This is the second installment in a two-part commentary on the implications of Brexit for digital policy. Read part I here.
The UK’s loss of membership of the EU’s law enforcement agency Europol and the Union’s judicial cooperation unit Eurojust are serious concerns stemming from Brexit. Both EU bodies are spearheading the continent’s fight against cybercrime through Europol’s European Cybercrime Center (EC3) and the EC3’s Joint Cybercrime Action Taskforce (J-CAT), with Eurojust facilitating information exchange between member states and ensuring the admissibility of evidence in judicial proceedings. Additionally, Europol’s year old Internet Referral Unit (EU IRU) has also taken on an increasing role in “combatting terrorist propaganda and related violent extremist activities online”.
The UK’s future relationship with Europol is complicated by the timing of the Brexit negotiations, as they will squarely fall within the period for the adoption of Europol’s new regulation. Adopted by the European Parliament earlier this year, the new regulation is specifically aimed at enhancing Europol’s mandate in its fight against terrorism, cybercrime, and other criminal offences. It will also allow the EU law enforcement agency to engage in greater information sharing and enable the creation of specialized internal units to swiftly respond to newly emerging threats. Given that Europol’s new regulation will enter into force in May 2017, London will be in the awkward position of having to decide whether to opt into a new EU legislation while at the same time negotiating the separation from the European Union.
Denmark, which voted ‘No’ in a referendum last year on scrapping the country’s opt-out arrangement on EU Justice and Home Affairs’ laws, has been in a similar predicament as Britain is now. So far Copenhagen’s attempts to negotiate a special arrangement, to remain a member of Europol past the May 2017 deadline, have not produced any tangible results nor noteworthy progress. The most positive remark on the Danish situation was voiced by European Council President Donald Tusk during his visit to Christiansborg in mid-May 2016, stating that “It will not be easy. Maybe impossible.”
One mitigating solution for the UK could be to join Europol’s J-CAT as a non-EU law enforcement partner, in line with Australia, Canada, Colombia, and the United States. Certainly this move will not make up for Britain’s loss of Europol membership or its exclusion from accessing the agency’s comprehensive criminal and counter-terrorism databases, but it will at least allow the UK’s National Crime Agency (NCA) to remain an integral part of the most effective European instrument tackling high-tech crimes around the globe.
Indeed, it would be a tragic turn of events – and a loss for the European Union as a whole – if the UK is forced to break its strong engagement in Europol. This would be especially so given that UK national Rob Wainright is currently leading the agency, and that Andy Archibald, Deputy Director of the National Cyber Crime Unit in the UK’s NCA, is heading the EC3’s J-CAT.
Within the legal domain, previous EU discussions on much needed reform of the Mutual Legal Assistant Treaty (MLAT) process are likely a top concern for the UK’s Crown Prosecution Service. Within the EU, the request for information and assistance on criminal matters is currently still regulated by the 2000 Convention on Mutual Assistance in Criminal Matters, which serves as an MLAT between the 47 member states of the Council of Europe (CoE).
While the British exit will have no impact on the Convention or the MLAT process, London’s decision to leave the EU is nonetheless unfortunate as Britain will be unable to take advantage of the new European Investigative Order (EIO), which comes into force in May 2017. The EOI is specifically designed to serve as a single comprehensive instrument for judicial cooperation within the European Union, thus transitioning from a CoE system of mutual legal assistance to an intra-EU system of actual mutual legal recognition. As such the EOI will introduce mandatory time limits for request execution, to assure that EU information exchanges will receive the same attention as domestic cases, and it will provide standardized EOI forms that will streamline the very bureaucratic and rather chaotic MLAT requesting process. Instead, for the foreseeable future, the UK is now stuck with an MLAT regime that according to the Global Network Initiative is “in need of reform,” given that “the time required to process a request is being measured in months and in some cases years.”
Overall, the curtailment of law enforcement cooperation between the UK and the European Union will be an inevitable consequence of the British exit. Negative repercussions such as a reduction of investigative information shared across the channel and a subsequent drop in the success rate for prosecuting cybercriminals ought to be expected. However, it would be a stretch to assume that Britain plans to adopt an isolationist approach toward cybercrime. With this in mind, the European Union would be best served by keeping the UK on board in Europol’s J-CAT and possibly negotiating a separate EOI agreement with London to strengthen law enforcement cooperation.
Nurturing Tech Start-ups
Despite the EU’s principle of free movement, one of the foremost issues concerning the tech industry across Europe has been the persistent shortage of IT professionals as well as constrained access to foreign talent. This skills shortage is particularly problematic for the UK’s vibrant start-up scene, as highlighted by a 2016 Silicon Valley Bank (SVB) survey.
According to SVB, 57 percent of UK start-up respondents noted that the most important policy issue affecting them is access to talent. Fears of the UK’s exclusion from the European Single Market, as a possible reaction to the re-imposition of restrictions on free movement, have already sparked numerous notions of (1) even more restrained access to foreign talent, (2) an anticipated shrinkage of the UK’s tech labour pool, and (3) UK-based companies migrating to the continent if things turn ugly.
Yet, as it currently stands the UK is still the top destination for tech start-ups in Europe. According to an assessment by advisory firm GP Bullhound in June 2016, around 40 percent of Europe’s 47 ‘unicorns’ – start-ups valued at $1 billion or more – are headquartered in the UK. In 2015, London also topped Nesta’s European Digital City Index (EDCi) ahead of all the other EU capitals and 7 hub cities, on account of its relatively easy access to capital, flourishing entrepreneurial culture, and knowledge spill-over effects. However, the UK is also home to the most notorious start-up collapse, with e-commerce firm Powa Technologies going bust in February 2016, after being valued at $2.7 billion only 20 months prior.
Compared to the other 27 EU member states, start-ups in the UK also take advantage of Britain’s progress in regards to the EC’s Digital Market Strategy. Currently the Digital Economy and Society Index (DESI) ranks Britain 6th out of 28, while it ranks 3rd within the EU when it comes to human capital. Given these numbers it is not surprising that even Andrus Ansip, EC Vice President for the Digital Single Market, noted that “the UK is a big, powerful country with a highly developed digital sector but, in or out, the EU will still need good relations in this field with the UK.”
The post-Brexit era will be a challenging environment for UK tech start-ups, as they will have to operate in a climate of continuous political uncertainty, persistent currency volatility, fears of a diminishing UK tech labour pool, and the possibility of losing access to the European Single Market. On the other hand, the digital sector in the UK is performing much better than the EU average and a clean break between the continent and Britain on ICT is in no one’s interest.
Cybersecurity Talent Gap
The cybersecurity industry meanwhile remains rather unconcerned about the post-Brexit environment. According to a straw poll conducted by Tripwire of 278 information security professionals, 64 percent noted that the referendum will not change the UK’s ability to defend itself against cyberattacks.
Indeed, in comparison to the other 27 EU member states, the UK has been nurturing its cybersecurity industry for years, which led the European Network and Information Security Agency (ENISA) to note in 2010 that “the UK, along with a limited number of other Member States, is considered a leader in [the cybersecurity] area with developed practices that set benchmarks for others to adopt.” In fact, according to the latest annual report on the UK’s Cyber Security Strategy, London has invested £860 million since 2011, to tackle cybercrime, improve resilience, support open societies, and build the UK’s cyber security knowledge, skills, and capacity.
The UK is also proactively engaged in closing the cybersecurity talent gap, with the House of Lords Select Committee on Digital Skills having released its report ‘Make or Break: The UK’s Digital Future’ in February 2015. The report focusses on (1) maintaining a sufficient talent pool with the knowledge and abilities to keep the UK’s hard and soft infrastructure secure, (2) creating a world-leading further education system for digital skills, and (3) facilitating the right conditions for business involvement across the board. The government responded in July stating that it is “committed to delivering an ambitious programme of activity to ensure that the UK ‘makes’ its Digital Future.”
If measured by the number of Certified Information Systems Security Professional (CISSP), a widely considered must-have certificate for information security professionals, the UK already has the best cybersecurity workforce in Europe. Currently, the UK ranks a distant first among EU member states, with 5,559 CISSPs, compared to the EU27 combined 8,664. Indeed, the British exit might end up being more detrimental to the European Union rather than the other way around. A 2015 study, commissioned by Raytheon and the National Cyber Security Alliance (NCSA) on global career interests and educational preparedness of millennials (ages 18-26) highlights this assessment.
According to the survey, 70 percent of the 1,256 European respondents noted that “no teacher or guidance or career counselor ever mentioned the idea of a career in cybersecurity.” Equally disturbing was the result that the continent scored highest globally on “millennials who want more info about cyber careers” (42 percent), and millennials who stated that “no cybersecurity programs or activities were available to them” (54 percent). But while Europe is doing badly as a whole, the UK is one of its better performers, as seen from the chart below.
Source: Raytheon and NCSA
Stark national differences are also evident when it comes to the organization of national cybersecurity challenges offered to high-schoolers and students. Cybersecurity Challenge UK, which is sponsored among others by the NCA, GCHQ, and the UK Office of Cyber Security & Information Assurance, can look back at a history of six years, with its first challenge taking place in 2010. By contrast, the first Cyber Security Challenge Germany (CSCG) was organized in November 2014, and the first European Cyber Security Challenge (ECSC) took place in October 2015.
Overall, the European Union has a long way to go to close the existing cybersecurity talent gap, and the British exit will only help exacerbate the skills shortage on the continent. In the coming years, the European Commission has to find a way to standardize cyber education across the continent, possibly introduce an alternative to CISSP certification, and kick-start a digital agenda specifically aimed at boosting cybersecurity skills, awareness, and resources in Europe.
The European Council on Foreign Relations does not take collective positions. ECFR publications only represent the views of its individual authors.