Authors: Bruce Schneier
When the Chinese company Huawei tried to sell networking equipment to the US, we feared
that the government had backdoored the switches and considered it a “national security
threat.” But, as we eventually learned, the NSA has been doing exactly the same thing,
both to Huawei’s equipment and to American-made equipment sold in China.
The problem is that, as they occur and from the point of view of the victim, international
espionage and attack look pretty much alike. Modern cyberespionage is a form of cyberattack,
and both involve breaking into the network of another country. The only difference
between them is whether they deliberately disrupt network operations or not. Of course
that’s a huge difference, but it’s a difference that might be delayed months or even
years. Because breaking into a foreign network affects the territory of another country,
it is almost certainly illegal under that country’s laws. Even so, countries are doing
it constantly to one another.
Here’s an example. In 2012, the NSA repeatedly penetrated Syria’s Internet infrastructure.
Its intent was to remotely install eavesdropping code in one of the country’s core
routers, but it accidentally caused a nationwide Internet blackout. Exfiltrating data
and taking out a country’s Internet involve exactly the same operations.
Governments are getting into cyberwar big time. About 30 countries have cyberwar divisions
in their military: US, Russia, China, the major European countries, Israel, India,
Brazil, Australia, New Zealand, and a handful of African countries. In the US, this is led by US Cyber Command inside
the Department of Defense. Admiral Michael S. Rogers is in charge of both this organization
and the NSA. That’s how close the missions are.
Few examples have surfaced of cyberattacks that cause actual damage, either to people
or to property. In 2007, Estonia was the victim of a broad series of cyberattacks.
This is often called the first cyberwar, because it coincided with increased tensions
with neighboring Russia. The ex-Soviet republic of Georgia was also the victim of
cyberattacks, ones that preceded a land invasion by Russian troops a year later. In
2009, South Korea was the victim of a cyberattack. All of these were denial-of-service
attacks, during which selected Internet sites are flooded with traffic and stop working
temporarily. They’re disruptive, but not very damaging in the long run.
In all of these cases, we don’t know for sure who the perpetrator was, or even whether
it was a government. In 2009, a pro-Kremlin youth group took credit for the 2007 Estonian
attacks, although the only person convicted of them was a 22-year-old Russian living
in Tallinn. That sort of identifiability is rare. Like the espionage attacks discussed
earlier, cyberattacks are hard to trace. We’re left to infer the attacker by the list
of victims. Ethnic tensions with Russia: of course Russia is to blame. South Korea
gets attacked: who else but North Korea would be motivated?
Stuxnet is the first military-grade cyberweapon known to be deployed by one country
against another. It was launched in 2009 by the US and Israel against the Natanz nuclear
facility in Iran, and succeeded in causing significant physical damage. A 2012 attack
against Saudi Aramco that damaged some 30,000 of the national oil company’s computers
is believed to have been retaliation by Iran.
A SINGLE GLOBAL SURVEILLANCE NETWORK
There’s an interesting monopolistic effect that occurs with surveillance. Earlier
in this chapter, I made a distinction between government-on-government espionage and
government-on-population surveillance. Espionage basically follows geopolitical lines;
a country gets together with its allies to jointly spy on its adversaries. That’s
how we did it during the Cold War. It’s politics.
Mass surveillance is different. If you’re truly worried about attacks coming from
anyone anywhere, you need to spy on everyone everywhere. And since no one country
can do that alone, it makes sense to share data with other countries.
But whom do you share with? You could share with your traditional military allies,
but they might not be spying on the countries you’re most worried about. Or they might
not be spying on enough of the planet to make sharing worthwhile. It makes the best
sense to join the most extensive spying network around. And that’s the US.
This is what’s happening right now. US intelligence partners with many countries.
It is part of an extremely close relationship of wealthy, English-language-speaking
countries called the Five Eyes: US, UK, Canada, Australia, and New Zealand. Other
partnerships include the Nine Eyes, which adds Denmark, France, the Netherlands, and
Norway; and the Fourteen Eyes, which adds Germany, Belgium, Italy, Spain, and Sweden.
And the US partners with countries that have traditionally been much more standoffish,
like India, and even with brutally repressive regimes like Saudi Arabia’s.
All of this gives the NSA access to almost everything. In testimony to the European
Parliament in 2014, Snowden said, “The result is a European bazaar, where an EU member
state like Denmark may give the NSA access to a tapping center on the (unenforceable)
condition that NSA doesn’t search it for Danes, and Germany may give the NSA access
to another on the condition that it doesn’t search for Germans. Yet the two tapping
sites may be two points on the same cable, so the NSA simply captures the communications
of the German citizens as they transit Denmark, and the Danish citizens as they transit
Germany, all the while considering it entirely in accordance with their agreements.”
In 2014, we learned that the NSA spies on the Turkish government, and at the same
time partners with the Turkish government to spy on the Kurdish separatists within
Turkey. We also learned that the NSA spies on the government of one of its much closer
surveillance partners: Germany. Presumably we spy on all of our partners, with the
possible exception of the other Five Eyes countries. Even when the NSA touts its counterterrorism
successes, most of them are foreign threats against foreign countries, and have nothing
to do with the US.
It should come as no surprise that the US shares intelligence data with Israel. Normally,
identities of Americans are removed before this data is shared with another country
to protect our privacy, but Israel seems to be an exception. The NSA gives Israel’s
secretive Unit 8200 “raw SIGINT”—that’s signals intelligence.
Even historical enemies are sharing intelligence with the US, if only on a limited
basis. After 9/11, Russia rebranded the Chechen separatists as terrorists, and persuaded
the US to help by sharing information. In 2011, Russia warned the US about Boston
Marathon bomber Tamerlan Tsarnaev. We returned the favor, watching out for threats
at the Sochi Olympics.
These partnerships make no sense when the primary goal of intelligence is government
vs. government espionage, but are obvious and appropriate when the primary goal is
global surveillance of the population. So while the German government expresses outrage
at NSA’s surveillance of the country’s leaders, its BND continues to partner with
the NSA to surveil everyone else.
The endgame of this isn’t pretty: it’s a global surveillance network where all countries
collude to surveil everyone on the entire planet. It’ll probably not happen for a
while—there’ll be holdout countries like Russia that will insist on doing it themselves,
and rigid ideological differences will never let countries like Iran cooperate fully
with either Russia or the US—but most smaller countries will be motivated to join.
From a very narrow perspective, it’s the rational thing to do.
Consolidation of Institutional Control
Corporate surveillance and government surveillance aren’t separate. They’re intertwined;
the two support each other. It’s a public-private surveillance partnership that spans
the world. This isn’t a formal agreement; it’s more an alliance of interests. Although
it isn’t absolute, it’s become a de facto reality, with many powerful stakeholders
supporting its perpetuation. And though Snowden’s revelations about NSA surveillance
have caused rifts in the partnership—we’ll talk about those in Chapter 14—it’s still
strong.
The Snowden documents made it clear how much the NSA relies on US corporations to
eavesdrop on the Internet. The NSA didn’t build a massive Internet eavesdropping system
from scratch. It noticed that the corporate world was already building one, and tapped
into it. Through programs like PRISM, the NSA legally compels Internet companies like
Microsoft, Google, Apple, and Yahoo to provide data on several thousand individuals
of interest. Through other programs, the NSA gets direct access to the Internet backbone
to conduct mass surveillance on everyone. Sometimes those corporations work with the
NSA willingly. Sometimes they’re forced by the courts to hand over data, largely in
secret. At other times, the NSA has hacked into those corporations’ infrastructure
without their permission.
This is happening all over the world. Many countries use corporate surveillance capabilities
to monitor their own citizens. Through programs such as TEMPORA, the UK’s GCHQ pays
telcos like BT and Vodafone to give it access to bulk communications all over the
world. Vodafone gives Albania, Egypt, Hungary, Ireland, and Qatar—possibly 29 countries
in total—direct access to Internet traffic flowing inside their countries. We don’t
know to what extent these countries are paying for access, as the UK does, or just
demanding it. The French government eavesdrops on France Télécom and Orange. We’ve
already talked about China and Russia in Chapter 5. About a dozen countries have data
retention laws—declared unconstitutional in the EU in 2014—requiring ISPs to keep
surveillance data on their customers for some months in case the government wants
access to it. Internet cafes in Iran, Vietnam, India, and elsewhere must collect and
retain identity information of their customers.
Similar things are happening off the Internet. Immediately after 9/11, the US government
bought data from data brokers, including air passenger data from Torch Concepts and
a database of Mexican voters from ChoicePoint. US law requires financial institutions
to report cash transactions of $10,000 or larger to the government; for currency exchangers,
the threshold is $1,000. Many governments require hotels to report which foreigners
are sleeping there that night, and many more make copies of guests’ ID cards and passports.
CCTV cameras, license plate capture systems, and cell phone location data are being
used by numerous governments.
By the same token, corporations obtain government data for their own purposes. States
like Illinois, Ohio, Texas, and Florida sell driver’s license data, including photos,
to private buyers. Some states sell voter registration data. The UK government proposed
the sale of taxpayer data in 2014, but public outcry has halted that, at least temporarily.
The UK National Health Service also plans to sell patient health data to drug and
insurance firms. There’s a feedback loop: corporations argue for more government data
collection, then argue that the data should be released under open government laws,
and then repackage the data and sell it back to the government.
The net result is that a lot of surveillance data moves back and forth between government
and corporations. One consequence of this is that it’s hard to get effective
laws passed to curb corporate surveillance—governments don’t really
want to limit their own access to data by crippling the corporate hand that feeds
them.
The “Do Not Track” debate serves as a sterling example of how bad things are. For
years, privacy advocates have attempted to pass a law mandating that Internet users
have the option of configuring their browsers so that websites would not track them.
Several US national laws have been proposed, but have been fought hard by Internet
companies and have never been passed. California passed one in 2013, but it was so
watered down by lobbyists that it provides little benefit to users. As a user, you
can configure your browser to tell websites you don’t want to be tracked, but websites
are free to ignore your wishes.
It’s a bit different in Europe. Laws such as the EU Data Protection Directive put
more constraints on corporate surveillance, and it has had an effect. But a “safe
harbor” agreement between the US and the EU means personal data can flow from the
EU to participating US companies under standards less strict than those that apply
in the EU.
THE PUBLIC-PRIVATE SURVEILLANCE PARTNERSHIP
Governments don’t conduct surveillance, censorship, and control operations alone.
They are supported by a vast public-private surveillance partnership: an array of
for-profit corporations. A 2010 investigation found that 1,931 different corporations
are working on intelligence, counterterrorism, or homeland security inside the US.
In a 2013 story, the Washington Post reported that 70% of the US intelligence
budget goes to private firms and that 483,000
government contractors hold top-secret clearances: a third of the 1.4 million people
cleared at that level. There’s a strong revolving door between government and these
companies. Admiral Mike McConnell, who directed the NSA from 1992 to 1996, left to
become a vice president at the powerhouse government contractor Booz Allen Hamilton,
where he continues to work on national intelligence. After retiring from directing
the NSA in 2013, Keith Alexander started his own Internet security consulting firm,
and filed patents for security technologies he claimed to have invented on his own
time. He’s hired the NSA’s chief technology officer, who continues to work for the
NSA as well.
Many cyberweapons manufacturers sell hacking tools to governments worldwide. For example,
FinFisher is an “offensive IT Intrusion solution,” according to the promotional material
from the UK and German company that makes it, Gamma Group. Governments purchase this
software to spy on people’s computers and smartphones. In 2012, researchers found
evidence that the FinFisher toolkit was deployed in Bahrain, Singapore, Indonesia,
Mongolia, Turkmenistan, the UAE, Ethiopia, and Brunei, as well as the US and the Netherlands.