Security Products – Kit
Brexit could push Britain’s access to vital intelligence systems off a cliff-edge if the Government does not act urgently to ensure continued security cooperation with the EU, a new report has warned.
European Arrest Warrants (EAW) have been used to arrest criminals including drug traffickers, murderers, rapists, terrorists, paedophiles and some of Britain’s most wanted fugitives. The UK also uses its membership of Europol and the European Criminal Records Information Exchange System (ECRIS), and its access to the Schengen Information System (SIS) and the Prüm Convention on DNA data, to catch wanted people abroad and identify EU suspects inside Britain. The Government has repeatedly claimed security cooperation and intelligence sharing will continue after Brexit but its proposals have not yet been formally discussed.
Academics at King’s College London have now warned that the political will for continued partnership is not enough to surmount serious practical and legal barriers. A report by its independent UK in a Changing Europe research division said that unless the Government acts quickly to secure a deal with the EU, there could be serious disruption to security cooperation.
“There is much at stake here,” it continued. “Thus far, however, neither side has engaged strongly with the detail in public, nor demonstrated much awareness of the trade-offs that might be required in order to achieve their aims.”
David Davis and Michel Barnier have not yet started discussions on the issue, which are due to take place in the delayed second phase of the floundering talks. Anand Menon, director of the research unit, said good intentions were not enough when negotiations are likely to involve constitutional issues and disagreements over jurisdiction.
“Brexit has been an immigration issue and there’s actually far more to this,” he told The Independent.
“The question is whether control means being able to close your borders, or being in a position to know as much as possible about who is coming in through them. And the latter is based on collaboration.”
Prof Menon said it could take more time than is left before the Brexit deadline in March 2019 to build a new legal framework allowing intelligence sharing to continue on current levels, leaving the prospect of a Brexit cliff-edge in security.
“We’re not saying it’s impossible but we need to start taking this seriously, quickly, because otherwise membership will come to an end with no obvious way to stay in these systems,” he added.
“The Home Office has talked about a treaty but what we’re interested in is not broad structures but detailed proposals.” Prof Menon said he hoped the lack of detail was a deliberate move made necessary by security protocol or negotiation tactics, but that he had not yet heard from anyone that concrete proposals are there. Theresa May herself warned of the security threat posed by leaving the EU during the referendum campaign, but claimed any risk will be mitigated by new agreements since becoming Prime Minister.
Her predecessor, David Cameron, asked whether peace and stability in Europe was a risk worth taking while arguing for Britain to remain in the EU. But security faded from the official campaign’s radar after failing to attract interest in focus groups, the report said, despite the rising terror threat and Isis’s deadly attacks across Europe. A backlash against Mr Cameron’s speech and criticism of Project Fear are believed to have prevented a detailed Home Office paper on the potential impact of Brexit before the referendum being released, despite it containing evidence that the UK would be less protected from terrorism and crime.
Researchers concluded that although the EU will not want to lose access to British intelligence, the European Commission would have to approve transfers and could demand adequacy on data protection. The European Court of Justice, which the Prime Minister has vowed to leave, has already ruled mass data collection under the Investigatory Powers Act illegal and the efforts could prove a stumbling block in negotiations. Researchers cautioned that although several non-EU countries have signed agreements with Europol, they do not guarantee access to operational projects.
“The UK may be able to achieve an unprecedented future relationship, based on its strong role within the agency, but the Danish government may object to a deal that goes further than its own,” the report concluded.
“This would mean the UK cannot retain direct access to Europol databases, nor a participating place on the management board.”
There is also precedent for access by countries outside the EU to the EAW system, but Norway and Iceland’s deals took years to negotiate and a similar agreement would probably mean that some EU countries won’t be able to surrender their own nationals to the UK, the report said. Europol itself has warned that Brexit could worsen crime in the UK and damage security across Europe. Brian Donald, its chief of staff, said last month that although the Government has drawn up proposals to remain a part of the organisation, an adverse impact should be expected.
“Almost certainly the arrangements governing the UK’s police cooperation with EU partners will not be as deep and effective as they are today,” Mr Donald warned.
“Reasonable assumptions point to a worse situation than now in the UK.”
This week, the Commons Home Affairs Committee sounded a fresh warning over potential chaos at British borders if customs arrangements are not shored up. Yvette Cooper, the Labour MP who chairs the group, said: “As things stand, the Government is running the risk of celebrating their first day of Brexit with the sight of queues of lorries stretching for miles in Kent and gridlock on the roads of Northern Ireland, which would be incredibly damaging to the UK economy and completely unacceptable to the country.” The committee described Home Office plans to boost Border Force staff by 300 members as completely unconvincing.
A separate assessment published on Tuesday warned that failure to complete the introduction of a new customs system by the Brexit date would be catastrophic. The Government has proposed a new security treaty between the UK and EU to ensure a comprehensive new security, law enforcement and criminal justice partnership after Brexit. A policy paper published days after the attempted bombing of a London Underground train in September said the treaty would be underpinned by our shared principles and should make sure our partnership has the agility to respond to the ever-changing threats we face.
A Home Office spokesperson said: “As we prepare to leave the EU it is vital that we agree a new way to ensure continued security, law enforcement and criminal justice cooperation.
“We recently outlined our proposal to seek a new treaty with the EU which will underpin our future partnership, building on the already deep level of collaboration we have on security, policing and criminal justice.
“Both the UK and EU have made clear our shared commitment to continued cooperation to keep Europe safe and this Government will do everything it can to keep the country secure.”
Brexit threatens Britain’s security unless it wakes up to the fact it must make concrete demands in the negotiations and stop assuming good intentions will suffice, experts have warned. Though both Britain and the EU have emphasised they want to continue cooperating closely, a report by The UK in a Changing Europe warns that the matter is so fiendishly difficult that a new cliff edge on the issue looms unless Britain is clear about what it wants.
“There is a danger that, unless the British Government acts quickly to define more clearly what it wants and how it might achieve it, another Brexit cliff edge – in security – might be on the horizon,” Professor Anand Menon, King’s College London academic and director of the Brexit-focused research body, said.
Britain has been accused of using security, one of its stronger suits in the negotiations, as a bargaining chip to ensure it gets a better economic deal. Menon added: “This is fiendishly complex. When negotiations are likely to involve constitutional issues, disagreements over the role of the ECJ and trade-offs from both sides, good intentions are not enough.
“Despite a shared desire to cooperate closely in future, nothing can be taken for granted.”
The UK in a Changing Europe report, published on Friday, argues British negotiators have failed to lay out specific enough demands on issues such as the European Arrest Warrant (EAW), participation in Europol and intelligence sharing between police forces and could lose out amid trade-offs. It warns that any deal on the EAW would likely take years to negotiate and, while nations like Iceland and Norway have negotiated their own deals, the end result for Britain would likely be some EU countries wouldn’t surrender their nationals to the UK. Britain is an active participant in Europol but it may lose any operational role in the agency, unless it can negotiate a new relationship that is unprecedented, the report said.
The Government has sought to emphasise the importance of security but also to deny it was trying to blackmail the EU by emphasising this in public. Theresa May was accused of making a blatant threat when she said security could be weakened if Britain left the EU without a deal in her Article 50 letter in March.
“I think the security of our citizens is far too important to start a trade-off of one and the other. Both are absolutely necessary in the future partnership without bargaining this one against the other,” European Parliament’s Brexit co-ordinator Guy Verhofstadt said in response. In September, the Government issued its position paper, noting the UK has a historic deep belief in the same values that Europe stands for (peace, democracy, freedom and the rule of law) and making no reference to any threat of withdrawing co-operation.
Then-Defence Secretary Michael Fallon told the BBC: “This isn’t blackmail, this isn’t a negotiating strategy. What we are doing, and everybody has asked for this, is to set out how we see the new partnership the day after Brexit.
“We want to fight terrorism together. It’s vital.
“We are not making threats.”
Sponsored: One of the greatest barriers to broader cloud adoption is security.
However much the big cloud providers insist that their global networks of bit barns are more secure and tightly operated than those of their enterprise customers, it is those same customers who are ultimately liable for protecting the data under their control. For highly regulated industries like healthcare or financial services, the penalties for a data breach make it simply too risky to process sensitive data anywhere outside their own systems. This means that they are missing out on the advantages of cloud services, such as greater operational flexibility and the potential to save on some of the capital expenditure costs of on-premise IT systems. Public cloud in particular presents a number of challenges for keeping data secure, largely because an organisation is effectively choosing to run workloads on infrastructure that it does not own or control. While an organisation can take steps to lock down its own systems and deploy tools to detect or prevent intrusion, there are limits on what a customer can do to the cloud provider’s infrastructure.
Encryption of sensitive data is now routine both in the cloud and on-premise, but this largely protects data only when it is at rest, stored on disk. In order to be processed, it still has to be in the clear while in memory so that any required operation can be performed on it, whereupon it is vulnerable to being accessed by an attacker that may have compromised the system. In any case, industry experts have long realised that software-only solutions simply will not cut the mustard, since they can ultimately be compromised or bypassed in some way. Instead, security needs to be rooted in hardware capabilities that cannot be altered or disabled by malicious code.
There have already been attempts at building security into silicon. Intel platforms have had Trusted Execution Technology (TXT) for some time, while chips based on the ARM architecture have had TrustZone technology for over a decade. Oracle also added Silicon Secured Memory (SSM) into its SPARC processors when the M7 was introduced. The main purpose of Intel TXT was and is to ensure a secure startup, verifying that low-level code such as an operating system kernel or hypervisor has not been compromised. But this is not a complete solution as it does not prevent malware or an attacker from compromising the system once it is up and running.
Oracle’s SSM is part of the software-in-silicon capabilities built into newer SPARC chips, and is designed to guard access to blocks of memory by associating them with a version number. Code accessing the memory block must present the same version number, offering some protection against buffer overruns. But this might not prove much protection against a determined attacker that may have compromised the system, as explained by The Register at the time. What is required is some mechanism that can prevent access to data while it is being processed, even if an attacker has managed to penetrate the system. This is no trivial task, since a compromise of the software stack at the operating system or hypervisor level would enable an attacker to simply pluck data out of an application’s memory space.
Perhaps the most ambitious move to address this problem is Intel’s Software Guard Extensions (SGX), one of the new capabilities introduced to the Xeon server platform with the latest chips based on the Skylake architecture. SGX is designed to allow the creation of isolated and protected memory blocks within the server’s memory space, inside which code can be placed in order to safely process sensitive data. These memory blocks are known as Trusted Execution Environments (TEEs) or alternatively as enclaves. To enable this, SGX provides a new privileged execution mode and several new instructions.
These are used at runtime to create an enclave and deploy the trusted code into it, before locking it down. Once created, the enclave memory region cannot be accessed by any other code, and functions inside the enclave can only be accessed via carefully controlled entry points. In principle, SGX is somewhat similar to ARM’s TrustZone, but the latter simply divides the entire system into secure and non-secure environments, with hardware-enforced separation between the two. SGX, in contrast, enables multiple applications to each have their own enclave for any portion of their code that deals with sensitive data. The upshot of this is that applications running on an SGX-enabled system are split into trusted and untrusted code, with the trusted code deployed in the enclave kept as small as possible in order to reduce the possibility of security vulnerabilities being introduced.
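An added example, not part of the original article and not Intel's code: before relying on enclaves, an operator can check whether a host actually exposes SGX by decoding the CPUID leaves Intel documents for it (leaf 07H for the feature bit, leaf 12H for the SGX1/SGX2 bits and the size of the protected Enclave Page Cache that backs enclave memory). The struct and function names are illustrative assumptions.

```c
/* Added example: decode the CPUID leaves that advertise Intel SGX. */
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

struct regs { uint32_t eax, ebx, ecx, edx; };

/* CPUID.(EAX=07H,ECX=0):EBX bit 2: the CPU implements SGX. */
int sgx_in_leaf7(struct regs r) { return (r.ebx >> 2) & 1; }

/* CPUID.(EAX=12H,ECX=0):EAX bit 0 = SGX1 leaf functions, bit 1 = SGX2. */
int sgx_version(struct regs r) {
    if (r.eax & 2u) return 2;
    return (r.eax & 1u) ? 1 : 0;
}

/* CPUID.(EAX=12H,ECX>=2): one Enclave Page Cache (EPC) section per
   sub-leaf. EAX[3:0] == 1 marks a valid section; its size is
   ECX[31:12] (bits 31:12) plus EDX[19:0] (bits 51:32). 0 = invalid. */
uint64_t epc_section_bytes(struct regs r) {
    if ((r.eax & 0xFu) != 1u) return 0;
    return (uint64_t)(r.ecx & 0xFFFFF000u) |
           ((uint64_t)(r.edx & 0x000FFFFFu) << 32);
}

/* Sum EPC sections from consecutive sub-leaves (2, 3, ...), stopping
   at the first invalid one, which ends the enumeration. */
uint64_t epc_total_bytes(const struct regs *leaves, int n) {
    uint64_t total = 0;
    for (int i = 0; i < n; i++) {
        uint64_t sz = epc_section_bytes(leaves[i]);
        if (sz == 0) break;
        total += sz;
    }
    return total;
}

int main(void) {
#if defined(__x86_64__) || defined(__i386__)
    struct regs l7 = {0}, l12 = {0}, sub[8] = {{0}};
    __get_cpuid_count(7, 0, &l7.eax, &l7.ebx, &l7.ecx, &l7.edx);
    if (!sgx_in_leaf7(l7)) { puts("SGX not reported by this CPU"); return 0; }
    __get_cpuid_count(0x12, 0, &l12.eax, &l12.ebx, &l12.ecx, &l12.edx);
    for (unsigned i = 0; i < 8; i++)
        __get_cpuid_count(0x12, 2 + i, &sub[i].eax, &sub[i].ebx,
                          &sub[i].ecx, &sub[i].edx);
    printf("SGX%d, EPC %llu MiB\n", sgx_version(l12),
           (unsigned long long)(epc_total_bytes(sub, 8) >> 20));
#endif
    return 0;
}
```

A CPU that sets the leaf 07H bit but reports version 0 or an EPC of 0 bytes typically has SGX switched off in firmware, so no enclave can be created on it.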
But the chief way in which SGX differs from previous silicon-based security schemes is that the processor itself is the only hardware component that needs to be trusted. It does not require a Trusted Platform Module (TPM) as the root of trust or for attestation of code, for example, as TXT does. Theoretically, this means that SGX enclaves should be secure from prying even if the operating system, hypervisor, firmware, and even Intel’s Management Engine have all been compromised by an attacker. This is a level of security that was not practical to achieve before chips with SGX became available. The first major outing for this technology is going to come from Microsoft.
In September, the firm announced its Azure cloud platform will be the first to support enclaves secured by Intel’s SGX, using servers based on the latest Skylake Xeon processors. How this will ultimately be made available to customers has yet to be fully detailed by Redmond, but the firm said it intends to implement encryption-in-use for its Azure SQL Database service and SQL Server. Azure CTO Mark Russinovich also gave a demonstration of what this might look like at the firm’s Ignite conference in September. The demo revolved around a sample HR application running queries against a cloud database with two columns – social security number and salary – where the stored value was protected using the Always Encrypted feature. A stored procedure was deployed into an enclave and then passed the encryption key over a secure channel so that it was able to process queries that reference the encrypted columns.
To date, Intel’s SGX has had only limited traction, but Microsoft’s Azure cloud is widely used by large enterprise firms, and seems likely to drive interest in this method for keeping data secure while it is being processed. If it proves a hit, we can expect to see it implemented in more platforms, both in the cloud and on-premise; there is certainly scope for a technology that can keep data secure, even if malware has compromised the server your application is running on. No single security technology can ever be totally bulletproof.
However, such attacks can be mitigated if the rest of the platform is carefully designed, and SGX means that Intel’s latest Xeon chips offer the best foundation currently available for a platform capable of keeping the most sensitive data secure.
Sponsored by Intel