European Cybersecurity: What Happens After Brexit?

Will Brexit actually happen?

If yes, how and when? What will be the terms?

Those questions have been pondered by millions of people around the world for the past 4+ years, even after the historic vote was passed in 2016.

More specifically, questions surrounding technology and cybersecurity cooperation remain complex, and yet the importance of these topics are coming into clearer focus as the upcoming United Kingdom General election on Dec. 12 draws near.

Here’s a rundown of the issues and international coverage that this topic is getting lately:

  • Back in March 2019, Sam Curry offered this analysis of the cyber implications of Brexit in Forbes magazine. “Ironically, this could lead to the worst possible way to trigger growth in the cybersecurity sector in the U.K. Developing new cyber talent in the private sector hasn’t been constrained by nationality within Europe, and there could be issues retaining or recruiting cyber talent repatriating to their countries of origin or to the continent. There could also be a massive run on consulting and talent in the U.K. not only to staff leaving talent, but to prepare for the regulatory gap that will be created by now absent European directives and regulations. …”    
  • In July of this year, Fortune Magazine reported that Brexit is jeopardizing the U.K.’s cybersecurity — and fueling the rise of the “Splinternet.” Here’s an excerpt:

“…The National Police Chiefs’ Council has cautioned that fall-backs to current information-sharing agreements with European law enforcement agencies “will be slower, more bureaucratic and ultimately less effective. …

“‘It’s a huge administrative nightmare,’ says Ann LaFrance, a partner at the law firm Squire Patton Boggs who specializes in data privacy and cybersecurity issues. LaFrance says that some of her firm’s global clients have commissioned time-consuming and expensive 50-country data protection compliance reviews, to ensure they are abiding by current laws. But, she says, the reviews are complicated by legal definitions that vary by geography and an ever-shifting landscape of rules. Meanwhile, in the U.S., companies also face an increasingly chaotic web of state-level data privacy regulations, she says.”

  • And just a few weeks ago, ZDNet reported that after Brexit, Europe wants a cybersecurity pact with UK: “Brexit is not only about the divorce: with so many under-estimated consequences, it is also about building a new partnership with the U.K.,” said Barnier, speaking at the Web Summit tech conference in Lisbon. “Even when our deal is ratified, that will not be the end of the story. We need to keep in mind that orderly withdrawal is a step — a necessary step, but it is not the destination.”
  • Cyberexperts in Europe made a series of important statements about cybersecurity cooperation after Brexit in this article. For example: Ilia Kolochenko, founder and CEO of ImmuniWeb, said: “Unhindered and unimpeded cybercrime data exchange is indeed crucial both for the U.K. and E.U. Most governmental agencies may require a crystal-clear legal framework to proceed after Brexit, especially when the information involves legally-protected data or cases of criminal prosecution. …”
  • Last but not least, in Switzerland offers a series of videos interviewing Amy Jordan, cybersecurity delivery lead at the World Economic Forum. She describes how: “Cybercrime will cost the private sector upward of $5 trillion over the next five years. The WEF’s Centre for Cybersecurity looks to equip business leaders with the knowledge they need to stop hackers, but as attacks increase, there still aren’t enough experts in the field to help companies combat them.” Jordan offered some solutions at last week’s annual WEF Cybersecurity Summit in Geneva, including some discussions on the aftermath of Brexit on cyberdefense.

More Background on Brexit and the Cyber Ramifications

Back in early 2016, I wrote a blog (before the Brexit vote) which outlined 7 reasons why Americans should care if the United Kingdom (U.K.) leaves the European Union (E.U.).  

Even if you don’t care much about U.K. politics, I think it is still important for Americans to watch how these major organizational changes are implemented in practice in Europe. New changes are happening all the time between federal, state and local governments in the U.S., and global governments are important partners in fighting cybercrime. No doubt, most of these U.S. changes are not at the level of Brexit, but we can learn from how this process evolves.

This thoughtful article by Martina Calleri from Deloitte in Italy outlines what’s at stake for European Cybersecurity after Brexit.

Ms. Calleri states that: “The U.K.’s 20-year membership in Europol proved that the EU’s law enforcement organization provides mutually reinforcing incentives for members to contribute and to and not withdraw from it. Even more, following the growth of cybercrime, it became clear that the gathering of cyber-intelligence data could not be sustained by any national agency on its own. According to the British government’s vision for its new partnership with the E.U., the pooling of expertise and resources with E.U. partners enabled the U.K. ‘to develop some of the world’s most sophisticated cross-border systems and arrangements in the fight against crime’. Downgrading the U.K.’s involvement in the institution to that of non-E.U. countries would result in a loss both for the British government and for its European allies.

Nevertheless, the E.U.’s chief negotiator, Michel Barnier, made it clear that the U.K. could not continue to be a formal member after Brexit, which means that the country might strike a deal to keep accessing intelligence, but London will no longer have a say in operations and decisions. As a result, Europeans will lose out not only on the U.K.’s pool of intelligence in Europol, but also on the country’s role as a member of the Five Eyes – the intelligence alliance between Australia, Canada, New Zealand, the United Kingdom and the United States, which has been cooperating with Europol via London’s membership.”

I also like this YouTube video discussion from ZDNet which describes how the uncertainty over Brexit affects data privacy and security throughout Europe.

Final Thoughts

I have been meaning to come back to this Brexit topic for many months, and with the crucial U.K. elections now just weeks away, it is essential that everyone take notice of the potential impacts to fighting cybercrime, gathering intelligence, attracting and retaining talent within the U.K. and E.U., and many other related cybersecurity issues.

Numerous global companies have operations throughout the U.K. and Europe, and I have spoken with several people that are concerned about their cybersecurity careers in the U.K. Is the fear overblown? Only time will tell. But expect this topic to heat up further, especially if Boris Johnson and the Conservative Party win a working majority in Parliament. 

My view is that all of these delays and back and forth negotiations on Brexit have actually helped technology and security companies, along with impacted governments, better prepare for the likely changes to come. Also, rather than more finger-pointing and fears of doom and gloom (which we saw a lot of in 2017 and 2018), we are now seeing more European and United Kingdom organizations articulate their need to work together and ensure that operational cybersecurity is not impacted by Brexit (in the short run at least.)

Recent announcements on cooperation on cybersecurity are encouraging.