German BND Intelligence Cooperation with NSA has Actually Expanded.

apes.png

Late last month Der Spiegel reported that the Bundesnachrichtendienst (BND), Germany’s foreign intelligence agency, participated in and directly supported the National Security Agency’s efforts much more broadly than originally revealed by the Snowden documents. 

The Der Spiegel story revealed that nearly five percent of the searches conducted according to NSA requests were violations of German intelligence policies, which, among other things, prohibit spying on European targets. On a daily basis, the NSA requested that the BND run searches on specific selectors (like phone numbers, IP addresses, and email addresses) and share the information with the US agency. These revelations are important on at least two fronts. First, the sheer quantity of selectors that the NSA sent to the BND raises questions about the level of cooperation between German and American spy agencies. Second, the degree to which the NSA’s requests were driven by economic interests rather than terrorism concerns may undercut the agency’s claims that it doesn’t engage in forms of economic espionage.

Before delving into these developments, it is important to consider them in light of the background history of relations between the US intelligence community and the BND. A Just Security post by Prof. Jefferson Adams traced some of the rocky relationship over time and the different institutional cultures today surrounding state surveillance. He called for a high-level review of US policies toward Germany and other NATO countries. 

According to the news from a few days ago, the relationship may have also borne fruit in the form of the BND played a fundamental role in tracking down Osama bin Laden before his death. So what do the new revelations about NSA and BND cooperation tell us?

Between 2002 and 2013, the NSA sent the BND roughly 800,000 selectors to run searches against, which averages out to nearly 200 per day, according to Zeit Online. By 2008, analysts at the BND started to worry that some of the selectors were targeting German and European individuals and companies, but it wasn’t until the Snowden revelations that the German public was made aware of the NSA’s requests or that the fulfillment of those requests included a number of violations of the country’s intelligence policies. 

Indeed, according to Der Spiegel, neither the leadership of the BND nor the Chancellery, the body charged with monitoring the BND, were made aware of the violations before 2013. In October of that year, the BND estimated that it had run searches on approximately 2,000 selectors that were aimed at information about European (including even German) individuals and companies. However, Der Spiegel’s recent report indicates that the number of violations committed by the BND at the request of the NSA was 40,000, not 2,000. (These “violations” are distinct from the NSA’s violations of the countries’ intelligence agreement — which bars spying on each other’s citizens — by, for example, directly monitoring Angela Merkel’s phone.)

The NSA maintains that it has broad authority to collect information on non-US persons abroad, whether pursuant to Section 702 of the FISA Amendments Act or under other authorities like Executive Order 12,333. Why did the NSA need to ask the Germans to run the searches in the first place? Were there restrictions under American law that would prevent the NSA from conducting those queries on its own?

There are longstanding concerns that the United States and its allies rely on each other to gather and share information that they cannot obtain under their own domestic laws. Many countries place significant restrictions on spy agencies gathering intelligence information about their own citizens, but the rules for spying on allies’ citizens are often looser. Intelligence agreements like the one between the US and Germany dictate what sorts of information can be collected and shared. 

Experts have long worried that, for example, if a search can legally be conducted under German law by the BND (but not under American law by the NSA), the Germans will run the search and share the results with the US, thereby allowing the NSA to gain access to information it may not lawfully have been able to get on its own.

Until now, stories of such practices have largely been confined to the Five Eyes community and haven’t extended to the US’s broader intelligence coalitions (see here, here, and here for examples). Der Spiegel’s report may indicate that the practice is far more widespread than previously known considering the fact that Germany enters the NSA’s intelligence coalition at the Fourteen Eyes level. There may well be valid reasons for the NSA requesting the BND to run so many searches, but the fact that none are particularly evident is concerning in-and-of itself.

Reports indicate that various European politicians and EADS, the European defense company, now known as the Airbus Group, were among the NSA’s targets. So while the US may not be stealing trade secrets, some of the selectors, sent to the BND, were apparently, driven by economic interests rather than counterterrorism efforts. 

The drama over these surveillance activities and Germany’s complicity is just starting to heat up. Austria filed a legal complaint two weeks ago so it could begin its own investigation into the extent of Germany spying on Austrian targets on behalf of the NSA. And Airbus is preparing to file a criminal complaint over the disclosures. This is to say nothing of last week’s revelations that, in addition to assisting the NSA with searches of particular selectors, the BND also sends the NSA roughly 1.3 billion metadata records every month.

Clearly, German and US intelligence agencies are cooperating on a scale and in ways that we are just now finding out about. It’s worth noting that in the wake of all of these new public revelations, the BND has suspended the online surveillance activities it was conducting for the NSA and has otherwise reduced its cooperation while the investigations are pending. Needless to say, it will be worth watching this space and to see whether and how these types of events undermine US-German cooperation on actual counterterrorism efforts.
Just Security:  http://bit.ly/1PAF4fl

« Nine Strange Flying Robots from the 2015 Drone Show
Snowden Sees Victory – But it’s From a Distance »

Directory of Suppliers

Cyber Security Service Supplier Directory

Cyber Security Service Supplier Directory

Free Access: Cyber Security Service Supplier Directory listing 4,000+ specialist service providers.

#GDPR2 Conference

#GDPR2 Conference

#GDPR2 : Free Access. The Virtual European Data Protection Conference 28 May 2020. The Economic Forum for Best Practices in Data Protection in the Heart of Europe.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

IOActive

IOActive

IOActive serves as a trusted security advisor to the Global 500 and other progressive enterprises, helping to safeguard their most important assets and improve their overall security posture.

Cyber Security Centre - University of Hertfordshire

Cyber Security Centre - University of Hertfordshire

The Cyber Security Centre provides training, teaching and research in the fast paced topics of cyber security and digital forensics.

IDnomic

IDnomic

IDnomic is a leading European provider of Identity & Authentication services for managing the digital identities of people and the Internet of Things.

General Dynamics Information Technology

General Dynamics Information Technology

General Dynamics IT delivers cyber security services to defend critical information and infrastructure.

SlashNext

SlashNext

The SlashNext Internet Access Protection System (IAPS) provides Zero-Day protection against all internet access threats including Social Engineering & Phishing, Malware, Exploits and Callback Attacks.

Cyprus Cybercrime Center of Excellence (3CE)

Cyprus Cybercrime Center of Excellence (3CE)

3CE aspires to become an exemplary Centre of Excellence in the area of Cybercrime by conducting research in relevant fields, particularly forensics, information infrastructures and legal aspects.

Provise Consulting

Provise Consulting

ProVise is an independent, product agnostic, research-driven advisory firm specializing in GRC and Cyber Security professional services.

Trustonic

Trustonic

Trustonic is a leader in the device security market. Our mission is to protect apps, secure devices & enable trust.

Westminster Insight - Cyber Security Conference

Westminster Insight - Cyber Security Conference

Join colleagues this December for Westminster Insight’s Cyber Security Conference, as you’ll assess how new technologies such as AI can secure your organisation against future threats.