The High Grounds of Mass Surveillance

Western pundits and politicians love to talk about scary Russian and Chinese cyber capabilities and activities. I believe we should look at those statements with a heavy dose of cynicism. Western states, and especially the Five Eyes nations (USA, UK, Canada, Australia, New Zealand), have overwhelming control of what I call “the high grounds of mass surveillance”. Both in terms of capabilities, and in terms of known activities, I believe the idea of any nation being in serious competition with, or a threat to, the Five Eyes is absurd.

The Five Eyes are Australia, Britain, Canada, New Zealand and the U.S. (Source: Devan Feeney/Staff)

Patriotism is our natural and delusional tendency to see our own country of origin as uniquely good, moral, and important. By contrast, we see any rival football teams — sorry, countries — as uniquely sinister, immoral, and dangerous. In reality, it doesn’t take even a close look at the recent history of any major nation to see multiple examples of behavior that would shame an unbiased observer.

For my native England, and our step-child the United States, we can easily list off multiple internal and external atrocities per decade of their continuing quasi-monopoly on world power. Perhaps my belief is a way for me to assuage a natural guilt at what my long dead ancestors and still living compatriots did and continue to do. Still, I do not believe that any other nation, people, or culture would show more humanity if they found themselves in a similar position of unrivaled power. I believe that centralization of power is itself the problem.

Again, it may be a self-serving belief, but I do not think Anglo-Saxons and America are somehow uniquely evil. History gives us a never-ending parade of examples of power abused. I draw a blank on finding even one example of a hegemonic power who has not used their position to murder, torture, plunder, abuse, oppress, and otherwise show that most human of traits: utter inhumanity towards those under their power.

So what are these high grounds of mass surveillance? Why do I find it absurd to consider Russian or Chinese state-sponsored anti-social cyber activities in the same league as those performed by the United States and their Five Eyes allies? Here are my top 20 reasons, the top 20 high grounds where American / Five Eyes power is undisputed:

1. Budgets

The 2017 US military budget is greater than that of the next 7 countries combined, including both Russia’s and China’s. The proposed US military budget increase for 2019 is bigger than the total Russian military budget. This is without considering that #7, #13, and #14 budgets are those of Five Eyes allies, whose surveillance capabilities are largely joined to those of the US; and that numbers 6, 8, 9, 10, and 12 are also dependent NATO allies.

U.S. Military spending dwarfs the rest. (Source: Peter G. Peterson Foundation)

By any count, the NSA, CIA, FBI, and other US surveillance agencies have budgets that dwarf those of the FSB, GRU, and People’s Army, and have dwarfed them consistently for decades. This means there is a huge and ever-growing gap in total investment. Even if you assume Americans are uniquely wasteful and stupid, while Russians and Chinese are uniquely efficient and brilliant, this is surely a more or less insurmountable gap.

2. Internet Governance

The key organizations and powers of Internet governance reside in the United States. ICANN is headquartered in Los Angeles, and the US Department of Commerce has final approval over any critical DNS system changes. The main standards body, the IETF, is also headquartered in California. The IANA is a semi-private U.S. corporation recently spun off from the U.S. Department of Commerce. While many attempts have been made, and are still ongoing, to make governance less centralized, the likelihood is that the US will continue to keep a very close leash on this vital power.

3. Physical Internet Control

The Internet is physically made up of high capacity cables that snake under the oceans, connecting the world together. Those cables arrive in countries at buildings called “landing points” — these buildings (and their access to the cables) give a great opportunity for mass espionage and surveillance. Most of the early and even modern cables were laid and controlled by first the British, then the US, with much of the rest by other Five Eyes states, especially Australia.

2007 map of worldwide submarine communications cables (Source: Wikipedia / Rarelibra)

Beyond this, the Internet protocols mean traffic takes the fastest routes, and not necessarily the physically shortest routes. As the US, UK, and Australia have a much higher density of high capacity and highly inter-connected cables than others, the reality is that a huge proportion of Internet traffic (even when between two completely external countries) will pass via a Five Eyes accessible cable and/or landing point. We know that the US are not shy about using this advantage, for example embedding the NSA in AT&T buildings across the US.

4. Satellites

Satellites are used for many things, including surveillance (satellite imagery), communications, and GPS. The US has a big lead in all three — for example, the vast majority of the world (including all Android and Apple phones) relies on the US military for its GPS geo-location system, putting the US military in a unique position to manipulate and perform surveillance on the system’s use.

5. Social Media & Search

While Russia, China, and Brazil especially have had some success in making locally limited social network and search rivals, for everyone else we have US companies like Facebook, Google, Twitter, Snapchat, LinkedIn, Tinder, Strava, and many more. These services are uniquely rich sources of mass surveillance metadata. We know from Snowden documents that the NSA’s PRISM program has had, and likely still has, direct feeds into these companies’ data. If they don’t, the US spies can just get National Security Letters issued to force local US companies to cooperate in secret.

Dates when NSA started PRISM data collection for 9 major U.S. internet companies (Source: NSA / Edward Snowden)

6. Messaging / Chat

The same also applies to messaging networks. Most personal, corporate, and state conversations will at some point pass over a system controlled by a US company: Facebook Messenger, WhatsApp, Skype, Signal, and even Tor. For the latter, while these tools are technically significantly more surveillance-resistant, as are many of the people involved, there is Freedom of Information Act evidence to suggest secret management cooperation with US intelligence agencies in allowing windows of access to critical security bug information, which act as back-doors in everything but name.

7. Smart Phones & Assistants

Smart phones are more and more a necessity for the modern world. Smart phones are the ultimate consumer surveillance devices. They are linked to individual identities. They have constant passive location tracking as standard. And they have simple capabilities to secretly record conversations, take high-quality photos and videos, and send all the data at high speeds to any location on the Internet.

U.K. World War II internal propaganda, “Warning! Walls Have Ears, Be Careful of What You Say!” (Source: Moïcani — L’Odéonie)

All the major smart phone companies today (and even in the last decade or so) are US or Canada based: Apple, Android, Windows Mobile, and Blackberry. All the same NSA feeds and National Security Letter hooks are available to the US surveillance agencies to gain privileged access to these devices. And now we have a new generation of US controlled home, office, and hotel room surveillance devices like Google Home and Amazon Echo.

8. Business Software

No matter which country you are in, if you run a major business or government agency, you are hostage to US developed and controlled software: Microsoft Windows, Microsoft Office, Salesforce, Oracle, AWS, Cloudflare, and many more. Again, only one government has the levers to easily corrupt these trusted providers, and the Snowden documents make clear that the US government have no qualms about using those levers.

9. IT Hardware

For all practical purposes, every major company and government agency in the world is now a software company. Their software runs on servers, computers, and CPU chips that are overwhelmingly American, from companies like IBM, Dell, HP, Apple, Intel, AMD, Qualcomm, Broadcom, etc. We can worry about Chinese state agents managing to infiltrate local factories to add back-doors, but a far more likely scenario is a back-door added en masse in the design phase back at HQ. This brilliant BlackHat talk looks at the hundreds of secret commands on the Intel x86 chip architecture, giving a flavor of how plausible this could be. HP laptops have been found shipping with keyloggers — likely in error, but plausibly deniable back-doors are surely a real thing.

10. Telecom Network Infrastructure

Mobile and fixed telecoms networks are built on special hardware and software. The dominant force in the switch market is Cisco. Alcatel-Lucent and Genband/Ribbon are two of the biggest worldwide names in network building. Cisco has had a few too many plausibly deniable back-doors for people to not be more than a bit suspicious. Meanwhile, telecoms networks are required to be designed with ‘lawful’ interception features that can easily be abused with the right access.

‘Lawful’ intercept architecture diagram for an IMS telecoms network (Source: Ribbon / Sonus Technical Support Documentation)

11. Extra-Territorial Law

There is only one country in the world that has the power to claim and enforce extra-territorial legal authority worldwide, whether it is in demanding foreign bank records, rendering foreign citizens abroad, or mass hacking of foreign computers as part of criminal investigations. Russian cyber-criminals know that when they take a holiday in Spain or the Czech Republic, they risk an American jail. Even the CFO of one of China’s largest companies, Huawei, wasn’t safe transiting from China to Mexico via Canada. Her devices are now in the custody of US surveillance, and physical control over someone’s body can be an incredibly motivating force.

12. Surveillance Authorization

At least on paper, the Five Eyes have some of the most sweeping and extreme surveillance authorization laws in the world. The NSA and GCHQ are not in any way hampered by working in democratic states with a public reverence for “rule of law”.

13. Border Searches

Basic anti-surveillance human and civil rights do not apply within 100 miles of the US border. Nearly two thirds of the US population lives in this ‘border’ zone, including all the major international business and governmental hubs. Search of travelers’ electronic devices and demands for social media accounts and passwords are considered as fair game by the US state. Millions are daily subject to invasion of their basic human rights against unreasonable search at US border checks. There is a reason the InfoSec community and many corporate employee travel policies recommend visiting the US with empty burner devices — the risk of border espionage is clear and present.

Map of the 100-mile U.S. border zone where basic human rights protections are severely limited (Source: ACLU)

14. Breaking Cryptography

The US and other Five Eyes nations lead the world in trying to make sure ordinary citizens and employees do not have access to secure encryption technologies. The cryptowars are a cat-and-mouse game that has now been running for at least 4 decades. Even last month (December 2018), Australia passed the latest in a long line of hubristic human rights busting laws, claiming they have a right to force technology companies to add back-doors to encrypted communications services. When our own governments pass laws like this, can we doubt they use every capability and privileged position already at their disposal?

15. Security / Hacker Conventions

By far the biggest and most prestigious security and hacker conferences in the world are in the US, starting with DefCon and BlackHat. Not only does this give the US agencies strategic first (and sometimes exclusive) access to knowledge and skills, but it also gives them an opportunity to either disadvantage or waylay (even allied) foreign talent.

16. Election Interference

The cynics will be aware that Russia has been aggressively moving their borders nearer to US/NATO military bases for decades. Now the Russian government has used a US-controlled mass surveillance and manipulation tool, and the existing social discontents over our real long-standing internal injustice and corruption, to amplify the excuses used by a few tens of millions of people in two Five Eyes countries to justify voting for unconscionable barbarity (barbarity that they were likely voting for anyway).

Map / list of countries in whose elections the U.S. has interfered between 1946 and 2000 (Source: Vocativ, Kaitlyn Kelly)

Meanwhile, the US government has interfered in 81 elections between 1946 and 2000, using anything from propaganda, misinformation, bribery, ballot stuffing, and covert military support to assassination and direct military action. This list of course includes Russia and some of their strategic neighbors (their equivalent of Canada or Mexico). The research list stops in 2000, but the behavior continues. The scale and scope of interference are simply not remotely equivalent.

17. Surveillance of Allies

We know from the Snowden papers that even allies are not sacred to the Five Eyes. The U.K. government hacked a NATO/EU ally’s telecom network — Belgium’s Belgacom; the U.S. government spied on a NATO/EU ally’s phone — Germany’s Merkel. They have the capabilities, and they use them freely, without scruple.

18. Cyber-Weapons of Mass Destruction

Two of the most damaging and expensive cyber-attacks in history happened in 2017. Neither would have been possible without the help of the NSA’s hackers — both WannaCry and EternalPetya were powered by the NSA’s EternalBlue exploits. This is not new. More than a decade before, the US spies released the world’s first cyber-weapon of mass destruction, Stuxnet, into the wild, exploits from which were quickly used in the #1 cyber-crime tool attacking ordinary users worldwide. Similarly, Vault 7 revealed that the CIA is working to make everyone around the world less safe online by hiding security vulnerabilities, weaponizing exploits, and adding bugs into supply chains.

19. Wide-Area Surveillance

Wide-area surveillance is also a domain dominated by the US, via drone and Stingray(-like) technologies. Both were developed and tested by the US military abroad before being extended to mass surveillance on their own citizens.

Stingray-like deployment in action (Source: Stephen Lawson)

20. Propaganda & Influence

What about propaganda and influence operations? The British perfected many of the techniques during World War II and the US have been applying them ever since, backed by money, money, and more money. Successful Five Eyes propaganda channels include Hollywood, the BBC, Radio Free Europe, CIA paying journalists and creating activist front organizations, and more.

Of course, the fact that Hollywood and the BBC are successful propaganda organs does not mean that everything (or even the majority) of what they publish is lies and manipulation. That is not how propaganda works. Successful propaganda is compelling content that is close enough to the truth to be accepted, and passes the desired messages nonetheless. Part of the methodology is to build up trust with a mass of ‘clean’ content. Propaganda also does not require deliberate malice on the part of journalists, screenwriters, and directors — it is enough to sprinkle in here and there a few police and military consultants, an ex-CIA, FBI, or police manager as a regular ‘expert’ guest.

How is it that the absurd anti-historical fiction of America being the main heroes who won the war against Fascism came to be so widespread? How is it that we are focused on relatively minor Russian and Chinese cyber movements only a few years after the revelations from Snowden, ShadowBrokers, and Vault 7? American propaganda works.

Conclusions

The Five Eyes, and especially the United States, control all the possible high grounds of mass surveillance, and they have shown no compunction in using these high grounds, both against external rivals and against their own populations. Yes, sometimes the Russian state finds ways to use our festering internal injustices and prejudices against us, and sometimes the Chinese state finds ways to steal some of our companies’ commercial secrets…

But I think it would be incredibly naive to believe the Five Eyes don’t do both and more, just at a far greater scale, and from a position of overwhelming strategic advantage. Patriotic delusions of “we only do it for good moral reasons unlike those bad people over there” are just that, delusions.

When you have a problem of overwhelmingly anti-social behavior by the powerful, do you start with the small fry, or do you tackle the main problem, the root cause that gives moral cover to the others? Do you start with the mote in your neighbor’s eye, or the beam in your own?

Cartoon of “why beholdest thou the mote that is in thy brother’s eye, but considerest not the beam that is in thine own eye?” (Source: modified from AF Branco ?)

--

Fenneladon Privacyasaurus Aurorateratops

Global Partner Product Advocate at F-Secure | Cyber Security, Privacy, Surveillance, Software Speaker | English & Python Writer | he/him