"There is no place where espionage is not used. … Secret operations are essential." – Sun Tzu, "The Art of War."
Whether for Sun Tzu in ancient China or the Ultra code breakers in World War II, spying has always been a critical part of international affairs. The ongoing revelations of the activities of the National Security Agency are not likely to change that fundamental premise, but they raise critical questions as to what should be the rules going forward that govern cyberespionage.
If spying is so common, however, it is useful to identify just what is different about the revealed NSA activities? Certainly for people in the national security arena, there can be no great surprise as to NSA operations in general. Not only have many been personally involved, but the NSA's efforts have been substantially detailed in numerous books and articles.
Yet despite a good deal of knowledge, there is a difference. The NSA, and spying in general, has long been thought to be focused largely on countries and mostly on adversaries. While counterterror efforts understandably have gone beyond countries, it nonetheless has been a surprise to many that fighting al-Qaida required collecting large amounts of information concerning ordinary individuals in the United States and allied countries.
The second great difference is that private sector companies have become both witting and unwitting collaborators for governmental espionage. The fundamental rationale is that expressed by the bank robber Willie Sutton – go where the money, or in this case, the information is. The critical point is that the private sector's business models have been built not only on the rise of computer power and the extraordinary usability of information technology, but also on the willingness for individuals and companies to put a great deal of information online with very little protection. The implications could have been understood: The ability to tap fiber optic lines has been publically discussed for at least ten years; data breaches in the private sector have become entirely ordinary; and that the Internet was built without security is by now a cliché.
But if technology has made widespread collection possible, that does not answer the question of the limits that policy and law should establish. These are intricate issues involving the degrees of privacy individuals expect, the relationships of companies to government and the establishment of trust among governments and between governments and their citizens. It will take some time to sort out the answers. Here, however, are three propositions as reference points for the debate.
First, so-called "metadata," (the time, frequency and address) is not nearly as sensitive as the content of a communication. That is particularly true when the metadata is contained in a data bank without being further called for search. All users of the Internet are aware that the norms of privacy have changed – we regularly see pop-up advertisements generated because of prior searches and a younger generation is more used to sharing than restricting information. But it would be incorrect to think that metadata can never be intrusive; after all, that is why governments collect it. So the questions become: Can government be trusted to be nonabusive, and, given that there will always be mistakes, is the collection valuable? A somewhat tighter rein on collection and a much better explanation of the value would go a significant distance to legitimizing such efforts.
Second, the relationships between companies and governments need to be regularized and transparent. The Foreign Intelligence Surveillance Act (which governs the collection of foreign intelligence information in the United States) and comparable regulations in Europe and other allied nations needs updating. As this is done, it will be very important to keep in mind the values of free speech and privacy. Democracies can be more trusted by their citizens because there are limits; the nature of the limits needs to be at the heart of the ongoing debate.
Third, it is time to consider updating the status of certain close allies. The spying business is often a hall of mirrors, and trust is not necessarily a first principle. However, the United States has a close "Five Eyes" relationship with the United Kingdom, Canada, Australia and New Zealand. The question is whether this type of close set of agreements should be extended – as apparently ongoing discussions with Germany may be contemplating. That is not an easy matter to decide or implement. Among other issues, any significant changes would require changes in behavior from allies – for example, there are multiple media assertions regarding French industrial spying. Moreover, adding one ally will beget demands from another.
Twenty-five-hundred years ago, Sun Tzu asserted the importance for the "enlightened" ruler to utilize the "intelligent" approach to espionage. The context has changed but the fundamental question remains: What is the intelligent approach to spying in the 21st century?
Franklin D. Kramer is a distinguished fellow and member of the board of the Atlantic Council and a former assistant secretary of defense for international security affairs.