Covid-19 has triggered a spike in cybersecurity threats, as criminals exploit the public’s anxieties and state actors try to get their hands on strategic information. But the ability of the UK’s police forces to fight cybercrime has been hampered by Brexit – for the time being, at least.
Article Eight of the Brexit Agreement stipulates that the UK “shall cease to be entitled to access any network, any information system and any database established on the basis of Union law”.
This means that, as of 1 January 2020, the UK police are no longer a part of the EU law enforcement coordination agency Europol. Nor will they be able to use the European Arrest Warrant, which can be issued in any member state and is valid throughout the bloc.
Both of these will make catching and prosecuting criminals more difficult. “Policing has known all along that whatever emerged in the final deal was always going to be inferior to the pre-Brexit arrangements,” said Lord Willy Bach, police and crime commissioner for Leicestershire, when the agreement was announced. “Fighting crime in Britain will be made more difficult by losing the European Arrest Warrant… The alternatives are slower, more complicated, and less reliable.”
But they will be especially harmful to the fight against cybercrime, which is international by nature. “You don’t have to literally cross borders for someone in one country to commit a criminal offence against another via the Internet,” says Rick Muir, director at the UK’s policing think tank The Police Foundation. “This sort of crime has become more cross-border, more complex.”
“Ideally what you want is more international co-operation around law enforcement rather than less,” he adds. “And what we’re going to have is inevitably less”.
Investigating cybercrime typically requires data collected from multiple jurisdictions. For UK law enforcement, this was greatly aided by Europol membership, says Chris Morgan, a senior cyber intelligence analyst at security company Digital Shadows.
“We did have a lot of cross-working with Europe in this particularly difficult area,” he explains. “With the deal at present, the speed in which the UK gets important data, and the influence that it has on the organisations that it was a member of, has drastically reduced.”
While the UK will still be able to participate in international investigations, leaving Europol means it will be no longer have a leadership role, says Muir. “The UK has been the lead instigator in many of these investigations, so the ability to work has been reduced,” he explains. “We’ll still be able to be part of joint investigations, but we will be in more of a backseat role.”
Outside the EU, the UK will no longer be able to issue European Investigation Orders, which are legally binding requests for local authorities to gather evidence by a specific deadline. Instead, UK police will need to issue a Letter Rogatory, a diplomatic request for assistance, but these typically take international authorities longer to execute.
The loss of the European Arrest Warrant (EAW) could be equally damaging. It allows a suspect of a crime committed in the UK to be arrested and charged in any EU member state. “Almost whatever form of Brexit we had, it looked pretty inconceivable that we could retain the EAW, as it is codified in law in different European states,” explains Muir.
For the time being, he says, UK police will need to rely on the European Convention on Extradition, which was drawn up in 1957. This means that during the process of tracking cybercriminals throughout Europe, if the UK police pinpoint them via cryptocurrency tracking and tracing their digital trails, they will not be able to arrest them and bring them to trial as quickly or as easily, allowing time for the suspect to escape.
Brexit and cybercrime: What happens now?
The UK has not been entirely excluded from the EU’s crime-fighting measures. The EU’s Security of Networks & Information Systems (NIS) Directive, which imposes obligations on digital services providers to protect the security of their customers’ data, was enacted in UK law and so will remain in place post-Brexit.
“The UK will continue to participate in the NIS directive post-Brexit,” explains Morgan. “From this perspective, there will be far more consistency in tackling cyber threats across the continent.”
And it may not be long before new co-operation measures are devised and implemented. “It’s likely that the UK will be able to generate most, if not all, of the old arrangements in due course,” says Morgan.
He believes that the mutual interest in tackling cybercrime will ultimately overcome political divisions. “Keeping people safe on both sides of the channel is the main goal here,” he says. “It’s not a case of trying to win some political argument.”
But until then, and in the face of intensifying cyber threats, Brexit has made the difficult task of fighting cybercrime even harder.