Wild West Days for Nation State Hackers

Nation state hackers have been very busy but rarely candid about their work.  State-controlled teams from many nations run intelligence gathering projects and sometimes plant SCADA (supervisory control and data acquisition) attacks against the physical infrastructure in rival nations.  The teams may be on the military payroll or be talented IT workers under contract to a nation state.  Nation state hackers generally do not collect consumers’ private financial information just to convert it into cash.

Hacking into military secrets or intelligence operations is a common nation state objective.  China routinely commits industrial espionage to gather trade secrets that can be exploited by its own private sector.  Russia has a voracious appetite for government secrets such as OPM’s personnel files, US political party databases, Pentagon communications, and all of Ukraine’s government information.  Many nations sieve their population’s communications in search of leads to terrorists or dissidents.  The NSA has a reputation for competent and widespread monitoring of international communications, generally in support of military and anti-terrorist objectives.

There is convincing evidence of nation state surveillance by Germany, France, Israel, Iran, Islamic Jihad, Egypt, Saudi Arabia, China, Russia, Britain, the US, and perhaps Pakistan and India.  However, there is no public, thorough, and credible documentation of their cyber activities.  Unreliable accusations by rivals are common.

Also common is whining from leaders whose countries have just been hacked by another nation state but who refuse to admit they indulge in similar misbehaviors.  These hypocrites object not on principle but because public knowledge of their victimhood makes them appear politically weak.  In the weeks following Snowden’s colossal theft of NSA secret documents, there was an avalanche of such leaders and prosecutors in France, Germany and Belgium.

The USA appears to have a mostly cooperative relationship with at least 9 countries that includes the loan of cyber-tools and the sharing of some intelligence that they collect.  The “five eyes” are members of a signals intelligence treaty among the US, Canada, Australia, New Zealand and the United Kingdom.  Outside the five eyes, Germany, France, Sweden and Norway are friendly and collaborate sometimes with the US.  Until the revelations from Snowden, the NSA had free rein to inspect international communications in search of spying and terrorism candidates, and despite their protests, most European intelligence services knew about it.

The United Kingdom and Canada appear to be the US’s closest cyber allies, although alignment among the countries doubtless flutters with the public approval ratings of the leaders.  The UK’s Government Communications Headquarters (GCHQ) has been a staunch partner in surveillance of foreign communications.  It monitors some of the main intercontinental communications hubs, providing a valuable stream of clues for NSA to process.  Canada is similarly located on intercontinental hubs.

The NSA has developed amazingly powerful surveillance software and storage capabilities that can sieve worldwide communications and internet traffic and retain anything that matches a complex search profile.  This software behemoth is known as XKeyScore and has been in use by the UK, US, Germany, and probably by France.  France has its own surveillance software (called Babar and Casper).  Both Germany and France were aware of some NSA exploits because NSA shared the work product with them.  Nevertheless, they were quick to shed crocodile tears when their electorate became aware that NSA might have looked at their communications.  Revelations of spying by their own government merely nudged the leaders to punt and deflect using the tactic of “condemn publicly and announce an inquiry.”

Before mounting our moral high horse on all this espionage, we should take an explicit stand on whether our military and intelligence agencies should use cyber tools to monitor for vulnerabilities to American public safety.  Is it OK domestically?  Is it OK internationally?

A British tribunal assigned the task of judging the legality of GCHQ’s hacking decided that the hacking does not violate human rights.  Some will agree, but those who see privacy as a human right will disagree.  Our own Congress has reauthorized some of NSA’s surveillance actions and appointed the Foreign Intelligence Security court as regulator.  Many in the US are unsatisfied with this arrangement, although they are willing to be flexible when it comes to averting imminent dangers.

Since we cannot expect Congress to offer a clear-cut, near-term resolution that appeals to all Americans, we need pragmatic rules that help us achieve our objectives in an international context.  Ideally, we should lead by example.  The way that our government shows respect for US citizens’ privacy really does matter.  The respect shown in the US signals the minimum behavior acceptable both here and abroad.

Being prissy on privacy does not entice others to follow suit, and modelling the right behavior works better when we carry a big stick.  Our politicians seem confused about the right pain to inflict when foreign nations hack our government and commercial communications.   Our government is reluctant to even catalogue the cyber-crimes committed by each nation.  Pompous lectures about unacceptable behaviors, violations of human rights, or threatening unspecified reprisals will curb neither terrorism nor cyber-attacks.  We undermine the protection of Americans and their privacy when we enlist the gross inefficiency of our creaky legal system, for example, allowing government lawyers 4 or 5 years to indict Iranians who hacked banks and tampered with dam controls.  Not every international threat is suitably handled as a lawsuit.  Sometimes a drone, blockade, or asset seizure is more effective, especially if launched while people still remember the attack.
