Before the Internet, when surveillance consisted largely of government-on-government espionage, agencies like the NSA would target specific communications circuits: that Soviet undersea cable between Petropavlovsk and Vladivostok, a military communications satellite, a microwave network. This was for the most part passive, requiring large antenna farms in nearby countries.
Modern targeted surveillance is likely to involve actively breaking into an adversary’s computer network and installing malicious software designed to take over that network and “exfiltrate” data—that’s NSA talk for stealing it. To put it more plainly, the easiest way for someone to eavesdrop on your communications isn’t to intercept them in transit anymore; it’s to hack your computer.
And there’s a lot of government hacking going on.
In 2011, an Iranian hacker broke into the Dutch certificate authority DigiNotar. This enabled him to impersonate organizations like Google, the CIA, MI6, Mossad, Microsoft, Yahoo, Skype, Facebook, Twitter, and Microsoft’s Windows Update service. That, in turn, allowed him to spy on users of these services. He passed this ability on to others—almost certainly in the Iranian government—who in turn used it for mass surveillance on Iranians and probably foreigners as well. Fox-IT estimated that 300,000 Iranian Gmail accounts were accessed.
In 2009, Canadian security researchers discovered a piece of malware called GhostNet on the Dalai Lama’s computers. It was a sophisticated surveillance network, controlled by a computer in China. Further research found it installed on computers of political, economic, and media organizations in 103 countries—basically a who’s who of Chinese espionage targets. Flame is a surveillance tool that researchers detected on Iranian networks in 2012; these experts believe the United States and Israel put it there and elsewhere. Red October, which hacked and spied on computers worldwide for five years before it was discovered in 2013, is believed to be a Russian surveillance system. So is Turla, which targeted Western government computers and was ferreted out in 2014. The Mask, also discovered in 2014, is believed to be Spanish. Iranian hackers have specifically targeted U.S. officials. There are many more known surveillance tools like these, and presumably others still undiscovered.
To be fair, we don’t have proof that these countries were behind these surveillance networks, nor that they were government-sponsored. Governments almost never admit to hacking each other’s computers. Researchers generally infer the country of origin from the target list. For example, The Mask target list included almost all Spanish-speaking countries, and a bunch of computers in Morocco and Gibraltar. That sounds like Spain.
In the United States, the group charged with hacking computers is the Tailored Access Operations group (TAO) inside the NSA. We know that TAO infiltrates computers remotely, using programs with cool code names like QUANTUMINSERT and FOXACID. We know that TAO has developed specialized software to hack into everything from computers to routers to smartphones, and that its staff installs hardware “implants” into computer and networking equipment by intercepting and infecting it in transit. One estimate is that the group has successfully hacked into, and is exfiltrating information from, 80,000 computers worldwide.
Of course, most of what we know about TAO and America’s hacking efforts comes from top-secret NSA documents provided by Edward Snowden. There haven’t been similar leaks from other countries, so we know much less about their capabilities.
We do know a lot about China. China has been reliably identified as the origin of many high-profile attacks—against Google, against the Canadian government, against The New York Times, against the security company RSA and other U.S. corporations, and against the U.S. military and its contractors. In 2013, researchers found presumed Chinese government malware targeting Tibetan activists’ Android phones. In 2014, Chinese hackers breached a database of the U.S. Office of Personnel Management that stored detailed data on up to 5 million U.S. government employees and contractors with security clearances.
A lot of this is political and military espionage, but some of it is commercial espionage. Many countries have a long history of spying on foreign corporations for their own military and commercial advantage. The U.S. claims that it does not engage in commercial espionage, meaning that it does not hack foreign corporate networks and pass that information on to U.S. competitors for commercial advantage. But it does engage in economic espionage, by hacking into foreign corporate networks and using that information in government trade negotiations that directly benefit U.S. corporate interests. Recent examples are the Brazilian oil company Petrobras and the European SWIFT international bank-payment system. In fact, according to a 1996 government report, the NSA claimed that the economic benefits of one of its programs to U.S. industry “totaled tens of billions of dollars over the last several years.” You may or may not see a substantive difference between the two types of espionage. China, without so clean a separation between its government and its industries, does not.
Many countries buy software from private companies to facilitate their hacking. Consider an Italian cyberweapons manufacturer called Hacking Team that sells hacking systems to governments worldwide for use against computer and smartphone operating systems. The mobile malware installs itself remotely and collects e-mails, text messages, call history, address books, search-history data, and keystrokes. It can take screenshots, record audio to monitor either calls or ambient noise, snap photos, and monitor the phone’s GPS coordinates. It then surreptitiously sends all of that back to its handlers. Ethiopia used this software to sneak onto the computers of European and American journalists.
* * *
When American officials first started getting reports of the Chinese breaking into U.S. computer networks for espionage purposes, they described it in very strong language. They labeled the Chinese actions “cyberattacks,” sometimes invoking the word “cyberwar.” After Snowden revealed that the NSA had been doing exactly the same thing as the Chinese to computer networks around the world, the U.S. used much more moderate language to describe its own actions—terms like “espionage,” or “intelligence-gathering,” or “spying”—and stressed that these were peacetime activities.
When the Chinese company Huawei tried to sell networking equipment to the United States, many feared that the Chinese government had installed backdoors into the switches that would allow Beijing to eavesdrop, and considered the move a “national-security threat.” But, as Snowden's disclosures eventually revealed, the NSA has been doing exactly the same thing, both to Huawei’s equipment and to American-made equipment sold in China.
The problem is that—as they occur and from the point of view of the victim—international espionage and attack look pretty much alike. Modern cyberespionage is a form of cyberattack, and both involve breaking into the network of another country. The only difference between them is whether they deliberately disrupt network operations or not. That’s a huge difference, of course, but the time lag between breaking into a network and disrupting operations might be months or even years. Because breaking into a foreign network affects the territory of another country, it is almost certainly illegal under that country’s laws. Even so, countries are doing it constantly to one another.
In 2012, for example, the NSA repeatedly penetrated Syria’s Internet infrastructure. Its intent was to remotely install eavesdropping code in one of the country’s core routers, but it accidentally caused a nationwide Internet blackout. Exfiltrating data and taking out a country’s Internet involve exactly the same operations.
Governments, meanwhile, are getting into cyberwar big time. About 30 countries have cyberwar divisions in their military: the United States, Russia, China, the major European countries, Israel, India, Brazil, Australia, New Zealand, and a handful of African countries. In the United States, this effort is led by U.S. Cyber Command inside the Department of Defense. Admiral Michael S. Rogers is in charge of both this organization and the NSA. That’s how close the missions are.
Few examples have surfaced of cyberattacks that cause actual damage, either to people or to property. In 2007, Estonia was the victim of a broad series of cyberattacks—an incident that is often called the first cyberwar because it coincided with increased tensions with neighboring Russia. The ex-Soviet republic of Georgia was also the victim of cyberattacks, ones that preceded a land invasion by Russian troops a year later. In 2009, South Korea was the victim of a cyberattack. All of these were denial-of-service attacks, during which selected Internet sites are flooded with traffic and stop working temporarily. They’re disruptive, but not very damaging in the long run.
In all of these cases, we don’t know for sure who the perpetrator was, or even whether it was a government. In 2009, a pro-Kremlin youth group took credit for the 2007 Estonian attacks, although the only person convicted of them was a 22-year-old Russian living in Tallinn. That sort of identifiability is rare. Like the espionage attacks discussed earlier, cyberattacks are hard to trace. We’re left to infer the attacker by the list of victims. Ethnic tensions with Russia—of course Russia is to blame. South Korea gets attacked—who else but North Korea would be motivated?
Stuxnet is the first military-grade cyberweapon known to be deployed by one country against another. It was launched in 2009 by the United States and Israel against the Natanz nuclear facility in Iran, and succeeded in causing significant physical damage. A 2012 attack against Saudi Aramco that damaged some 30,000 of the national oil company’s computers is believed to have been retaliation by Iran.
* * *
There’s an interesting monopolistic effect that occurs with surveillance. Espionage basically follows geopolitical lines; a country gets together with its allies to jointly spy on its adversaries. That’s how we did it during the Cold War. It’s politics.
Mass surveillance is different. If you’re truly worried about attacks coming from anyone anywhere, you need to spy on everyone everywhere. And since no one country can do that alone, it makes sense to share data with other countries.
But whom do you share information with? You could share with your traditional military allies, but they might not be spying on the countries you’re most worried about. Or they might not be spying on enough of the planet to make sharing worthwhile. It makes the best sense to join the most extensive spying network around. And that’s the United States.
This is what’s happening right now. U.S. intelligence agencies partner with many countries as part of an extremely close relationship of wealthy, English-speaking nations called the Five Eyes: the U.S., U.K., Canada, Australia, and New Zealand. Other partnerships include the Nine Eyes, which adds Denmark, France, the Netherlands, and Norway; and the Fourteen Eyes, which adds Germany, Belgium, Italy, Spain, and Sweden. And the United States partners with countries that have traditionally been much more standoffish, like India, and even with brutally repressive regimes like Saudi Arabia’s.
All of this gives the NSA access to almost everything. In testimony to the European Parliament in 2014, Snowden said, “The result is a European bazaar, where an EU member state like Denmark may give the NSA access to a tapping center on the (unenforceable) condition that NSA doesn’t search it for Danes, and Germany may give the NSA access to another on the condition that it doesn’t search for Germans. Yet the two tapping sites may be two points on the same cable, so the NSA simply captures the communications of the German citizens as they transit Denmark, and the Danish citizens as they transit Germany, all the while considering it entirely in accordance with their agreements.”
In 2014, we learned that the NSA spies on the Turkish government, and at the same time partners with the Turkish government to spy on the Kurdish separatists within Turkey. We also learned that the NSA spies on the government of one of its much closer surveillance partners: Germany. Presumably the United States spies on all of its partners, with the possible exception of the other Five Eyes countries. Even when the NSA touts its counterterrorism successes, most of them are foreign threats against foreign countries and have nothing to do with the United States.
It should come as no surprise that the U.S. shares intelligence data with Israel. Normally, identities of Americans are removed before this data is shared with another country to protect our privacy, but Israel seems to be an exception. The NSA gives Israel’s secretive Unit 8200 “raw SIGINT”—that’s signals intelligence.
Even historical enemies are sharing intelligence with the United States, if only on a limited basis. After 9/11, Russia rebranded the Chechen separatists as terrorists, and persuaded the United States to help by sharing information. In 2011, Russia warned the United States about Boston Marathon bomber Tamerlan Tsarnaev. The United States returned the favor, watching out for threats at the Sochi Olympics.
These partnerships make no sense when the primary goal of intelligence is government vs. government espionage, but are obvious and appropriate when the primary goal is global surveillance of the population. So while the German government expresses outrage at the NSA’s surveillance of the country’s leaders, its BND continues to partner with the NSA to surveil everyone else.
The endgame of this isn’t pretty: It’s a global surveillance network where all countries collude to surveil everyone on the entire planet. It’ll probably not happen for a while—there will be holdout countries like Russia that will insist on doing it themselves, and rigid ideological differences will never let countries like Iran cooperate fully with either Russia or the United States—but most smaller countries will be motivated to join. From a very narrow perspective, it’s the rational thing to do.
This post has been adapted from Bruce Schneier's new book Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.