On Thursday afternoon, the UK government published its white paper, “The United Kingdom’s exit from and new partnership with the European Union.” The last-minute changes, following a spate of Cabinet resignations late in the day, resulted in the publication being delivered to the House of Commons as MPs were timetabled to debate it. This led to a rare suspension of proceedings while the copies of the white paper were distributed. This maintained the pretense that MPs had read it before the statement by Dominic Raab.

The Brexit white paper does finally give clarity to what the UK’s proposed future relationship with the EU is. While this is welcome, in my opinion the paper has several issues that I believe will lead to a failure to agree on the entirety of a future trading agreement and withdrawal agreement. This increases the chances of a no-deal outcome and disruption to cybersecurity cooperation and operational capabilities that CISOs gain benefit from today.

The following issues are prevalent within the paper:

  1. The customs proposal relies on technology and a complex customs collection facilitation mechanism. The proposal on a customs solution for the Irish border is complex. The solution relies on technology that does not yet exist or has been deployed in this way. The EU is likely to treat this proposal in the same way as other proposals. The maximum facilitation option previously rejected is also included here. It is seen as complex and increases the risk of “tariff arbitrage” between the UK and EU, which the EU will be wary of. This proposal fails to give certainty to the issue of the Irish border. I think this will be a key sticking point in the withdrawal agreement. There are also other issues such as ending of free movement. This feels to the EU as if the UK is cherry-picking. This breaks one of the EU’s key negotiating principles and is not likely to be well received.
  2. The security partnership proposal makes demands that the EU has indicated a coolness toward. As I argued in my recent report, cybersecurity is a transnational issue that does not respect any boundaries. Therefore, continued cooperation between the EU and UK is vital. While the white paper indeed argues for this, the EU has only offered participation based on existing third-country precedents. For example, the EU has already indicated that membership of the European Arrest Warrant is not on offer. The gap in the EU and UK’s negotiating positions is vast, meaning agreement is going to be challenging.
  3. The security partnership agreement is based on receiving a data adequacy decision by the end of transition. The security partnership is reliant on a data adequacy decision from the EU. A secure information exchange agreement is also required. While the latter is in progress, the adequacy decision is not yet being examined. Though the UK has implemented GDPR through its Data Protection Act 2018, this is still required. This takes a minimum of two years to gain, and there is no guarantee that it will be agreed upon in time. This could severely impact data transfers between the UK and EU if it does not come to pass.

The EU has not formally responded to the proposals that have been put forward by the UK. With time running out, security organizations should be beginning to plan based on a no-deal outcome. The Irish border issue and customs agreements are likely to be key areas that could disrupt negotiations. Even if the withdrawal agreement is concluded, the UK parliamentary arithmetic is looking tricky. There are potential rebellions in the planning by groups such as the European Research Group. This will potentially put parliamentary ratification in the UK at risk. CISOs should act as outlined in my report on preparing for Brexit by preparing themselves regardless of the negotiation outcome. This will prepare their security organization for any disruption to capabilities delivered to them by their governments.