Brexit is Jeopardizing the U.K.’s Cybersecurity—And Fueling the Rise of the “Splinternet”

July 22, 2019, 1:52 PM UTC

Those championing Britain’s departure from the European Union have long-insisted that breaking with Brussels won’t harm the U.K.’s national security.

After all, the Brexiteers insist, it is in both the U.K.’s and the EU’s interest to continue to share information and coordinate policy on vital national security threats like terrorism, cybersecurity and international crime.

Now, there are signs that these Brexiteers—such as Boris Johnson or Jeremy Hunt, one of whom is expected to be named as Britain’s next prime minister later this week—are in for a rude awakening. On Friday, the U.K.’s top diplomat in Brussels sent a letter to a top official in the EU’s executive branch protesting that Britain had been disinvited to a key June 25 on future cybersecurity standards, according to a report Friday in the Financial Times.

On the agenda for the meeting was a discussion of how the EU should protect its future 5G wireless networks. It’s a key topic in light of recent concerns raised by the U.S. and other Western governments over the potential security threat of using 5G equipment from Chinese technology company Huawei.

The exclusion of the Britain from the meeting happened even though the U.K. has not yet left the EU. Until October 31, the current Brexit date, an agreement between the Brussels and London is supposed to give Britain the right to continue to participate in all EU discussions, except those directly pertaining to Brexit itself, or in the case of “exceptional circumstances.” Tim Barrow, Britain’s top diplomat in Brussels, said in his letter that the EU had given no reason for disinviting Britain to the meeting, the FT reported.

It is a troubling sign that Britain’s close security cooperation with the EU will, indeed, be strained by Brexit—and, in fact, already has been—an alarm U.K. security officials have been trying to sound for months.

“Any form of Brexit makes our security more difficult to manage,” John Sawers, a former head of foreign intelligence service MI6, told Sky News in January. “The harder the Brexit, the greater the damage.”

Meanwhile, the National Police Chiefs’ Council has cautioned that fall-backs to current information-sharing agreements with European law enforcement agencies “will be slower, more bureaucratic and ultimately less effective.”

Weaker security coordination, particularly on cybersecurity, is bad news for British business, or indeed any international firm with offices in the U.K. It is also further evidence of the extent to which the Internet—once seen as a great global unifier—is “Balkanizing“, splintering into geographic regions with different rules and different standards on everything from data privacy to security to net neutrality and free speech.

There are a few good arguments for why Internet regulation should vary by region, such as varying definitions of what constitutes illegal hate speech between different countries. But there’s no denying this so-called “Splinternet” makes life harder for any business with an international web presence (i.e. almost every business). Complying with different rules for different customers and employees adds costs, complexity and increases risk.

“It’s a huge administrative nightmare,” says Ann LaFrance, a partner at the law firm Squire Patton Boggs who specializes in data privacy and cybersecurity issues. LaFrance says that some of her firm’s global clients have commissioned time-consuming and expensive 50-country data protection compliance reviews, to ensure they are abiding by current laws. But, she says, the reviews are complicated by legal definitions that vary by geography and an ever-shifting landscape of rules. Meanwhile, in the U.S., companies also face an increasingly chaotic web of state-level data privacy regulations, she says.

With Brexit, LaFrance also points out, it is not only cybersecurity coordination that is at risk. So too is whether the U.K.’s surveillance powers, which enable the bulk collection of certain Internet data, will be judged to violate E.U. data privacy laws. If they are, she says, the U.K. and the EU could be barred from transferring back-and-forth any personal data at all after Brexit.

In domains like cybersecurity, having different standards has the potential to make everyone less secure, as hackers are adept at exploiting such variations to pry open networks. A 2018 report from technology research firm Forrester warned corporate information security executives that Brexit would make the sharing of real-time intelligence about cyberthreats more difficult and impede a coordinated response to sophisticated trans-national cybercriminal networks.

That’s why the EU’s exclusion of Britain from meetings on things like 5G security standards may ultimately be self-defeating. The Brexiteers are right that close coordination and cooperation is in both the EU’s and the U.K.’s interests—what they get wrong is the belief that politics and bureaucracy won’t get in the way.