future, which is why swift collaboration between the EU and the UK will remain the key to the security of EU citizens. The UK is currently the largest European defence spender in NATO, and also one of the two European countries with permanent membership in the United Nations Security Council. In the case cyber operations with highly disruptive effects spread over the European continent, the UK will still be able to intervene in collective defence through Article 5 of NATO and, in particular, by activating NATO’s Crisis Response System. However, the UK would no longer be assisted by the European Coordinated Response to large-scale cyber-incidents that provides for the EU’s Integrated Political Crisis Response (IPCR). Accordingly, while the UK after Brexit would still be able to play a role in the defence of military networks, a domain currently controlled mainly by NATO, it would struggle to join political responses to cyber-attacks directed at critical civilian infrastructure which “require timely policy coordination and response at the Union political level”. In other words, the UK would find it hard to influence the texts of declarations, considering that non-member states are allowed to side with the EU in a statement but not to amend its content.
So far, operational coordination between the EU and NATO has consisted of exchanges of information and warnings in real-time. This was the case with the 2017 Wannacry cyber-attack, when a ransomware infected over 230,000 systems in more than 150 countries. Following the attack, the UK has been actively supported in cybercrime investigations and campaigns enabling hundreds of arrests by the Joint Cybercrime Action Taskforce (J-CAT) - part of EC3, the Europol Cybercrime Centre since 2014. To ensure an effective response to crises caused by cyber-incidents, concerted work should be built upon between defence operations in the military and civilian domains to ensure that the UK would both benefit from and contribute to European cybersecurity.
Lastly, the UK’s 20-year membership in Europol proved that the EU’s law enforcement organization provides mutually reinforcing incentives for members to contribute and to and not withdraw from it. Even more, following the growth of cybercrime, it became clear that the gathering of cyber-intelligence data could not be sustained by any national agency on its own. According to the British government’s vision for its new partnership with the EU, the pooling of expertise and resources with EU partners enabled the UK “to develop some of the world’s most sophisticated cross-border systems and arrangements in the fight against crime”. Downgrading the UK’s involvement in the institution to that of non-EU countries would result in a loss both for the British government and for its European allies. Nevertheless, the EU's chief negotiator, Michel Barnier, made it clear that the UK could not continue to be a formal member after Brexit, which means that the country might strike a deal to keep accessing intelligence, but London will no longer have a say in operations and decisions. As a result, Europeans will lose out not only on the UK’s pool of intelligence in Europol, but also on the country’s role as a member of the Five Eyes – the intelligence alliance between Australia, Canada, New Zealand, the United Kingdom and the United States, which has been cooperating with Europol via London’s membership.
Finally, EU and UK co-operation on cybersecurity after Brexit will be mutually needed and beneficial. As cyber-threats from hostile governments and non-state actors intensify from the proliferation of sophisticated means of attack, the EU will need to invest more in joint cyber capabilities to avoid costly duplication of military capabilities at the national level, while ensuring the synchronization of its crisis response mechanism with NATO’s operational structures. Erecting barriers to keep London out of intelligence and info sharing will be detrimental to the European Union’s member states since cyber threats transcend physical barriers. As the Brexit chapter comes to an end, Brussels needs to move on to discuss the security of the European continent amidst cyber threats, and quickly.