regaining national sovereignty poses problems for cybersecurity because the internet is inherently transnational
Cybersecurity experts have long focused on protecting the information and networks of individuals and organizations. Now in addition to that never-ending task, they must also devote attention to organizational arrangements threatened by the political trend of multi-national rejectionism, such as the British exit—“Brexit”—from the European Union (EU). This broad push for regaining national sovereignty poses problems for cybersecurity because the internet is inherently transnational. Fortunately, there are models for preserving cybersecurity cooperation even as international ties weaken.
At present, cybersecurity matters within the United Kingdom (UK) are addressed by an array of national and EU institutions, which are largely able to cooperate successfully among themselves. The EU has the European Union Agency for Network and Information Security (ENISA), the principal agency and the only centre within Europe equipped to counter cyber threats. It coordinates and cooperates with national security initiatives and the private sector providing both timely information and real-time threat assessment. Within the EU, intelligence exchange occurs mainly through Europol which assists member nations in countering threats emanating across the border.
The UK has its National Cyber Security Centre (NCSC), whose functions are similar to those of ENISA. The NCSC is responsible for protecting critical institutions from cyber-attacks and coordinates with sister agencies within the UK government (e.g., Government Communications Headquarters or GCHQ, Britain’s intelligence agency). In order to further strengthen the UK’s defensive capabilities, the NCSC’s Active Cyber Defence programme will update necessary security protocols and enhance coordination with relevant stakeholders. The implementation of cybersecurity policies and legal mechanisms in EU are primarily undertaken by the National Data Protection Authorities and the Computer Security Incident Response Teams that operates under the European Cybercrime Centre. Whereas in the UK, this responsibility is mostly undertaken by the National Crime Agency, supported by GCHQ and other designated cybercrime centres operating at the regional level. However, EU’s Network and Information Security Directive (NISD)’s intelligence exchange with foreign and member states are restricted in nature, and only countries having NISD can access its services. Incidentally, U.K has already implemented NISD this year.
There are specific domains such as cybercrime that have a transnational presence, with its servers located elsewhere could threaten both the internal and external security of the nations. Hence, an adequate technical assistance coupled with timely response mechanism is the need. This provides the case for UK-EUROPOL cooperation given that most cybercrime related cases handled by the EUROPOL originate from Britain.
Brexit threatens to sever these cooperative arrangements. The task for policymakers is to retain as much of the synergy between the UK and the EU without compromising the UK’s ability to counter cyber threats.
A mutual legal assistance treaty (MLAT) is one possible mechanism for fostering formal cooperation. These treaties are initiated when international cooperation or intelligence exchange is insufficient, as might be the case in cybersecurity. Under such an arrangement, the UK could issue a letter of request that brings nations together to address a common threat. The treaty could also specify how the parties would apply resources during criminal proceedings or seek necessary guidance for intra-national investigations such as: the preservation of procedural documents, holding of necessary evidence, confiscation of perpetrators assets, jurisdictionally transferring evidence and critical witnesses, and issuing formal appearance of case officers. This opens the door for other regional law enforcement and intelligence cooperation enabling relevant agencies to maximize their capacity in countering transnational organized crime, drug trafficking busts, cybercrime and illegal weapons trade. Under the Act of Crime (International Cooperation) enacted in 2003, there are seven legal mechanisms that ensure mutual legal assistance within the EU.
When broad political ties are severed, mutual legal assistance treaties specific to cybersecurity will have to fill the resulting void
Clearly, Post-Brexit cooperation between UK and EU will depend on the establishment of an MLAT that satisfies both the UK’s and EU’s interests and facilitates seamless cooperation. There are numerous multilateral MLATs already in place such as the Convention on Mutual Assistance in Criminal Matters, 2000 which was ratified between EU member nations, which policymakers could further strengthen during Brexit negotiations. Cooperation, both bilateral and multilateral, is essential if the UK and EU are to combat successfully the threats of transnational organized crime and cybercrime.
The rules of engagement in the domain of intelligence exchange between the UK and the EU, has implications for the US as well. Even though the EU’s relationship with the US is different than with the UK, there are potential insights that could help the US strengthen its own cooperation with the European Union. The bilateral relationship between the US and UK is a valued one and both had been cooperating across the Atlantic, with the UK providing the US a gateway to the European community. This could also change as a result of Brexit, and the US may generally have to engage with the EU more directly than before. While Washington can continue to share some forms of intelligence bi-laterally with London so long as the latter remains a member of NATO, intelligence sharing on matters of cybersecurity could become more complex and difficult. The US may have to find a new gateway to Europe – Berlin? Paris? Or other? To what extent can the US, UK, and post-Brexit EU continue to cooperate against growing and persistent cyberthreats? The US must prepare now for the worst-case scenario, where Brexit leaves temporary institutional gaps that cyberthreats could exploit.
As the impulse to assert sovereignty is not limited to the UK, the reworking of cybersecurity arrangements among the UK, EU, US, and other partners will likely have the opportunity to apply lessons learned in Brexit elsewhere. When broad political ties are severed, mutual legal assistance treaties specific to cybersecurity will have to fill the resulting void. This will require active engagement from the cybersecurity community to identify the specific gaps. Aside from the technical aspect, cybersecurity experts will also have to communicate the urgent need for these kinds of arrangements because there are a number of political challenges to overcome. As Brexit demonstrates, a significant rupture does not create a mood fostering cooperation. Also, countries often hold quite different views on the politically charged topics of intelligence sharing and privacy, both of which are critical for cybersecurity. Nonetheless, the failure to cooperate can lead to far worse outcomes.
Anant Mishra is a researcher in homeland security and counterterrorism at the Gujarat Forensic Sciences University in India. The views expressed in this article are those of the author and do not necessarily reflect those of the U.S. Army War College, U.S. Army, or Department of Defense.
Image: Laptop from Markus Spiske via Pexels.com under creative commons license. Flags via FlagsOfTheWorld.info under creative commons license
Photo Credit: Image composed by Tom Galvin