In the digital age with California tech giants, nothing stays private. The 9/11 attacks on the US caused the Western allies to step out of bounds in the Face of Terror, a string of Patriot Acts [What’s In A Name?] made its way across Europe. What was illegal became legal. A new diary posted @EuroTrib:
○ Is a Russian Troll Farm Destroying US Democracy?
How UK Spies Hacked a European Ally and Got Away With It
The covert operation was the first known example of a European Union member state hacking the critical infrastructure of another. The malware infection triggered a massive cleanup operation within Belgacom, which has since renamed itself Proximus. The company – of which the Belgian government is the majority owner – was forced to replace thousands of its computers at a cost of several million Euros. Elio di Rupo, Belgium’s then-prime minister, was furious, calling the hack a “violation.” Meanwhile, one of the country’s top federal prosecutors opened a criminal investigation into the intrusion.
The criminal investigation has remained open for more than four years, but no details about its activities have been made public. Now, following interviews with five sources close to the case, The Intercept – in collaboration with Dutch newspaper de Volkskrant – has gained insight into the probe and uncovered new information about the scope of the hack.
More below the fold …
In June 2013, shortly before the discovery of the intrusion at Belgacom, journalists began publishing documents leaked by National Security Agency whistleblower Edward Snowden. The documents exposed controversial mass surveillance programs operated by the NSA and its British counterpart, GCHQ.
Some of the Belgacom investigators initially suspected that the NSA was involved in the hack, partly due to the complexity of the malware. It bore similarities to Stuxnet and Flame, U.S.-created digital viruses designed to sabotage and collect intelligence about Iran’s uranium enrichment program. “This was by far the most sophisticated malware I’ve ever seen,” recalled Frank Groenewegen, a researcher who analyzed Belgacom’s infected systems for the cybersecurity firm Fox-IT.
It was not until September 2013 that the Belgians would learn the truth: The Belgacom intrusion had in fact been carried out by another of their close allies, the British. Documents from Snowden, published that month by Der Spiegel, showed that a GCHQ unit called the Network Analysis Centre had hacked into the computers of three Belgacom engineers who had access to sensitive parts of the company’s systems.
When the details about the hack went public, Belgacom tried to play down the extent of the breach. The company circulated a press release insisting there was “no indication of any impact” for its customers and their data. But the reassurance turned out to be false. As The Intercept revealed in December 2014, the most sensitive parts of Belgacom’s networks were compromised in stages between January and December 2011.
The UK intelligence community before and after Snowden by Richard J. Aldrich
Executive Summary
Few areas of public policy are more important than electronic intelligence and cyber-security. The revelations made by Edward Snowden have shone a bright light on this subject. The National Security Agency (NSA) and its many partners have grown rapidly, sharing data in a response to globalisation as well as terrorism. In an uncertain world, increased knowledge is often seems a security panacea. Whether global challenges are defined in terms of international terrorism, organised crime, disease or indeed demographic and socio-economic change, a common response has been to turn to knowledge-intensive organisations to manage societal risk. Today, the data derived from social media, from our travel cards and our supermarket loyalty cards, is at the core of this activity.
Government no longer owns most of this data. The most important change during the last decade is that “surveillance” has merged with “shopping” and has ceased to be the preserve of specialist state agencies; instead it has escaped out into society. The big collectors of intelligence are now the banks, airlines, supermarkets, ISP providers and telecoms. Every organisation, both public and private now collects, stores and shares data on an unprecedented scale – often across state boundaries. Airlines are typical of this new phenomenon as both vast collectors and also ‘customers’ of refined data for both commercial and security purposes. Are the organisations the future security agencies?
What are the consequences? In the UK the outcomes of these trends are often portrayed as darkly dystopian. Yet human beings are now more connected. Potentially, the new era of “knowledge- intensive security” offers stronger partnerships and more open styles of governance that will diminish government secrecy and corporate confidentiality as well as privacy. But this will require higher levels of trust regarding the way corporations and government handle personal data, together with “flat” ownership. We will also need radical new approaches and new concepts if oversight is to be improved and public confidence is to be sustained. The policy task is urgent, for while information and communications technology is accelerating, cabinets and corporate boards are often baffled by this subject.
Parliaments, the judiciary, human rights organisations and the media have also struggled to comprehend its potential and its dangers. In short, while the consequences of electronic intelligence and cyber security are important, they are as yet poorly understood and poorly regulated. Just like intelligence itself, oversight and the protection of rights is an activity that is increasingly dispersed. The lead elements are no longer formal committees but global civil society, consisting of a broad alliance of whistle-blowers, journalists, academics, campaign groups, lawyers and NGOs. These fluid international alliances of counter-spies work unevenly, but have the advantage of mirroring the multinational alliances of the intelligence agencies. National governments are not comfortable with “regulation by revelation” and have worked hard to constrain whistleblowers.
Don’t threaten to cut intelligence ties in Brexit talks, UK warned | The Guardian – Feb. 2017 |
The British government’s desire to “take back control” would also be tested when it comes to data privacy. The UK would have to apply to the European commission for “adequacy status” to allow financial and personal data to move unimpeded across the continent. “We are not an island in the sense of data flows,” Moraes said. “The commission would have to examine our data protection law and if it doesn’t offer equivalent protection to the [EU] data protection regulation, then we have a problem.”
He pointed to the difficulties faced by the US, when its “safe harbour” pact on data protection with the EU was struck down by the ECJ, throwing Google, Facebook and thousands of other companies into legal limbo. The pact has since been replaced by the new “privacy shield” agreement, which puts stronger duties on American companies to protect EU consumers.
“[Safe harbour] collapsed because the US data protection standards were so much lower than the EU’s,” he said. “The UK will have to come up to quite high standards.”
Further reading …
○ Munich: Theresa May calls for UK-EU security agreement | DW |
○ EU approves data-sharing SWIFT agreement with US authorities (2009)