Tag Archives: Government Surveillance

First-ever Audit At The Department of Defense


First Ever Audit at the Pentagon


“The Department of Defense is preparing for its first-ever audit.

The nation’s most sprawling and expensive bureaucracy, and the world’s largest employer, has yet to undergo a formal, legally mandated review of its finances.

[It] has become a preoccupation for members of Congress intent on demonstrating their fiscal prudence even as they appropriate more than $600 billion annually to the Pentagon.

“Like Waiting for Godot,” one Democratic senator, Jack Reed of Rhode Island, quipped about the absent audit at a recent hearing. The lack of formal accountability has left unanswered basic questions about how the military spends taxpayer money, like the precise number of employees and contractors its various branches have hired. Cost overruns have become legendary, none more so than the F-35 fighter-jet program that has drawn the ire of President Trump. And partial reports suggest that the department has misspent or not accounted for anywhere from hundreds of billions to several trillion dollars.

After years of missed deadlines, the mounting political pressure and a renewed commitment from the Trump administration might finally result in an audit. For the first time last year, both major political parties called for auditing the Pentagon in their campaign platforms. That unites everyone from Hillary Clinton and Elizabeth Warren to Ted Cruz and the House Freedom Caucus. And last week, Trump’s nominee to serve as comptroller for the Pentagon, David Norquist, testified at his Senate confirmation hearing that he would insist on one whether the department could pass it or not. “It is time to audit the Pentagon,” Norquist told members of the Senate Armed Services Committee in his opening statement.

As comptroller for the Homeland Security Department a decade ago, Norquist, the brother of the anti-tax advocate Grover Norquist, undertook the first successful audits of that much younger federal agency. The Defense Department is unlikely to meet a statutory deadline to be “audit-ready” by the end of September. But Norquist said he would begin the process even if the Pentagon’s financial statements were not fully in order, and he committed to having the report completed by March 2019.

What has prevented the Pentagon from being examined this way before? The answer lies somewhere “between lethargy and complexity,” said Gordon Adams, a distinguished fellow at the Stimson Center who was the top budget official for national security in the Clinton White House. “It hasn’t been done ever,” he told me, “partly because it’s incredibly complicated to do and also because there’s not a great, powerful will in the building to do it.”

The complexity of the project dates back to the Civil War, Adams said, when the Army and the Navy set up their own separate accounting systems. The Air Force also went its own way after its creation following World War II, and the military build-ups of the last four decades scrambled the department’s financial records many times over. The explosion of military contractors since 9/11 has made scrubbing the books harder still. Adams estimated that an audit would have to account for 15 million to 20 million contracting transactions each year. The Pentagon has spent several billion dollars over the last seven years just trying to consolidate its accounting systems in preparation for a potential audit.

Despite the ramp-up costs, the project has never risen to be a top priority; the Pentagon has simply been too busy fighting wars. “The military has repeatedly argued that they need to focus on the war effort and accountability can come later,” said Kori Schake, a fellow at the Hoover Institution who previously served in a variety of national-security positions in the government. That excuse carried more weight with lawmakers in the years when the United States had hundreds of thousands of troops fighting in Iraq and Afghanistan.

Now, top Republicans like Senator John McCain of Arizona, chairman of the Armed Services Committee, are pressing for an audit with more urgency. “This has been a very public continuing failure for the Department of Defense, in large part due to the failure of senior management to make this a priority for the department and invest the necessary time and will to get it done,” McCain said at the outset of Norquist’s hearing. “This must end with you,” he told the president’s nominee.

Yet those fiscal hawks hoping that the long-awaited report will spur substantial reforms to defense spending are just as likely to be disappointed. An audit by itself won’t dismantle the “military industrial complex” that former President Dwight Eisenhower famously warned about, nor will it lead members of Congress to stop fighting to protect the bases and weapons systems that are manufactured in their districts—and the jobs that come with them. Several times in recent years, it has been congressional lobbying that has kept up production of weapons and equipment that the military no longer considers necessary.

“An audit does not raise the big issues,” Adams said. “It doesn’t tell you that we’re not getting the right bang for the buck. It doesn’t tell you anything about whether we’re getting the right forces for the threat. It doesn’t tell you how well the forces perform. It doesn’t tell you where we are wasting capability that we don’t need.”

“What it allows a member of Congress to do,” he continued, “is to look tough on defense and spend a lot on defense at the same time.”

Spending a lot on defense is what the Trump administration wants to do, even as it pledges its support for a Pentagon audit. The White House has asked Congress for a $54 billion increase in the military budget over the next year and secured about $15 billion of that in the recent spending deal. “It’s harder when there’s a big inflow of cash to focus on something like the audit,” said William Hartung, director of the arms and security project at the Center for International Policy. “There’s still that incentive to just push the money out the door.”

There’s some hope among audit advocates that the administration’s demand for more money will give congressional spending hawks leverage to insist on progress toward the accounting milestone in exchange for a budget increase. But they also don’t believe leverage should be necessary to demand that a department with a workforce pegged at more than 3 million people commit, at long last, to some basic bookkeeping. “We would never accept the argument that the Department of Education is too big and too complicated to be accountable,” Schake argued. “Why do we accept that for Defense?”



Navigating Defense Department Cyber Rules


Cyber Rules


“Defense contractors by Dec. 31 are expected to provide “adequate security” to protect “covered defense information” using cyber safeguards.

Thousands of companies who sell directly to the Defense Department, and thousands more who sell to its suppliers, are, or will be, subject to the rule.

This obligation arises from a Defense Acquisition Regulation System Supplement clause, “Network Penetration Reporting and Contracting For Cloud Services,” that was finalized last October and described in the National Institute of Standards and Technology (NIST) Special Publication 800-171.

The Pentagon is well-justified to seek improved cyber protection of sensitive but unclassified technical information. Hackers have exploited network vulnerabilities in the defense supply chain for the unauthorized exfiltration of valuable and sensitive defense information. Senior defense officials have expressed alarm at this persistent and pervasive economic espionage. 

Since 2013, the Defense Department has used acquisition regulations to protect controlled technical information significant to military or space. Other forms of information may not have direct military or space significance, but loss of confidentiality through a cyber breach can produce serious, even grave national injury. 

The Defense Department is the leader among federal agencies in using its contractual power to cause its vendors to improve their cybersecurity. The principal instruments are two contract clauses, DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls,” and DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” Both were the subject of final rulemaking released Oct. 21.

Where the -7008 “compliance” clause is included in a solicitation, the offeror commits to implement the SP 800-171 safeguards by the end of this year. Defense Department contracts will include the -7012 “safeguards” clause, which defines the types of information that must be protected, informs contractors of their obligation to deliver “adequate security” using SP 800-171 controls, and obligates reporting to the department of cyber incidents.  

Every responsible defense supplier supports the objectives of these cyber DFARS rules. But the requirements are complex and are not currently well-understood. Outside of a few of the largest, dedicated military suppliers, many companies in the defense supply chain view these rules with a mix of doubt, concern and alarm. This recipe serves neither the interests of the Defense Department nor its industrial base.

A technology trade association, the IT Alliance for Public Sector, released a white paper that examines the Defense Acquisition Regulation System Supplement and other federal initiatives to protect controlled unclassified information. The goal was to assist both government and industry to find effective, practical and affordable means to implement the new cyber requirements. The paper examines these five areas: designation, scope, methods, adoption and compliance.

As for designation, the department should accept that it is responsible to identify and designate the covered defense information that contractors are obliged to protect. It should confirm that contractors only have to protect information that it has designated as covered, and that such obligations are only prospective — newly received information — and not retrospective.

In regards to “scope,” the Defense Department should revise the rule to clarify that contractors must protect information that it has identified as covered and provided to the contractor in the course of performance of a contract that is subject to the rule. The definition of “covered defense information” should be revised to remove confusing language that can be interpreted to require protection of “background” business information and other data that has only a remote nexus to a Defense Department contract.

The October 2016 revision now allows defense contractors to use external cloud service providers, where covered information is involved, only if those vendors meet the security requirements of FedRAMP Moderate “or equivalent.” The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.

The regulation fails to explain what is meant by “or equivalent” and who decides. The Defense Department needs to explain what it expects from cloud services to satisfy SP 800-171 and the DFARS rules. A security overlay should be prepared by NIST to add cloud-specific controls. But it is unnecessary to impose the whole of the FedRAMP process and federal-specific controls on commercial cloud providers.

The Defense Department continues to depend on small business for many needs, and seeks their innovative ideas. The supplements are an obstacle and burden on smaller businesses, and yet security is just as important at the lower levels of the supply chain as at the top. The department can improve the ability of small business to implement the required security controls. Several specific recommendations are made as to how it can reach and assist the small business community. One recommendation is to make increased use of the NIST voluntary cybersecurity framework.

As far as compliance, contractors are required to represent that they will deliver “adequate security” and fully implement the SP 800-171 controls by the year-end deadline. The Defense Department needs to better inform its contractors how they can be confident their security measures will satisfy the requirements should they come under scrutiny following a cyber incident. The white paper explores different ways to create a safe harbor for compliance. A key component is contractor documentation of a system security plan, which was added as a 110th requirement to SP 800-171.        

The White Paper is available here. The Defense Department is hosting an industry day on the cyber DFARS, June 23 at the Mark Center in Alexandria, Virginia. Information and registration details available here.”


Intelligence Watchdog Finds Contractor Abuses




“Dozens of instances when contractor employees fudged their timesheets, billing the government for time they were not at work or when they engaged in activities either personal in nature or outside the scope of the contract.

38 substantiated cases – loss to the government of more than $2.5 million.

Last week brought news that another Booz Allen Hamilton employee was accused of improperly removing sensitive material from the National Security Agency (NSA). Harold Thomas Martin III was charged with theft of government property and unauthorized removal and retention of classified materials. The government alleges Martin took documents and digital files containing information that, if disclosed, “reasonably could be expected to cause exceptionally grave damage to the national security of the United States.”

It was another black eye for Booz Allen, which was NSA surveillance program whistleblower Edward Snowden’s employer. It was equally embarrassing for the U.S. intelligence community, which pays contractors like Booz Allen billions of dollars each year to help run its global operations and keep a tight lid on our country’s more sensitive secrets.

Just days after the Harold Martin story broke, U.S. intelligence contractors were again in the spotlight. On Sunday, VICE News reporter Jason Leopold posted hundreds of pages of Intelligence Community Inspector General (ICIG) investigative reports. The documents contain the juicy—and occasionally disturbing—details of misconduct investigations conducted by the ICIG, the watchdog office that oversees the federal intelligence agencies. Most of the cases involved employees of Booz Allen and other prominent contractors.

Specifically, the documents contain dozens of instances when contractor employees fudged their timesheets, billing the government for time they were not at work or when they engaged in activities either personal in nature or outside the scope of the contract.

The ICIG also found that some contractor employees, while working on extremely sensitive intelligence programs and operations, risked exposing classified information by using non-secure networks and computers. They did so while working for some of the government’s most trusted private sector partners: Booz Allen and SAIC are among only a handful of private firms that collectively employ nearly all of the intelligence community’s contractor workforce.

The implications of the VICE News revelations are enormous. Not only did the contractor employees rip off taxpayers, they also compromised national security. The ICIG reports bolster POGO’s concern that contractor timesheet fraud is especially rampant among intelligence programs due to a lack of transparency and insufficient contract oversight. However, they also give us a reason to be optimistic: they show that the intelligence watchdog takes its role seriously and doggedly pursues allegations of wrongdoing.”




The Realities of Federal Drone Domestic Surveillance



“The Atlantic”

“Americans don’t particularly want to be spied on from above.

There are too many federal, state, and local agencies with too many surveillance aircraft to pretend any longer that aerial spying is rare.

A little more than a decade ago the border patrol started using surveillance drones. The technology and the mission were a perfect match, and few did any worrying—almost no one objects to closely monitoring America’s southern border.

The belief that the federal government was using drones to conduct domestic surveillance inside the United States, though, could get a person labeled a paranoid lunatic as recently as 2012. Yet by then, the border patrol had lent its drones to other agencies 700 times. And the Department of Homeland Security was actively developing a domestic drone fleet, egged on by at least 60 members of Congress. “This bipartisan caucus, together with its allies in the drone industry, has been promoting UAV use at home and abroad through drone fairs on Capitol Hill, new legislation and drone-favored budgets,” the Center for International Policy reported.

In 2013, Senator Dianne Feinstein, a staunch defender of NSA surveillance, declared that drones are “the biggest threat to privacy in society today.” Under her questioning, the FBI admitted to using surveillance drones in “a very minimal way.”

What did Feinstein know that the FBI wasn’t telling us? Perhaps that the federal government gave local police departments $1.2 million to spend on drones that year.

In 2015, NBC News reported that the Bureau of Alcohol, Tobacco, and Firearms spent $600,000 on six drones, “then never flew them because of technical problems with flight time, maneuverability and more.” Has ATF figured them out yet?

AP reported that the DEA was using drones domestically, too.

That brings us to 2016.

On Wednesday, USA Today reported that the Pentagon “has deployed drones to spy over U.S. territory for non-military missions over the past decade,” citing a report by a Pentagon inspector general who declared that the flights are “rare and lawful.”

That’s the narrative that officials speaking on behalf of the federal government keep conveying––that the instances of aerial surveillance over U.S. soil are safe, legal, and rare.

But it isn’t so.

There is too little oversight to presume all these government entities are acting legally. As for safety, Americans know neither what sort of aerial-surveillance data has been archived nor how secure it is. And security researcher Nils Rodday learned that he could successfully hack into professional drones and take over their operations on a $40 budget.

The ACLU and Electronic Frontier Foundation are trying to draw attention to these issues; the Department of Justice has issued its own guidelines on domestic drone use. But there’s still not much public discussion, debate, or oversight of domestic drone surveillance.

By keeping various aerial-surveillance programs hidden or very quiet, the government will continue to achieve a rapid fait accompli unless it is stopped.”


What the Future of Government Surveillance Looks Like


“DEFENSE ONE”

“A future awaits where countries share intelligence one minute, then hack and cyberattack each other the next.

These partnerships make no sense when the primary goal of intelligence is government vs. government espionage, but are obvious and appropriate when the primary goal is global surveillance of the population.

So while the German government expresses outrage at the NSA’s surveillance of the country’s leaders, its BND continues to partner with the NSA to surveil everyone else.

The endgame of this isn’t pretty: It’s a global surveillance network where all countries collude to surveil everyone on the entire planet. It’ll probably not happen for a while—there will be holdout countries like Russia that will insist on doing it themselves, and rigid ideological differences will never let countries like Iran cooperate fully with either Russia or the United States—but most smaller countries will be motivated to join. From a very narrow perspective, it’s the rational thing to do.

Before the Internet, when surveillance consisted largely of government-on-government espionage, agencies like the NSA would target specific communications circuits: that Soviet undersea cable between Petropavlovsk and Vladivostok, a military communications satellite, a microwave network. This was for the most part passive, requiring large antenna farms in nearby countries.

Modern targeted surveillance is likely to involve actively breaking into an adversary’s computer network and installing malicious software designed to take over that network and “exfiltrate” data—that’s NSA talk for stealing it. To put it more plainly, the easiest way for someone to eavesdrop on your communications isn’t to intercept them in transit anymore; it’s to hack your computer.

And there’s a lot of government hacking going on.

In 2011, an Iranian hacker broke into the Dutch certificate authority DigiNotar. This enabled him to impersonate organizations like Google, the CIA, MI6, Mossad, Microsoft, Yahoo, Skype, Facebook, Twitter, and Microsoft’s Windows Update service. That, in turn, allowed him to spy on users of these services. He passed this ability on to others—almost certainly in the Iranian government—who in turn used it for mass surveillance on Iranians and probably foreigners as well. Fox-IT estimated that 300,000 Iranian Gmail accounts were accessed.

In 2009, Canadian security researchers discovered a piece of malware called GhostNet on the Dalai Lama’s computers. It was a sophisticated surveillance network, controlled by a computer in China. Further research found it installed on computers of political, economic, and media organizations in 103 countries—basically a who’s who of Chinese espionage targets. Flame is a surveillance tool that researchers detected on Iranian networks in 2012; these experts believe the United States and Israel put it there and elsewhere. Red October, which hacked and spied on computers worldwide for five years before it was discovered in 2013, is believed to be a Russian surveillance system. So is Turla, which targeted Western government computers and was ferreted out in 2014. The Mask, also discovered in 2014, is believed to be Spanish. Iranian hackers have specifically targeted U.S. officials. There are many more known surveillance tools like these, and presumably others still undiscovered.

To be fair, we don’t have proof that these countries were behind these surveillance networks, nor that they were government-sponsored. Governments almost never admit to hacking each other’s computers. Researchers generally infer the country of origin from the target list. For example, The Mask target list included almost all Spanish-speaking countries, and a bunch of computers in Morocco and Gibraltar. That sounds like Spain.

In the United States, the group charged with hacking computers is the Tailored Access Operations group (TAO) inside the NSA. We know that TAO infiltrates computers remotely, using programs with cool code names like QUANTUMINSERT and FOXACID. We know that TAO has developed specialized software to hack into everything from computers to routers to smartphones, and that its staff installs hardware “implants” into computer and networking equipment by intercepting and infecting it in transit. One estimate is that the group has successfully hacked into, and is exfiltrating information from, 80,000 computers worldwide.

Of course, most of what we know about TAO and America’s hacking efforts comes from top-secret NSA documents provided by Edward Snowden. There haven’t been similar leaks from other countries, so we know much less about their capabilities.

We do know a lot about China. China has been reliably identified as the origin of many high-profile attacks—against Google, against the Canadian government, against The New York Times, against the security company RSA and other U.S. corporations, and against the U.S. military and its contractors. In 2013, researchers found presumed Chinese government malware targeting Tibetan activists’ Android phones. In 2014, Chinese hackers breached a database of the U.S. Office of Personnel Management that stored detailed data on up to 5 million U.S. government employees and contractors with security clearances.

A lot of this is political and military espionage, but some of it is commercial espionage. Many countries have a long history of spying on foreign corporations for their own military and commercial advantage. The U.S. claims that it does not engage in commercial espionage, meaning that it does not hack foreign corporate networks and pass that information on to U.S. competitors for commercial advantage. But it does engage in economic espionage, by hacking into foreign corporate networks and using that information in government trade negotiations that directly benefit U.S. corporate interests. Recent examples are the Brazilian oil company Petrobras and the European SWIFT international bank-payment system. In fact, according to a 1996 government report, the NSA claimed that the economic benefits of one of its programs to U.S. industry “totaled tens of billions of dollars over the last several years.” You may or may not see a substantive difference between the two types of espionage. China, without so clean a separation between its government and its industries, does not.

Many countries buy software from private companies to facilitate their hacking. Consider an Italian cyberweapons manufacturer called Hacking Team that sells hacking systems to governments worldwide for use against computer and smartphone operating systems. The mobile malware installs itself remotely and collects e-mails, text messages, call history, address books, search-history data, and keystrokes. It can take screenshots, record audio to monitor either calls or ambient noise, snap photos, and monitor the phone’s GPS coordinates. It then surreptitiously sends all of that back to its handlers. Ethiopia used this software to sneak onto the computers of European and American journalists.

When American officials first started getting reports of the Chinese breaking into U.S. computer networks for espionage purposes, they described it in very strong language. They labeled the Chinese actions “cyberattacks,” sometimes invoking the word “cyberwar.” After Snowden revealed that the NSA had been doing exactly the same thing as the Chinese to computer networks around the world, the U.S. used much more moderate language to describe its own actions—terms like “espionage,” or “intelligence-gathering,” or “spying”—and stressed that these were peacetime activities.

When the Chinese company Huawei tried to sell networking equipment to the United States, many feared that the Chinese government had installed backdoors into the switches that would allow Beijing to eavesdrop, and considered the move a “national-security threat.” But, as Snowden’s disclosures eventually revealed, the NSA has been doing exactly the same thing, both to Huawei’s equipment and to American-made equipment sold in China.

The problem is that—as they occur and from the point of view of the victim—international espionage and attack look pretty much alike. Modern cyberespionage is a form of cyberattack, and both involve breaking into the network of another country. The only difference between them is whether they deliberately disrupt network operations or not. That’s a huge difference, of course, but the time lag between breaking into a network and disrupting operations might be months or even years. Because breaking into a foreign network affects the territory of another country, it is almost certainly illegal under that country’s laws. Even so, countries are doing it constantly to one another.

In 2012, for example, the NSA repeatedly penetrated Syria’s Internet infrastructure. Its intent was to remotely install eavesdropping code in one of the country’s core routers, but it accidentally caused a nationwide Internet blackout. Exfiltrating data and taking out a country’s Internet involve exactly the same operations.

Governments, meanwhile, are getting into cyberwar big time. About 30 countries have cyberwar divisions in their military: the United States, Russia, China, the major European countries, Israel, India, Brazil, Australia, New Zealand, and a handful of African countries. In the United States, this effort is led by U.S. Cyber Command inside the Department of Defense. Admiral Michael S. Rogers is in charge of both this organization and the NSA. That’s how close the missions are.

Few examples have surfaced of cyberattacks that cause actual damage, either to people or to property. In 2007, Estonia was the victim of a broad series of cyberattacks—an incident that is often called the first cyberwar because it coincided with increased tensions with neighboring Russia. The ex-Soviet republic of Georgia was also the victim of cyberattacks, ones that preceded a land invasion by Russian troops a year later. In 2009, South Korea was the victim of a cyberattack. All of these were denial-of-service attacks, during which selected Internet sites are flooded with traffic and stop working temporarily. They’re disruptive, but not very damaging in the long run.

In all of these cases, we don’t know for sure who the perpetrator was, or even whether it was a government. In 2009, a pro-Kremlin youth group took credit for the 2007 Estonian attacks, although the only person convicted of them was a 22-year-old Russian living in Tallinn. That sort of identifiability is rare. Like the espionage attacks discussed earlier, cyberattacks are hard to trace. We’re left to infer the attacker by the list of victims. Ethnic tensions with Russia—of course Russia is to blame. South Korea gets attacked—who else but North Korea would be motivated?

Stuxnet is the first military-grade cyberweapon known to be deployed by one country against another. It was launched in 2009 by the United States and Israel against the Natanz nuclear facility in Iran, and succeeded in causing significant physical damage. A 2012 attack against Saudi Aramco that damaged some 30,000 of the national oil company’s computers is believed to have been retaliation by Iran.

* * *

There’s an interesting monopolistic effect that occurs with surveillance. Espionage basically follows geopolitical lines; a country gets together with its allies to jointly spy on its adversaries. That’s how we did it during the Cold War. It’s politics.

Mass surveillance is different. If you’re truly worried about attacks coming from anyone anywhere, you need to spy on everyone everywhere. And since no one country can do that alone, it makes sense to share data with other countries.

But whom do you share information with? You could share with your traditional military allies, but they might not be spying on the countries you’re most worried about. Or they might not be spying on enough of the planet to make sharing worthwhile. It makes the best sense to join the most extensive spying network around. And that’s the United States.

This is what’s happening right now. U.S. intelligence agencies partner with many countries as part of an extremely close relationship of wealthy, English-speaking nations called the Five Eyes: the U.S., U.K., Canada, Australia, and New Zealand. Other partnerships include the Nine Eyes, which adds Denmark, France, the Netherlands, and Norway; and the Fourteen Eyes, which adds Germany, Belgium, Italy, Spain, and Sweden. And the United States partners with countries that have traditionally been much more standoffish, like India, and even with brutally repressive regimes like Saudi Arabia’s.

All of this gives the NSA access to almost everything. In testimony to the European Parliament in 2014, Snowden said, “The result is a European bazaar, where an EU member state like Denmark may give the NSA access to a tapping center on the (unenforceable) condition that NSA doesn’t search it for Danes, and Germany may give the NSA access to another on the condition that it doesn’t search for Germans. Yet the two tapping sites may be two points on the same cable, so the NSA simply captures the communications of the German citizens as they transit Denmark, and the Danish citizens as they transit Germany, all the while considering it entirely in accordance with their agreements.”

In 2014, we learned that the NSA spies on the Turkish government, and at the same time partners with the Turkish government to spy on the Kurdish separatists within Turkey. We also learned that the NSA spies on the government of one of its much closer surveillance partners: Germany. Presumably the United States spies on all of its partners, with the possible exception of the other Five Eyes countries. Even when the NSA touts its counterterrorism successes, most of them are foreign threats against foreign countries and have nothing to do with the United States.

It should come as no surprise that the U.S. shares intelligence data with Israel. Normally, identities of Americans are removed before this data is shared with another country to protect our privacy, but Israel seems to be an exception. The NSA gives Israel’s secretive Unit 8200 “raw SIGINT”—that’s signals intelligence.

Even historical enemies are sharing intelligence with the United States, if only on a limited basis. After 9/11, Russia rebranded the Chechen separatists as terrorists, and persuaded the United States to help by sharing information. In 2011, Russia warned the United States about Boston Marathon bomber Tamerlan Tsarnaev. The United States returned the favor, watching out for threats at the Sochi Olympics.

These partnerships make no sense when the primary goal of intelligence is government vs. government espionage, but are obvious and appropriate when the primary goal is global surveillance of the population. So while the German government expresses outrage at the NSA’s surveillance of the country’s leaders, its BND continues to partner with the NSA to surveil everyone else.

The endgame of this isn’t pretty: It’s a global surveillance network where all countries collude to surveil everyone on the entire planet. It’ll probably not happen for a while—there will be holdout countries like Russia that will insist on doing it themselves, and rigid ideological differences will never let countries like Iran cooperate fully with either Russia or the United States—but most smaller countries will be motivated to join. From a very narrow perspective, it’s the rational thing to do.”


“This post has been adapted from Bruce Schneier’s new book Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.”