Britain's signals intelligence spy chief raised eyebrows this week with warnings that Russia is coordinating both cyberattacks and physical acts of sabotage against the West. There's evidence to back her claims—and the West may be returning the favor. Coming soon after FBI Director Christopher Wray warned that China is targeting American infrastructure, it looks like the world is not only fracturing once again, but that the hostile blocs are engaged in covert warfare.

Rumors of War

"We are increasingly concerned about growing links between the Russian intelligence services and proxy groups to conduct cyberattacks as well as suspected physical surveillance and sabotage operations," Government Communications Headquarters (GCHQ) Director Anne Keast-Butler told an audience at the United Kingdom government-sponsored CyberUK 2024 conference. "Before, Russia simply created the right environments for these groups to operate, but now they are nurturing and inspiring these non-state cyber actors in some cases seemingly coordinating physical attacks against the West."

Keast-Butler, whose agency is comparable to the U.S. National Security Agency (NSA), also called out China, Iran, and North Korea as cybersecurity dangers. But naming Russian officials as being behind "physical attacks" raises the stakes. Sadly, her claims are well-founded.

Sabotage, Espionage, and Other Mischief

"A 20-year-old British man has been charged with masterminding an arson plot against a Ukrainian-linked target in London for the benefit of the Russian state," CBS News reported last month. That wasn't an isolated incident.

"In April alone a clutch of alleged pro-Russian saboteurs were detained across the continent," The Economist noted May 12 in describing what it called a "shadow war" between East and West. "Germany arrested two German-Russian dual nationals on suspicion of plotting attacks on American military facilities and other targets on behalf of the GRU, Russia's military intelligence agency. Poland arrested a man who was preparing to pass the GRU information on Rzeszow airport, the most important hub for military aid to Ukraine. Britain charged several men over an earlier arson attack in March on a Ukrainian-owned logistics firm in London whose Spanish depot was also targeted."

The GCHQ chief's warnings coupled with reality on the ground are alarming in themselves. Worse, they come after FBI Director Christopher Wray issued similar cautions in April about China.

"The PRC [People's Republic of China] has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage, and that its plan is to land low blows against civilian infrastructure to try to induce panic and break America's will to resist," Wray told the Vanderbilt Summit on Modern Conflict and Emerging Threats in Nashville, Tennessee.

Wray clarified that, by "infrastructure," he meant "everything from water treatment facilities and energy grids to transportation and information technology."

If that doesn't make you want to check that your pantry is stocked and that the water filter and generator are in working order, nothing will.

A Game Both Sides Can Play

Of course, in war of any sort, the implication is that both sides are involved in conflict. Western intelligence officials are loud in their warnings about foreign threats, but less open regarding just what their own operatives might be doing in Russia, China, and elsewhere. Still, there's evidence that this is hardly a one-sided war, shadowy though it may be.

In June 2022, The New York Times reported that Ukraine's defensive efforts relied heavily on "a stealthy network of commandos and spies rushing to provide weapons, intelligence and training." In addition to Americans, the story noted, "commandos from other NATO countries, including Britain, France, Canada and Lithuania, also have been working inside Ukraine."

American journalist and combat veteran Jack Murphy goes further, claiming the CIA, working through an allied spy service "is responsible for many of the unexplained explosions and other mishaps that have befallen the Russian military industrial complex." The targets include "railway bridges, fuel depots and power plants," he adds.

And if you wonder who blew up Nord Stream 1 and 2, well, so do a lot of people. Russia was initially accused, but it didn't make a lot of sense for the country's forces to destroy pipelines that generated revenue and fed western dependence on Russian natural gas. Since then, Denmark and Sweden have closed inconclusive investigations, journalist Seymour Hersh blamed American officials, and a report by Der Spiegel and The Washington Post placed responsibility on a rogue Ukrainian military officer.

The Wider War Is Here

Taken all together, the warnings from Keast-Butler and Wray, as well as acts of sabotage and arrests of foreign agents suggest that fears of a wider war resulting from Russia's continuing invasion of Ukraine may miss the point; the war could already be here. People looking for tanks and troops are overlooking cyber intrusions, arson, bombings, and other low-level mayhem.

"Russia is definitely at war with the West," Oleksandr Danylyuk of the Royal United Services Institute, a British defense and security think tank, told NBC News earlier this week.

Russian officials seem to embrace that understanding, with Kremlin spokesman Dmitry Peskov commenting in March that the invasion of Ukraine, originally referred to by the euphemism "special military operation," is now more serious. "It has become a war for us as the collective West more and more directly increases its level of involvement in the conflict," he said.

Fortunately, a shadow war of the sort around us is less destructive than open military conflict, especially when the hostilities involve nuclear-armed powers. It's far better that spies hack the email accounts of government officials, as happened in the case of a Russian cyberattack on Germany's ruling Social Democrats, than that cities burn. But civilians still must live with the consequences of combatants attempting to do each other harm—particularly when the harm is to infrastructure on which regular people rely.

So, welcome to the world of global shadow war. Try to not become collateral damage.

For years, the U.S. government has bought information on private citizens from commercial data brokers. Now, for the first time ever, American spymasters are admitting that this data is sensitive—but they're leaving it up to the spy agencies on how to use it.

Last week, Director of National Intelligence (DNI) Avril Haines released a "Policy Framework for Commercially Available Information." Her office oversees 18 agencies in the "intelligence community," including the CIA, the FBI, the National Security Agency (NSA), and all military intelligence branches.

In the 2018 case Carpenter v. United States, the Supreme Court ruled that police need a warrant to obtain mobile phone location data from phone companies. (During the case, the Reason Foundation filed an amicus brief against warrantless snooping.) As a workaround, the feds instead started buying data from third-party brokers.

Haines' new framework claims that "additional clarity" on the government's policies will help protect Americans' privacy. Yet the document is vague about the specific limits. It orders the agencies themselves to come up with "safeguards that are tailored to the sensitivity of the information" and write an annual report on how they use this data.

As national security journalist Spencer Ackerman points out in his Forever Wars newsletter, the framework doesn't require the feds to delete old purchased data. Earlier this year, Sen. Ron Wyden (D–Ore.) called on the NSA to purge all data that it bought without a warrant and without following the Federal Trade Commission's privacy policies.

"The framework's absence of clear rules about what commercially available information can and cannot be purchased by the intelligence community reinforces the need for Congress to pass legislation protecting the rights of Americans," Wyden tells Reason. "The DNI's framework is nonetheless an important step forward in starting to bring the intelligence community under a set of principles and policies, and in documenting all the various programs so that they can be overseen."

The senator says he will keep working to ensure "that Congress is fully informed of all these programs." He and Rand Paul (R–Ky.) have been trying to pass the Fourth Amendment Is Not For Sale Act, which would ban buying data from third-party brokers. Although the bill passed the House of Representatives last month, the Biden administration opposes it.

Wyden has been aggressively pushing for transparency on data purchases over the past few years. In 2021, he uncovered that the Defense Intelligence Agency was buying Americans' smartphone location data. That same year, he sent a letter to Haines and CIA Director Bill Burns complaining about a secretive CIA data collection program. (In an Orwellian turn, the letter itself was classified until 2022.) This year, Wyden revealed more details on NSA data purchases.

Some of this data is collected and sold directly by the apps. For example, an intelligence company called X-Mode once paid MuslimPro, an app that offers a daily prayer calendar and a compass pointing towards Mecca, to include a few lines of location tracking code. X-Mode then sold the data to U.S. government agencies. MuslimPro claims that it did not intend to sell the data to the government and ended the arrangement after the story broke.

In other cases, the data is siphoned from advertising markets. Every time a user opens a website with paid advertisements, their location and attributes appear on a real-time bidding (RTB) exchange, a virtual auction where companies buy ad space. Data brokers posing as advertisers scrape the listings for information on users.

"Any government with a halfway decent cyber intelligence program is participating in these RTB exchanges, because it's such an immensely valuable source of data," says Byron Tau, author of Means of Control: How the Hidden Alliance of Tech and Government Is Creating a New American Surveillance State.

As a demonstration of how powerful RTB data is, an intelligence contractor used data from the dating app Grindr to track gay government employees from their offices to their homes, Tau reported in his book. Another firm called Near Intelligence used RTB data to help anti-abortion groups track women who visited Planned Parenthood clinics.

Earlier this year, WIRED revealed that Near Intelligence had used RTB data to build a dossier on sex trafficker Jeffrey Epstein's associates, tracing mobile phone owners from his private island to addresses in the continental United States and other countries.

The new U.S. intelligence policy is "sort of a recognition that this data is actually sensitive, which is a bit of a change," Tau notes. "Early on, government lawyers were saying basically it's anonymized, so no privacy problem here."

For example, U.S. Customs and Border Protection insisted in a 2018 privacy assessment that the agency "receives only anonymized data from commercial sources…with no associated PII," or personally identifiable information. But the border cops have used that supposedly anonymous data to track and arrest specific people.

Lawyers for the Internal Revenue Service, on the other hand, have argued that users voluntarily handed over the information, so the government is free to use it. Tau points out that users don't really know how their data is being resold, and even the RTB exchanges themselves aren't supposed to be used for data scraping.

"A lot of these companies that are collecting data from the global population don't have a real consumer relationship" with the people they're spying on, Tau says. "Unless you know how to decompile software and you're technically savvy, you can't even make informed choices."