Size Doesn’t Matter for Spies Anymore

From the Brits to the Australians, everyone wants to say they were the ones to tip off the Americans about Russian hacking. Now, the Dutch say their hackers hacked the hackers of Russia’s Cozy Bear network. Such claims are impossible to corroborate, and it’s only fair that they be greeted, at least in part, with skepticism.

But this competition to claim credit does reveal a new reality in this era of cyberespionage: Size no longer matters in the intelligence world. If you’re smart and lucky, even a small country like the Netherlands can now make an outsized impact on a small budget.

Consider the article in a Dutch newspaper that describes how a team of that country’s cyberspies hacked into Cozy Bear’s systems back in 2014. This Russian team, also known as APT29, has been active since 2010 in breaking into networks across the West, from the Democratic National Committee to the Pentagon. From their headquarters in the small city of Zoetermeer in western Holland, however, the Dutch were able to watch its operations, even warning the National Security Agency when the Russians were trying to break into the State Department’s computers.

There are some grounds for caution. The Dutch apparently believe Russia’s Foreign Intelligence Service is behind Cozy Bear, whereas most others link it with the Federal Security Service. The claim that it was working out of a “university building next to the Red Square” — presumably the Moscow State University journalism department building at 9 Mokhovaya St. — is also surprising to say the least. As with so many such accounts, relying as they do on anonymous insider sources, it is always hard to distinguish between fact, spin, interpretation, and disinformation there to protect operational security or just make a political case.

But the very fact that it cannot be ruled out illustrates an important point about the way intelligence is becoming democratized in the modern age.

Human intelligence is not necessarily an expensive venture (traitors come surprisingly cheap, idealistic fellow travelers even more so) so even small agencies have always had successes. But a full-spectrum human intelligence operation requires a substantial infrastructure to recruit, train, monitor, and support your field officers, and often very lengthy lead times between first identifying a potential source and recruiting them.

World-class signals intelligence, meanwhile, has historically required massive arrays of reception stations, analysts trained in arcane disciplines, and all the number-crunching cryptanalysis computing power you can afford. As for satellite-based espionage, with even a last-generation KH-11 costing the U.S. National Reconnaissance Office upwards of $2.5 billion to build and launch, again this is largely a game fit for agencies with big budgets.

In the cyberespionage age, though, smaller intelligence services can make a huge difference, even without equally huge budgets. The Dutch Joint Sigint Cyber Unit has about 300 staff members, but fewer than 100 are in its digital intelligence team, and most of those are actually handling cyber defense. This is not a large outfit by any standards, and yet they apparently managed not just to break into Cozy Bear’s systems for over a year but also to hack the security camera at their front door, so they could take pictures of everyone working there or even visiting.

Although it is possible to sink huge budgets into cyberespionage, especially if one moves into the realms of mass data mining, the essence of hacking is simple: a few smart hackers, decent hardware, and access to the net. It requires no language training institutes, no months spent cultivating a potential source, no “legends” — carefully constructed fake identities — and no special communications means to get the information back home. Just as cybercriminals have come to appreciate the innate economy, security, and transnationalism of the internet, so have the cyberspooks.

Cyberespionage also is a safe, clean kind of spookery. It doesn’t involve putting your nationals into harm’s way, spiriting defectors through checkpoints in the trunks of cars, ghosting spy planes into defended airspace, blowing up Greenpeace ships, or any of the other kind of potential dangers that less adventurous governments might want to avoid, especially smaller ones more vulnerable to retaliation.

When small countries’ intelligence agencies have a better chance of making big discoveries, that gives them something more: leverage.

Within NATO and the European Union, everyone pays lavish lip service to intelligence sharing, but the unspoken truth of the matter is that this is a transactional process. Secrets are a commodity, and the more you can give, the more you get. The more reciprocal intelligence one can provide, the more political leverage one extracts in return — not least, in the form of warm, fuzzy gestures of public esteem of the sort treasured by any politician or service chief. Apparently the Dutch even got flowers and cake from the Americans.

This is, after all, one of the reasons why Britain spends so much on GCHQ, its NSA analogue. It gives London a serious card to play with Washington, with practical payoffs including funding support and technology. But GCHQ doesn’t come cheap. Although one could argue Britain’s greatest strength remains its HUMINT — Brits do seem to have a knack for making friends with foreigners and getting them to betray their countries — the lion’s share of the intelligence budget goes to “the Doughnut,” GCHQ’s hi-tech headquarters in Cheltenham.

Increasingly, though, things are changing.

The best example is Estonia. At the forefront of e-government and mindful of its own experiences facing a massive cyberattack in 2007, this small country has emerged as one such niche player. It may spend only 0.10 percent of its GDP on its intelligence and security services — slightly above Europe’s 0.07 percent average, but even that is based on a GDP similar to that of Vermont — but nonetheless has become known for its sharp, aggressive cyberspying. And that can be leveraged: Estonia punches well above its weight politically, but also in intelligence circles.

Likewise, the Dutch reportedly got not just kudos but also technology and intelligence from the Americans in return for what they had found. Apparently, this included findings from the NSA’s hack of the mobile devices of several high-ranking Russians, another potential gold mine of insider information.

So perhaps the real insight from this case is that in the cyberespionage age, even small players can make it big from time to time. (That’s why GCHQ is getting into the startup incubator business.) There are still going to be intelligence haves and have-nots, but it’s now easier for scrappy outsiders to hit pay dirt sometimes. Small countries that spot a niche in the intelligence market, or that have bright young things with exciting new ideas, take note.