Schneier on Security
A blog covering security and security technology.
« US Government Monitoring Public Internet in Real Time |
| Arguing for NSA-Level Internet Surveillance »
October 28, 2013
Understanding the Threats in Cyberspace
The primary difficulty of cyber security isn't technology -- it's policy. The Internet mirrors real-world society, which makes security policy online as complicated as it is in the real world. Protecting critical infrastructure against cyber-attack is just one of cyberspace's many security challenges, so it's important to understand them all before any one of them can be solved.
The list of bad actors in cyberspace is long, and spans a wide range of motives and capabilities. At the extreme end there's cyberwar: destructive actions by governments during a war. When government policymakers like David Omand think of cyber-attacks, that's what comes to mind. Cyberwar is conducted by capable and well-funded groups and involves military operations against both military and civilian targets. Along much the same lines are non-nation state actors who conduct terrorist operations. Although less capable and well-funded, they are often talked about in the same breath as true cyberwar.
Much more common are the domestic and international criminals who run the gamut from lone individuals to organized crime. They can be very capable and well-funded and will continue to inflict significant economic damage.
Threats from peacetime governments have been seen increasingly in the news. The US worries about Chinese espionage against Western targets, and we're also seeing US surveillance of pretty much everyone in the world, including Americans inside the US. The National Security Agency (NSA) is probably the most capable and well-funded espionage organization in the world, and we're still learning about the full extent of its sometimes illegal operations.
Hacktivists are a different threat. Their actions range from Internet-age acts of civil disobedience to the inflicting of actual damage. This is hard to generalize about because the individuals and groups in this category vary so much in skill, funding and motivation. Hackers falling under the "anonymous" aegis -- it really isn't correct to call them a group -- come under this category, as does WikiLeaks. Most of these attackers are outside the organization, although whistleblowing -- the civil disobedience of the information age -- generally involves insiders like Edward Snowden.
This list of potential network attackers isn't exhaustive. Depending on who you are and what your organization does, you might be also concerned with espionage cyber-attacks by the media, rival corporations or even the corporations we entrust with our data.
The issue here, and why it affects policy, is that protecting against these various threats can lead to contradictory requirements. In the US, the NSA's post-9/11 mission to protect the country from terrorists has transformed it into a domestic surveillance organization. The NSA's need to protect its own information systems from outside attack opened it up to attacks from within. Do the corporate security products we buy to protect ourselves against cybercrime contain backdoors that allow for government spying? European countries may condemn the US for spying on its own citizens, but do they do the same thing?
All these questions are especially difficult because military and security organizations along with corporations tend to hype particular threats. For example, cyberwar and cyberterrorism are greatly overblown as threats -- because they result in massive government programs with huge budgets and power -- while cybercrime is largely downplayed.
We need greater transparency, oversight and accountability on both the government and corporate sides before we can move forward. With the secrecy that surrounds cyber-attack and cyberdefense it's hard to be optimistic.
This essay previously appeared in Europe's World.
Posted on October 28, 2013 at 6:39 AM
• 32 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Bruce, you have mention viewing Presidential Policy Directive (PPD) 20. Honestly, based on what you've read--does the government view the assets outside its purview as "important"? Collateral damage is inevitable, it can probably be assumed that it has already happened based on the same policy that the NSA believes it can act upon. The collection component mentioned in the PPD alone is sufficient to assume that all bets are off. This warfare policy goes beyond the subjugation of technology via vendors or manufactures. The sense that the government sees "NO BORDER" is concerning to the extreme.
I believe you have well understated the threat that exists--not intentionally--but wishfully.
True: "We need greater transparency, oversight and accountability on both the government and corporate sides..."
I don't think that's likely at all, however. And, the current power balance greatly favors governments and especially corporations.
Indeed some say we are headed for, or in the middle of, corporate totalitarian governance. For example, the defense lobby is behind a lot of the current surveillance scandal activities. Spying is profitable.
I would like to see technological innovation that leapfrogs corporate/government intrusion.
Other alternatives are gruesome.
"the NSA's post-9/11 mission to protect the country from terrorists has transformed it into a domestic surveillance organization"
The NSA was a domestic surveillance organization from the beginning, and should be seen in the context of global banking, the private Federal Reserve, and unavoidable corruption (due to fictional compound interest which produces unpayable debts). The real issue is that the new everlasting money requires total global surveillance to force its usage and to prevent barter.
I wouldn't count on *each* *government* *agency* to 'view the assets outside its purview as "important"'. There are two reasons for this: first, an agency that doesn't rigorously defend its "turf" is an agency that is replaced by one that does. Second, there is a certain aspect of "your job is to spend money on X, spending it on anything else is strictly forbidden" for government middle managers. The US government is huge, and these type of rules have grown in an attempt to keep in under control (i.e. this type of policy likely has nothing to do with an agencies indifference to US citizens, just that there is no budget or interest in gutting the entire workflow of the agency to protect something it isn't budgeted to protect).
What I don't understand is why we seem to be moving toward a few terms with over-broad meanings. As we've discussed previously "weapons of mass destruction" has gone from meaning Soviet H-bombs to include everything down to the scale of a guy with a couple of grenades.
Why is everything "cyber-something"? We have words that differentiate urban tagging from gang graffiti, and yet we lump some bored kid defacing the school website in with Anonymous as "hackers". We lump the Syrian Electronic Army in with the NSA as participants in the business of cyberwar. It's like using the same term for the Hell's Angels and the Marine Corps. When your town is "invaded" by these groups it's a very different experience.
Perhaps all the people that know what's going on are engineers that prefer C++ to English, but that's no excuse not to have a rich vocabulary and try to encourage the newsies and politicos to use the terms precisely.
You talk about being "well funded". I don't think cyber attacks cost too much. If we look at the attacks conducted by the NSA for example, released by Mr Snowden, they are not costly methods. The NSA prefer low-cost cyber attacks but conducted on a mass scale.
Not a threat in cyberspace, per se, but where is schneier.com on the Obama-didn't-know-!-NSA-was-intercepting-Merkel's-cellphone story?
You wonder if European countries are spying on their own as well as other European countries citizens.
The answer is both simple and complex.
The reality is that yes various European nations are happily spying on their and other nation citizens irrespective of what national and European laws say.
The complex part to sort out is "who knows"... Intel agencies of a government by and large don't trust either the elected or career members of their governments or for that matter the people that work in their own agencies (and some would say rightly so).
Thus as with New Zealand that found out the hard way that their signals directorate was actually taking orders from an American in an office adjacent to the supposed head of the directorate and not the NZ government or elected politicians it can be more than a bit emmbarising to find out exactly what is going on.
And thus most elected politicians are either "blisfully unaware" or have quite deliberatly chosen not to find out and distance themselves as much as possible from the intel agencies. Because they know that if they ask they are only going to get mislead or lied to and there is nothing they can do about it. Worse even though they have been lied to if they do talk to the agencies they will be hamstrung and more than likely will become "the sacrificial goat" should anything go wrong...
So the elected politicos with any sense chose "plausable deniability" and that's just the way the agencies want it to stay...
Why is everything "cyber-something"?
Because it sounds so much cooler. And it so much more amorphous than real-world situations.
Oh no! I was cyber-hacked and my cyber-identity was cyber-stolen. I must have been targeted by fearsome cyber-hackers from some cyber-state.
Oh no! Someone was digging through my mailbox or garbage can, looking for credit card applications or bank statements that I didn't shred/burn.
When your town is "invaded" by these groups it's a very different experience.
That's why I prefer to look to the real-world for a comparision of what could have happened. What's the worst thing that can happen when your credit card number is "cyber-hacked"? Your credit rating could be trashed. Possibly for years.
What's the worst thing that can happen in the real-world? You could be killed in a robbery by someone trying to get your credit card.
Perhaps all the people that know what's going on are engineers that prefer C++ to English, but that's no excuse not to have a rich vocabulary and try to encourage the newsies and politicos to use the terms precisely.
I'd suggest a different approach. Such as "fraud (wire fraud)". Or "vandalism (defacing a web site) (political)". The clarification/distinction comes AFTER the more general classification.
There's a difference between defacing an organization's web site and breaking a window at an organization's office.
And in reference to Bruce's "cyberwar", at what point are the Marines authorized to kill someone who is ONLY engaging in "cyberwar"? Big difference there.
“...We need greater transparency, oversight and accountability on both the government and corporate sides before we can move forward.” –Bruce S.
As Wikipedia notes, “After the U.S. Senate failed to pass the Cybersecurity Act of 2012 that August, Presidential Policy Directive 20 (PPD-20) was signed in secret. The Electronic Privacy Information Center (EPIC) filed a Freedom of Information Request to see it, but the NSA would not comply…”
This gross level of secrecy is not sustainable or tolerable in a Constitutional country such as the USA. The NSA and the Administration is basically running rough-shod over the Constitution in the name of “National Security.”
It’s to the point where every time some “official declines to comment due to National Security” they appear to trample the Fourth Amendment and look like lying power hungry thugs.
“Depending on who you are and what your organization does, you might be also concerned with espionage cyber-attacks by the media, rival corporations or even the corporations we entrust with our data.” –Bruce S.
I would add that it appears as the NSA/Google/Facebook/AT&T industrial complex seem to be conducting the “cyber-attacks” and we are the victims.
For example, Presidential Policy Directive 20 defines “Cyber Collection: Operations and related programs or activities by or on behalf of the United States Government… for the primary purpose of collecting intelligence – including information that can be used for future operations – computers, information or communications systems, or network without authorization from the own or operator of that computer, information system, or network or from a party to a communication or by exceeding authorized access. Cyber collection includes those activities essential … to enabling cyber collection, such as inhibiting detection…even if they cyber effects.”
This secret Presidential directive essentially seems advocates committing crimes under the guise of "National Security." It seems to go against US computer criminal laws such as Federal law 18 U.S.C., Fraud and Related Activity in Connection with Computers crimes and various State and International laws?
“In the US, the NSA's post-9/11 mission to protect the country from terrorists has transformed it into a domestic surveillance organization. The NSA's need to protect its own information systems from outside attack opened it up to attacks from within. Do the corporate security products we buy to protect ourselves against cybercrime contain backdoors that allow for government spying… military and security organizations along with corporations tend to hype particular threats. For example, cyberwar and cyberterrorism are greatly overblown as threats -- because they result in massive government programs with huge budgets and power…” -Bruce S.
This is crux of the problem. Due to secrecy and deception practiced by the NSA and the Administration most people would assume this is just a power grab by people in privileged positions. These privileged people appear to only care about enriching themselves at the expense of everyone else.
Worse, the damage to Americans and their one-time reputable companies could be enormous!
People are starting to look to non-US jurisdiction cloud companies for future security and peace of mind. This effect could cascade to the “Five-eye’s countries" and cause a huge shift of revenue out of US and "Five-eye’s countries" to other non-cooperative countries.
The bottom line is that almost anything made in US jurisdictions should not be trusted.
As a small example, I am now using browser plug-in that are made outside of US jurisdiction. And, I will soon move my email to a non-US company for security. I think that others will do the same.
Thus, for the good of the Nation, the NSA should be de-fanged as soon as possible (that would entail de-funding). And, I would also recommend all US companies be stripped of their “immunity from lawsuits" before this run-away military/industrial complex train crashes.
[Notable points of the Presidential Policy Directive 20]
"Loss of life, significant responsive actions against the United States, significant damage to property, serious adverse US foreign policy consequences, or serious economic impact on the United States."
To an extent, I agree with this. I would like to see all businesses required to file a report when they suffer a theft of information or an unauthorized penetration of their information systems. There are advantages and disadvantages to making those reports fully public, which I haven't thought through. But certainly aggregate metrics from the reports should be publicly available. And certainly any protected personal information that is stolen or exposed should require public notification.
As to cybercrime being downplayed, that's harder for me to judge. A few days ago there was a Financial Times article entitled "Cybercrime threatens financial system" or something along those lines. Products to protect individuals and firms from cybercrime are a multibillion dollar a year business. Perhaps they're being downplayed - but if so, how?
As to government transparency... certain reforms that have been proposed seem prudent. Adding a privacy advocate to the FISC is a good idea. Releasing more FISC opinions is a good idea.
No one has proposed this idea so far as I'm aware, but giving the FISC power and resources to independently investigate and verify what they are told by the NSA seems wise as well. While it's a bit unconventional for a US court, given the special nature of the FISC and the challenges presented to it, I think the addition of such powers and resources would strengthen the legitimacy of the FISC and improve their exercise of judicial review. Moreover, the relationship between this investigative function and the NSA need not be overly adversarial, so long as the NSA is intent on following the law (and, to my eyes, the evidence shows they are).
But I'd stop there. We don't need to know which foreign leaders the NSA can listen to, how the NSA captures certain communications data, the composition of the "black budget", or numerous other things that have been reported in the last four months.
" Do the corporate security products we buy to protect ourselves against cybercrime contain backdoors that allow for government spying?"
Yes, as has been demonstrated through multiple mechanisms that span the entire array of legality and lack thereof.
"European countries may condemn the US for spying on its own citizens, but do they do the same thing?"
Yes, because the same corruption that is in the US is in the EU as well, it is simply less obvious and largely hidden inside European exceptionalism (Germany is the perfect example of a country that should know better, but has allowed all the same things to crop up).
"The list of bad actors in cyberspace is long, and spans a wide range of motives and capabilities." "The Internet mirrors real-world society..."
Exactly. The real-world society of power is making a powergrab. I speculate it is that they have done analysis and realize they are now in direct competition with the internet itself, and that everything is simply the result of a goal to gain control of everything and everyone before the balance is upset. The same thing happened to every major communications platform in the past as well.
If security was our real goal, the NSA would be closing backdoors instead of inserting them.
The only real debate that isn't being had that I would really like to at least hear articulated is the last chance argument they are guaranteed to pull out eventually, which you have hinted at in the past. That given advances in technology, a single non-state actor could potentially destabilize the entire planet (eventually), and that this totalitarian surveillance system is the only way to prevent it.
That's my real problem, is that there is plenty of room for reasoned high-level debate on this, but instead the decision has already been made, and the public will be propagandized, entertained, and threatened into submission of the program.
I've said it before, and I'll say it again, the American government underwent a coup, and is no longer legitimate.
@ 65535: When you say "Due to secrecy and deception practiced by the NSA and the Administration most people would assume this is just a power grab by people in privileged positions. These privileged people appear to only care about enriching themselves at the expense of everyone else." I'm just not buying it.
We don't live in a society where there is no legitimate use of force. We authorize specific organizations to use force on our behalf. The Police get to use handcuffs, the Army (and Marines) get to use tanks, and the CIA and NSA get to use spys and the Internet respectively. (Actually the NSA gets to use all forms of communication signals, but let's just leave it at the Internet for the sake of discussion.)
The "privilege" of using handcuffs to restrain people does not lead the the police to enrich themselves at the expense of everyone else. Sure, there are a few cases of police corruption uncovered every year but the noise level is tolerable. Sometimes there are debates, the NYC stop-and-frisk policy is hotly debated from time to time, but I don't see folks going into police academies to get rich.
The "privilege" of using the products of the vast American arms industry to kill folks worldwide does not lead to the military leaders enriching themselves. From time to time there have been scandals, but it always seems to be the generals who buy things being scandalized, not the generals who are killing enemies.
Who at the NSA is getting rich? General Hayden was apparently on the Acela bullet-train recently, but if being head of NSA and CIA made you rich he'd have been in a private jet.
Sure, there are NSA contractors getting rich, mostly the same military contractors that were already getting rich from making conventional weapons. It just doesn't seem to fact-check that the government is enriching itself through the use of force by NSA on the Internet. (I consider the NSA use of the legal system and gag orders force, even though apparently weapons are not actually used.)
During a meeting of the congressional Internet caucus it was mentioned that the FiSC is not a court, it is a panel. I believe that observation to be accurate. The whole structure of the IC community needs to be transformed let alone reformed. I also advocate that contractors to DoD be 501.3c corporations. Why is profiting from War not considered a perverse incentive? Why is it rewarded, war is the failure of social political system(s). There also needs to be some soft of citizen data accord. Though it is clear to me by way of the fourth amendment that "secure in their persons, papers, and affects..." is a restriction on personally identifiable information. For what is a "person"?
@RSaunders "It just doesn't seem to fact-check that the government is enriching itself through the use of force by NSA on the Internet."
The USA is spying on Brazil's oil industry because
1: It intends to invade Brazil and needs to know where it can refuel its tanks
2: It fears a Brazilian invasion and needs to know how much fuel the Brazilian tank armies have
3: US companies are competing for contracts in Brazil and the US want's to give it's supporters a helping hand
European countries may condemn the US for spying on its own citizens, but do they do the same thing?
Of course they do. Former colonial powers like France and Britain have a long history both in domestic and global spying and @ Clive has pointed out on numerous occasions on this blog how the Brits not only have taught the US the tricks of the trade but to date are still closely working together.
I think it's reasonable to assume that in the wake of 9/11 quite some other European countries have significantly expanded their cooperation with the US IC under all sorts of secret agreements most of their top politicians were only too well aware of, then turning their backs and leaving it up to those in charge of their own intelligence communities to take care of the follow-up. Back then it must have been a deal too good to refuse because what is not to like about being able to piggyback off the formidable resources of the US IC in return for turning a blind eye to some more unsavoury practices they were indulging in. In addition, it was a practical way to work around budget restrictions and legal frame works imposed by European and national privacy laws.
And that's kinda blowing up in their faces now. Although much of the current indignation by certain high-profile European leaders is theatre only, some recent revelations have undoubtedly been a wake-up call that the US has not been playing very nice with them. It's like putting up a friend at your house and then finding out after a while that he's not just doing the handy work you brought him in for but that he is also running your financials and shagging your wife.
It's not in their best interest to tackle the issue head-on as it would only reveal their own complicity in allowing it to happen in the first place without putting any meaningful oversight in place. In the specific case of Germany, Article 10 of the German Constitution enshrines the right of citizens to privacy – no surveillance of an individual is possible without court approval - which is obviously completely violated by allowing any US TLA to spy on German citizens or the Bundesnachrichtungdienst (BND) sharing data with the NSA. Now suppose you were a politician, and suppose you were a hypocrite; but I repeat myself ...
4: All of the above
It just doesn't seem to fact-check that the government is enriching itself through the use of force by NSA on the Internet.
It is however a fact that quite some folks in Congress are receiving very generous donations from the military-industrial complex and that there sure are a lot of elected officials and civil servants going back and forth through the revolving door between the public and private sector. Check up on the backgrounds of one Michael Haydn and one Michael Chertoff, to name just a few.
It's like using the same term for the Hell's Angels and the Marine Corps. When your town is invaded by these groups it's a very different experience.
You do know that colors and shape of the HA's early-style jacket emblem were copied from the insignias of the 85th Fighter Squadron and the 552nd Medium Bomber Squadron ?
We don't need to know which foreign leaders the NSA can listen to, how the NSA captures certain communications data,
As a European citizen, I would very much like to know how a so-called ally is violating my constitutional rights, by which means and in which other ways they are subverting our democratic institutions and spying on our leaders and businesses. But - facepalm - I forgot again: you are the good guys and you are only doing it to protect us both from terrorists. So it's better we don't know the details as that would play right into the terrorists' hands.
Moreover, the relationship between this investigative function and the NSA need not be overly adversarial
Dianne "It's called protecting America" Feinstein totally agrees with you. I'd say that it's pretty mind-numbing that the chairpersons of the Select Committee on Intelligence in both House and Senate, meant to oversee the NSA's activities, are also among their biggest supporters. How can that possibly go wrong ?
Dear Bruce and Internet brethren (presumably we're part of secret cult of the Internet Keepers)
About cyber threats and government. It is a perspective thing. The government sees itself as the center of the galaxy which is why there is talk of policy and law when it interacts with net stuff. This might seem natural but one could equally put the internet at the center of the society and analyze politics in terms of i/o and protocols. I feel that something Copernican is going on.
To a whole generation the net is a place to which things like politics and economics are the externalities, not the other way around. Schneier says the web is a mirror of the real world, and although that is often true it is most interesting when that model isn't accurate. There are a lot of things which are unique to the Net which have no real world analog. As an example surveillance is the No.1 political issue online right now and has been for many months now. The offline media kicked it into the tall grass long ago.
I am pleased that you mention that governments are a threat to our great series of tubes. Often it is left out of the discussion completely. Which is perverse.
I don't believe it is anywhere near emphasized enough. They are not A threat. They are The threat.
I am aware you scoff at libertarianism but it seems pretty clear that reality shows nine tenths of cyber threats to communication and commerce on the net come from governments.
It would seem some of the other 10% from spam, crackers and other bad actors can also be partly attributed to government policy such as the consequences of the NSA cryptography weakening attacks, attempts to inhibit secure practices and tools. Non-state actors that want to manipulate the Net often cannot do so without government interventions.
Most 'cyber-threats' can be summated by this :
"The whole aim of practical politics is to keep the populace alarmed (and hence clamorous to be led to safety) by menacing it with an endless series of hobgoblins, all of them imaginary.
H. L. Mencken"
I am not anti-government but this really seems self evident. I don't go so far as Mencken but indeed most of them are imaginary.
I have an idea. Let's just stop being stupid. Most of us are fairly smart people. If others wish to be stupid, let them, but don't let it determine our own behavior. Why let the hobgoblins like Feinstein and Cruz/Obama control our politics and economics?
Relatedly here is a video doing the rounds in Silicon Valley that is causing consternation at the New York Times. I would be interested in your take on it. The bumper sticker is : Is the USA the new Microsoft?
--Look who showed up again ^^^ No response to Jose people, he will be gone shortly; as ordered by the Mod.
Jose's a troll?
btw what happened with your break-in situation? Did you discover whether it was somebody at your place or an outsider? saw lots of good persec advice in that last thread
I'm done with the debating. These guys have betrayed the country so profoundly they have no right to exist. Get rid of them, get rid of them yesterday. No job, no clearance, and no money. Any value that the NSA had has been crushed by the black hole which is this vast criminal act.
I think so UN should come up with real policies, rules and regulations and must punish the governments involved in Cyber crime and especially targeting civilian members in home or outside....
Just as an aside, I work in the "security business" and I'm pretty sure I saw/heard "evidence" (or at least a hint) that the German government has the full infrastructure to do ISP and Telco level interception of any traffic it wishes. I was told this is in place for "lawful interception" (i.e. when a warrant is issued). However, the person I spoke to about this said the system was "always collecting" and, furthermore, any business with a legitimate need can buy into this system and collect the same information about traffic in and out of its own IP space. And it's not only available in Germany...
--He was. I have suspects, they should re-search my grannies place though, there may be a bear trap waiting for them or some copper head snakes. Oh and they're trying to bait me or they are even more incompetent than I thought. Anyway I still sleep peacefully and I thank them for making the room nice and cozy for me.
Correction, that wasn't a threat. adviceanimal, I'll get too mad so sorry no talky.
It's impossible for the NSA to violate your constitutional rights. Your constitutional rights are derived from your government's constitution as a restraint upon that government and hence it is impossible for any other government to violate them.
It's impossible for the NSA to violate your constitutional rights.
I believe you know very well what I mean, but thanks for the enlightening heads-up on the official party line and the reminder of the most cunning way it has with words.
As a European citizen, I would very much like to know how a so-called ally is violating my constitutional rights, by which means and in which other ways they are subverting our democratic institutions and spying on our leaders and businesses.
Spying on foreign governments doesn't constitute subverting them. Were a foreign government able to eavesdrop on a conversation had by the American President, there are very, very few, perhaps none, who would refrain.
Now, if you're referring to allegations that the US engaged in mass surveillance of European citizens, those look like they may be false.
Nobody Special -
The USA is spying on Brazil's oil industry because 1: It intends to invade Brazil and needs to know where it can refuel its tanks 2: It fears a Brazilian invasion and needs to know how much fuel the Brazilian tank armies have 3: US companies are competing for contracts in Brazil and the US want's to give it's supporters a helping hand
None of the above. Petrobras is a major state enterprise in Brazil, and an important part of Brazilian politics. Understanding Brazil's geopolitical position and domestic politics is aided by information on the fortunes and outlook of Brazil's state-owned oil company.
As to US companies bidding on contracts, Petrobras recently held its long-awaited auction for rights to the pre-sal Libra oilfields.
Number of bidders? 1.
Number of US bidders? 0.
All the information I have continues to support the conclusion that the US government does not engage in espionage for the purpose of giving US companies intellectual property or confidential information.
There's a lot for which to criticize the US intelligence agencies, but commercial espionage isn't one of them.
Spying on foreign governments doesn't constitute subverting them.
I strongly disagree. Any information obtained through spying that can be put to use to affect a decision process or otherwise influence the way things play out in my book constitutes subversion. And that's what spying is done for in the first place. It's not any different than insider trading. And which is a criminal offense.
Now, if you're referring to allegations that the US engaged in mass surveillance of European citizens, those look like they may be false.
I have noted Gen. Alexander's statement on the matter that in fact this was carried out "under NATO programs" and "with the help of European governments". Now would you please be so kind to explain to me why Germany, France and Spain would call POTUS and summon the American ambassadors in their countries over the matter unless these governments and their leaders are either hypocrites or absolutely clueless about what activities NATO is involved in on European territory ?
Now let's assume for a minute that neither Gen. Alexander or the leaders of above countries are lying (quite a quantum leap in faith, I know). That would actually open up the very interesting possibility that the US and the UK through a joint NSA/GCHQ effort are conducting operations under NATO flag only very few others in the alliance are aware of. We've seen a similar collaboration in the Belgacom case.
It would also explain why both Gen. Alexander and Daffyd Cameron in recent days almost in choir lashed out at the press that these revelations must stop. If my theory is correct, a smoking gun report of covert US-UK operations against other European countries would seriously weaken Britain's position in the EU, the US's grip on EU policy making by proxy and as a consequence its intelligence gathering and other interests on the European mainland.
Neither party has anything to gain from such a scenario (except for the likes of Nigel Farage and his UKIP, perhaps), and the prospect of the UK and its PM becoming a paria in Europe is probably not something Cameron has high on his priority list, especially because Obama in the past has made it very clear that he doesn't want the UK out of Europe.
Any information obtained through spying that can be put to use to affect a decision process or otherwise influence the way things play out in my book constitutes subversion. And that's what spying is done for in the first place. It's not any different than insider trading. And which is a criminal offense.
The goal of spying in terms of collection is of course simply the acquisition of information. Just as the mere acquisition of insider information doesn't constitute insider trading (you must actually use that information to make a trade), so too does the mere acquisition of intelligence via espionage NOT constitute subversion. Indeed, if mere acquisition of insider or confidential information were sufficient to call an act subversion, then much of journalism, including recent articles about the NSA, would qualify.
And there are many uses to which collected intelligence can be put OTHER than subversion. If one is aware, for example, that Nation A will not allow troops to be staged there for an invasion of Nation I, then one may make alternative plans. This doesn't subvert the decision-making process of Nation A.
Now would you please be so kind to explain to me why Germany, France and Spain would call POTUS and summon the American ambassadors in their countries over the matter unless these governments and their leaders are either hypocrites or absolutely clueless about what activities NATO is involved in on European territory ?
Because German, French, and Spanish politicians are, in fact, politicians, who must from time to time play their parts for the voting public. Alternatively, the media reports were simply so off that government officials actually could deny knowledge of the operations reported, since the operations were reported completely inaccurately.
In reality, I think it's likely a combination of the two. Government officials know perfectly well what the media reports were getting at, but the inaccuracies of the reports allowed them to claim truthfully that they had no knowledge of the operations as reported. The voters are shown the proper sentiments, and if/when the reports are shown false, the officials have a plausible story for their claimed ignorance: "oh, you were talking about THOSE programs. One would never know that from your reporting, which claimed...."
As it turns out, by the way, based now on reports not just from the NSA, but also Spanish and French intelligence sources, the items of data noted in the slides examined by the four European papers were actually signals intelligence originating in areas such as Afghanistan and other conflict zones. The flow of communications from those areas, reportedly, placed certain European countries in a good position to intercept. See the Financial Times article France says NSA spying denial 'implausible' (the article itself shows differently).
I do not understand why one person would be put under surveillance when they have nothing to do with any sort of terrorist activity or massive illegal crime?
This sort of situation has happened to me and I can not get any sort of direct solution to the problem. Being tracked, tapped, hacked and followed is some sort of cruel and unusual punishment. It goes against the basic civil rights and constitution in the United States. So, where can I find help to solve this stupid problem of mine?
If I were another country with the manpower, technology, and funds. I'd take out out everyone at the heads of these organizations. Spying on orher peoples lives and plans brings more corruption to a corrupt world.
I imagine it just angers everyone beyond comprehension.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.