Ok I’ll admit it, I feel pretty sorry for Boris Johnson. That doesn’t appear to be a particularly common consensus based on what I’m reading on social media, but from the cards he’s been dealt for his first year in the big seat, he’s had a particularly rough start. There’s been the ongoing COVID-19 pandemic, protests over civil rights concerns, and the little issue of drafting a deal for the UK’s exit from the European Union. Talk about throwing yourself into the deep end? 

At first glance, the Brexit deal seems like a good one. Britain is keeping close ties with Europe, allowing tariff free-trade and quota-free access to the single market, while operating a level playing field on social, environmental, and labor standards. Britain will also be free from the jurisdiction of the European Court of Justice (ECJ), with monetary contributions to the EU also set to end. 

There is one area of the deal that hasn’t been universally praised, however, regarding the future of Britain’s security. There will be some real adjustment challenges, starting with Britain forfeiting its membership of Europol, Eurojust, the European arrest warrant, and sensitive data sharing agreements like the Schengen Information System (SIS2). There will need to be a sense of proactivity and good faith on both sides, particularly in the first six months after this new arrangement begins. Let’s go into a little more detail on how the deal may affect the UK’s security going forward.

An Evolving Partnership with Europol

Whatever way you slice it, the UK will have a reduced capacity to receive real-time data, and influence over the organizations it previously sat on, including Europol and Eurojust (European Union Agency for Criminal Justice Cooperation).

The Home Office has said the post-Brexit agreement will include greater control over certain information and processes, such as streamlined extradition arrangements, fast and effective national DNA exchange, fingerprint and vehicle registration data, and continued transfers of Passenger Name Record data. Yet both the National Crime Agency (NCA) and National Police Chiefs Council (NPCC) have previously expressed concern over security post Brexit. The NCA is likely to have to reorganize hundreds of operations that typically would be conducted in partnership with Europol. 

Increased time on Europol investigations

Previously the UK could send a “European Investigation Order” to countries within the EU, a legally-binding request to gather evidence by a specific deadline. On  January 1st, this power was lost. The UK must now submit  a “Letter Rogatory”, an internationally-recognized diplomatic request for assistance. These have typically been slower, and nations have been known to take too long to respond. As with any investigatory process, timeliness is one of the critical components; if critical information is received too late to act on, it is ultimately worthless.

This is a critical blow to the security landscape, as Europol-coordinated efforts have resulted in remarkable successes for the arrest of cybercriminals in recent years. In our blog Recent arrest and high-profile convictions, we analyzed the impact of the “DisrupTor” operation on the cyber threat landscape. This joint operation was conducted by the US Department of Justice in cooperation with Europol, which resulted in the arrest of 179 individuals’, and the seizures of USD 6.5 million and 500 kilograms of illicit substances.

The successful operation was summarised by Europol’s European Cybercrime Center (EC3), who stated “the hidden internet is no longer hidden, and your anonymous activity is not anonymous,” and that “the golden age of the dark web marketplace is over.” The DisrupTor operation highlighted the importance of cooperating with Europol to conduct critical security operations.

Giving up the possibility to orchestrate and influence this kind of operation undoubtedly constitutes a significant setback for the UK. However, DisrupTor demonstrates that it will still be possible to establish fruitful partnerships between Europol and third parties to conduct critical operations. The UK could seek an arrangement with Europol in the same way the U.S does (i.e. an associative relationship), in which Britain can borrow Europol’s investigatory powers but not ultimately influence the organization. I’d like to hope the UK government looks at that as an option. 

Decreased participation in Europol meetings

The BBC have also confirmed that the UK has reached an agreement on extradition and will be able to sit in on meetings of Europol , which also is reportedly “on a par with the best other [third party] countries have achieved”. There is also the possibility for new relationships to be conducted with partnerships outside of the EU in due course.

I think the point to take away from this is like with any new arrangement, there will be many headaches for those who are used to the old arrangement, but this is just something that’ll need to be factored in when conducting new investigations. Those requests will need to be made in as good a time as possible, with appreciation given for, ironically, an additional level of bureaucracy. Europol themselves have commented on the need for transparency and effective intelligence sharing to combat cyber threats, so in an ideal world close cooperation will continue.

Coping with the Schengen Information System (SIS2) Loss

The loss of SIS2 will be particularly difficult. The database is used for border management by front-line police officers, including information on missing peoples, cars, or other items of interest. This database was reportedly used half a billion times in 2020, with the database used to inform police officers of intelligence surrounding persons of interest (including criminals and terrorists), vehicles, and prohibited items. 

However, the UK will continue to receive data from the Prum Convention System, which includes exchanges of DNA, vehicle registration data, and fingerprinting information. For some international criminal gangs, the new relationship between the UK and EU may actually restrict their activities. Greater scrutiny of personal papers, passports, and driving documents (which are often fraudulent or stolen) can be expected at UK border controls. Due to these new processes, evidence of fake and forged passports, driving licences, international driving permits, insurance certificates, and green cards has been already discovered. 

Fake UK passports for sale on Corona Market
Fake UK passports for sale on Corona Market

The Impact of Brexit on Cyber Security

From a regulatory perspective, many of the initiatives that the UK opted into as part of the EU, will continue to apply after the transition period including:

  • The General Data Protection Regulation (GDPR), which has since been adopted into UK law. However, I would like to hope the UK finds a way out of those annoying GDPR popups regarding data privacy and cookie policies – everybody hates those.
  • The Network and Information Security (NIS) Directive, which was the first piece of EU-wide legislation on cybersecurity, will continue post-Brexit. It provides legal measures to boost the overall level of cybersecurity in the EU, including increasing preparedness for cyber security incidents, cooperation across member states, and enhancing an overall security culture. The continuation of this directive will be received with warm welcome from anyone who works in information security. 

From a cyber threat perspective, activity from state-sponsored actors and cybercriminal actors is becoming increasingly brazen, and in many cases, highly destructive. The WannaCry incident of 2017 highlighted how quickly an impactful cyber attack can spread, perhaps beyond the scope originally intended by the threat actors responsible. EU countries have more connected digital networks than ever before, but for many years cyber security issues were handled at a national level. That created a pretty obvious weak link, which cybercriminals were only too pleased to exploit. 

In the past year, ransomware activity has skyrocketed in both volume and success. Threat actors managed to accumulate enormous profits in 2020, ensuring activity will continue to escalate in the following year. December 2020 also saw arguably the biggest cyber event of the year, with the Solarwinds supply chain compromise resulting in a potential compromise to the networks of over 18,000 Solarwinds corporate clients. This operation has since been attributed to a probable Russian state-sponsored group, and highlighted the potential risk from global supply chains.

Countering professional criminal gangs and terrorism will always entail huge challenges. While UK police and intelligence services are second to none, their access to shared datasets containing critical real-time information has been severely restricted. I have no doubt that the future relationship will change over time; however, in the short term, law enforcements and intelligence bodies will likely find conducting investigations that much harder. It is essential that cross working and cooperation continues from both sides of the channel in 2021 and beyond. Despite the four years of posturing from both sides, our citizens’ safety, our data, our financial wellbeing, will always be one of the most important priorities for any government.