Governance & Risk Management

UK Stands Up GCHQ National Cyber Security Center in London

But Brexit May Down Europol and Intelligence-Sharing Efforts
UK Stands Up GCHQ National Cyber Security Center in London
Ciaran Martin, chief executive of the National Cyber Security Center (©GCHQ)

The U.K. government on Oct. 3 launched a new National Cyber Security Center to help British organizations better defend against cyberattacks and respond to security incidents.

See Also: The Cost of Underpreparedness to Your Business

The new center is part of GCHQ, Britain's signals intelligence and cybersecurity agency that's comparable to the U.S. National Security Agency. It's being led by Ciaran Martin, a career civil servant who previously helped GCHQ connect with private industry via his position as director general for government and industry cybersecurity.

"Our role is helping to make the U.K. the safest place to live and do business online. So we're going to tackle the major threats from hostile states and criminal gangs," Martin says in a statement. "But we're also going to work tirelessly to automatically protect people from those smaller scale and deeply damaging attacks that cause so much disruption and frustration. We'll also continue our work helping people and businesses understand better what they need to do to protect themselves."

NCSC brings together CESG - the information security arm of GCHQ - as well as the Center for Cyber Assessment, Britain's computer emergency response team CERT-UK and the cyber-related responsibilities of the country's Center for the Protection of National Infrastructure.

In a speech delivered at a September cybersecurity summit in Washington, Martin noted that the National Cyber Security Center will include security experts drawn from the domestic security service - MI5 - as well as CERT-UK and GCHQ. "We'll have formalized and integrated operational partnerships with law enforcement, defense and private industry," he said.

Even so, "being part of the intelligence community poses challenges" for the new center, because it needs to focus not on intelligence gathering, but incident response, he noted. To help, he said in his speech that the center will be reviewing the effectiveness of U.S. Presidential Policy Directive 41. Released in July, PPD-41 specifies how U.S. federal agencies will respond "to any cyber incident, whether involving government or private sector entities," and also creates a framework for federal agencies to respond to "significant cyber incidents."

Based in London

NCSC will be headquartered at London's new Nova building.

Plans for NCSC were announced in November 2015 by George Osborne, then the Tory government's chancellor of the exchequer. He said the center would comprise the nation's first "cyber force" tasked with handling major cyber incidents. The center was to be based in Cheltenham, where GCHQ is headquartered, according to the original announcement.

But now the government plans to locate NCSC in central London at the Nova building, the newspaper Evening Standard reports, adding that at least half of the center's staff will be based there.

Police Intelligence-Sharing Uncertainty

As Britain stands up NCSC to help U.K. organizations better battle online attacks, however, critical intelligence-sharing and policing efforts for combating cybercrime may be falling down.

The reason is simple: Brexit. In a June referendum on Britain's EU membership, a majority of voters opted for their country to exit the European Union.

While the British government continues to attempt to sort out what that means and when related moves will take place, current intelligence-sharing efforts in place via the EU's law enforcement intelligence agency Europol and its Electronic Cybercrime Center, or EC3, are at risk.

Those risks cut both ways. Britain has played a vital role in establishing and running Europol and EC3, and their respective leaders are British civil servant Rob Wainwright and Police Scotland veteran Steven Wilson.

One near-term deadline is the end of 2016, which is when the U.K. government must opt in again to Europol, or risk its domestic law enforcement organizations losing access to Europol's resources - including European arrest warrants, which allow any EU member state to issue EU-wide arrests warrants beginning in June 2017.

The Scottish government has urged the U.K. government to sign membership protocols that would ensure that the U.K. remains a Europol member, at least pending the close of the Article 50 Brexit negotiations, which currently look like they'll wrap up in April 2019.

"The ability to share information quickly and coordinate operations with other law enforcement agencies through Europol is key to detecting, disrupting and detaining criminals across borders," Scotland's Justice Secretary Michael Matheson says in a statement. "That is necessary to keep Scotland and the rest of the U.K. safer from the threats of organized crime, cybercrime and terrorism."

UK Government Has No Europol Plan, Yet

But a representative for the U.K.'s Home Office, which oversees the country's security and law and order arrangements, told the BBC that the government hasn't yet decided what to do, but will decide "in due course."

The representative adds that the government plans to push for continued intelligence sharing post-Brexit. "The prime minister has stated that law enforcement cooperation will continue when the U.K. is outside the EU," the representative said. "We will do what is necessary to keep our people safe. We are exploring options for cooperation arrangements with Europol once the U.K. has left the EU, but it is too early to speculate at this stage what future arrangements may look like."

One significant wrinkle, however, is that Europol is an EU agency; full access is reserved for EU members. By exiting the EU, Britain forfeits the right to belong to Europol and potentially to use such EU judicial instruments as EU arrest warrants.

Borderless Crime Challenges

One rallying cry of Britain's "Leave" campaigners was to "take back control of our borders." Given the borderless nature of so much crime today, however, Brexit may make it more difficult, from a law enforcement perspective, for Britain to battle cybercrime (see Police After Brexit: Keep Calm and Carry On).

Already, some EU officials have suggested that they plan to make an example of Britain to the other 27 EU member states, demonstrating what's at risk if they too chose to leave. As a result, Britain may find itself with far less access to EU agency resources. Accordingly, it may need the new NCSC more than ever.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.