When the UK decided to leave the European Union after 47 years of membership within the bloc, specialists knew the separation would impact everything from trading to intelligence sharing on the island.
Now that the transition period has ended, and the Brexit deal is in full effect, the Brits are slowly discovering its full impact.
Let’s see what this means in terms of information security and data protection.
An overview of the Brexit deal
On January 1st, 2021, the Brexit deal went into effect. Ambassadors from the 27 EU member states have unanimously approved the EU-UK post-Brexit trade deal.
Previously, between 2017 and 2019, the EU and the UK negotiated terms of the UK’s withdrawal from the EU. The talks resulted in a joint Political Declaration, alongside a Withdrawal Agreement, validated in February 2020.
The EU and the UK settled the general terms of their future relationship, including a legal consensus.
EU laws will no longer reign supreme in the UK after Brexit. The British parliament can decide which elements to keep or amend while still accepting some EU rules and regulations.
Regarding data protection, the UK has included the EU’s General Data Protection Regulation (GDPR) into its national law.
Still, based on recent disclosure, it seems the country has been testing a surveillance technology that stores the web browsing activity of any individual living in the country.
Information security after Brexit
Even after Brexit, the UK will still have close ties to the continent, and data transfer with the EU could be challenging.
First, the UK would have to comply with the European Court of Justice (ECJ) on disputes over data and privacy. Yet, the UK has its surveillance laws further to be determined if they respect the privacy rights of EU citizens.
The EU and the UK have also agreed to exchange best practices and actions to promote and protect an open, free, and secure cyberspace.
The EU and the UK can still:
- Exchange information on cyber-related tools and methods;
- Collaborate in security-related exercises and research and development;
- Join activities of the EU Cybersecurity Agency (ENISA).
Great Britain is a key partner in Europe when it comes to business, commerce, international relations, and fighting terrorism.
Obsolete encryption references included in the deal
Exchanging and protecting data and information is of the utmost importance. This process remains an essential tool of cooperation in addressing common security threats.
When it comes to encryption technology recommendations, the Brexit deal is off to a rocky start.
Security experts were baffled by the document that recommends using outdated encryption algorithms, making sensitive data, like a common EU-UK forensic DNA database, vulnerable to cyber-attacks.
Page 921 of the trade deal covering encryption technology is included in the chapter referring to DNA data. Precisely, the chapter speaks about DNA forensic procedures of Interpol.
This part of the document recommends using 1024-bit RSA encryption and the SHA-1 hashing algorithm – systems that are now vulnerable to cyber-attacks.
For instance, SHA-1 was the primary algorithm up until 2015.
The document also describes Netscape Communicator and Mozilla Mail as being “modern” services.
Netscape Communicator is mentioned in Brexit document … Almost feels like it is 40 years old …1K RSA and SHA-1 … one day we will build a digital world fit for the 21st Century … pic.twitter.com/1cg6uX3clw— Prof B Buchanan OBE (@billatnapier) December 26, 2020
Several experts stated that the page seems to be an unfortunate slip of copy-pasting chunks of text from old legislation.
A spokesman for the Home Office UK mentioned the UK uses “the latest technology to share this data, which is properly protected and in line with the guidance from the National Cyber Security Centre.”
A few days later, the EU has admitted including obsolete parts in the Brexit trade deal and copying and pasting sections from a 2008 EU Council decision on cross-border cooperation. The EU also conceded to have used an “obsolete technical annex.”
The European Commission defended its negotiators, declaring that creating a new parallel system would have been time-consuming and a waste of public resources. Members of the Commission added that cooperation takes place based on updated technologies, despite the obsolete security systems included in the document.
Limits on international information exchange
Some journalists and law experts argue that outdated technology may not be the most relevant aspect to scrutinize about the Brexit deal.
The mentioned annex includes the 2008 EU Prüm Convention treaty text, whose general terms and wording have never been updated.
In June 2020, the EU Council agreed they should change the agreement’s text to align with the latest protection safeguards. However, the update is not a fast process.
The Prüm Convention, also known as Schengen III Agreement, is a law enforcement treaty. It was signed in May 2005 by Austria, Belgium, France, Germany, Luxembourg, the Netherlands, and Spain in Prüm town, Germany. However, the treaty is open to all members of the European Union.
The Schengen Information System allows participating countries to share alerts on law enforcement in real-time. The UK will no longer have access to SIS. Based on the Trade and Cooperation Agreement, the government will get hold of this information through complementary tools, but only in individual cases and with certain restrictions.
Anticipating a secure post-Brexit world
The UK has been at the forefront of many EU security instruments and initiatives. One of IT security professionals’ main concerns is that cross-border intelligence sharing, among other things, will be challenging. Many believe there is currently no country in the EU that has what it takes to replace it.
Learn more about the Five Eyes, the surveillance alliance that counts the UK as a member.
As elements of information security and privacy are not 100% clear, the future of EU-UK relations seems an incomplete puzzle.
We can only hope the two parties will develop a strong and up-to-date post-Brexit security and defense vision.
Do you believe information security and intelligence cooperation between the EU and the UK will be affected?
Let me know in the comments below.