#2382: How Five Eyes Intel Sharing Really Works

Behind the headlines of global cyber takedowns—how Five Eyes allies share signals intelligence in practice, from WWII roots to modern ops.

Episode Details
Episode ID: MWP-2540
Duration: 21:12
Pipeline: V5
TTS Engine: chatterbox-regular
Script Writing Agent: DeepSeek v3.2

AI-Generated Content: This podcast is created using AI personas. Please verify any important information independently.

The Five Eyes Alliance: How Intel Sharing Actually Works

The Five Eyes intelligence alliance—comprising the U.S., UK, Canada, Australia, and New Zealand—is often cited in headlines about global cyber operations, like the recent "Sandworm 2" ransomware takedown. But how does this collaboration function in practice? Far from a monolithic bloc, it’s a tightly governed system built on decades of trust, with distinct rules separating it from looser partnerships like the 14 Eyes.

Origins in WWII Codebreaking

The Five Eyes traces its roots to the UKUSA Agreement of 1946, forged from WWII-era cooperation in cracking Axis ciphers like Germany’s Enigma and Japan’s Purple. This wasn’t just intelligence sharing; it was the exchange of existential secrets that shaped the war’s outcome. That legacy created a unique bond: a formal pact not to spy on one another, a rule that doesn’t extend to allies outside the core five.

The Mechanics of Modern Sharing

Contrary to popular imagination, Five Eyes intel isn’t dumped into a shared database. Instead, it’s exchanged through compartmentalized channels, with strict "originator control" rules. For example, the NSA and GCHQ might divide surveillance of global internet hubs, then share analyzed data via systems like XKEYSCORE—but with caveats like "NOFORN" (no foreign nationals) restricting further dissemination. Joint operations, like tracking Russian hacker group APT29, involve tasking each member with specific roles (e.g., Australia monitoring Asia-Pacific servers, Canada cultivating human sources).

The Grey Zones

While the Five Eyes pact bans espionage against each other, surveillance isn’t black-and-white. Bulk data collection might incidentally sweep up a partner’s communications, and "Third Party Rules" prevent members from resharing intel without the originator’s approval. Oversight remains national, not supranational—relying on mutual vulnerability as a check.

This system’s precision explains why Five Eyes operations, like the Sandworm takedown, can execute simultaneous strikes across borders. Understanding its structure demystifies both its strengths and its limits in an era of global cyber threats.

#2382: How Five Eyes Intel Sharing Really Works

Corn
The joint ransomware takedown earlier this month? The one they're calling Sandworm 2.
Herman
The Justice Department and Five Eyes partners announcing that coordinated action. They seized infrastructure across four countries. But you know, when I saw that press release, the part that jumped out at me wasn't just the list of countries—it was the specific language about "shared intelligence leading to simultaneous action." That's the tell. That's the hallmark of a Five Eyes operation, not just a bunch of countries deciding to hit the same target on the same day.
Corn
The headlines all pointed to the international collaboration. But it made me wonder what that collaboration actually looks like behind the scenes. How does that kind of intel sharing really work? What's the architecture? Is it a weekly video call where they compare notes, or something much more deeply woven into their daily operations?
Herman
The mechanics are almost always the most interesting part. And it turns out Daniel's thinking along the same lines. His text was practically vibrating with operational curiosity.
Corn
He sent us a text prompt to discuss the two major signals intelligence sharing frameworks: the Five Eyes and the 14 Eyes. The Five Eyes being the core group — the UK, U.S., Canada, Australia, and New Zealand. His questions are all about the practical reality. What does this network look like on the ground? How do mutual spying and cooperation coexist, say between the U.Is it a broad, informal information-sharing club, or a structured, compartmentalized system? And what's the human element in coordinating all this?
Herman
Those are the perfect questions. Because most people just see the acronym and assume it's a monolithic bloc. The reality is a lot more nuanced, and frankly, more interesting. It's a living system built on decades of trust, but also with very specific rules and limitations. It's less of a "club" and more of a federation with a single, extremely well-guarded currency: validated signals intelligence.
Corn
By the way, today's script is being powered by deepseek-v3.
Herman
The friendly AI down the road. Always a solid contributor. It's funny, even in our little production chain here, we have a kind of data-sharing and processing pipeline. It's a tiny, benign mirror of the vast systems we're about to discuss.
Corn
This topic feels particularly relevant now. Beyond that ransomware takedown, you've got the constant discussion of global cyber threats, the geopolitical friction with China and Russia, and even debates about data privacy and sovereignty. Understanding how these intelligence alliances actually function is key to parsing a lot of the news. When a government says, "We acted based on intelligence from our allies," what does that actually mean for how the operation was planned?
Herman
It absolutely is. And it cuts through a lot of the conspiracy-level noise. These frameworks aren't shadowy cabals; they're formal, though secretive, instruments of statecraft. Their effectiveness, and their stresses, tell us a huge amount about the current world order—which brings us to their origins. To understand the mechanics, you have to start with the history. You have to see why this specific group has a cohesion others can't just replicate with a treaty.
Herman
The Five Eyes alliance wasn't born in a conference room with a handshake. It came out of the intelligence partnership between the U.S. and the U.K. during World War Two. It was formally established in 1946 under the UKUSA Agreement. But the key context is what they were sharing at the start: breakthroughs in cracking Axis codes, like the work on the German Enigma and Lorenz ciphers at Bletchley Park, and the Japanese Purple cipher by the U.S.
Corn
It's not just some modern diplomatic construct. It's an institution forged in a shared existential fight, with roots going back eight decades. They weren't just sharing information; they were sharing existential secrets that literally turned the tide of the war. That's a different order of trust right from day one.
Herman
And that long history of cooperation is what distinguishes it from every other intelligence-sharing network. The trust is generational. The operational standards and security protocols are deeply integrated. Other groups, like the Nine Eyes or the Fourteen Eyes, are looser extensions. It's the difference between a marriage and a business partnership. Both are important, but the depth of shared assets and risk is fundamentally different.
Corn
Right, the Fourteen Eyes. That's the broader framework that adds in countries like Denmark, France, Norway, and the Netherlands. But how did that broader circle come about? Was it a formal expansion, or did it just evolve?
Herman
It evolved mostly in the Cold War context. As the Soviet threat became the organizing principle, other NATO allies with sophisticated signals intelligence capabilities, like Norway listening to Soviet naval traffic in the North Atlantic, proved to be valuable partners. The "Fourteen Eyes" term is actually a bit of an outsider's label; it refers to the members of the SIGINT Seniors Europe (SSEUR) forum, which is a cooperative body that includes the Five Eyes nations plus those nine European countries. But it's crucial to note that the Fourteen Eyes isn't a formal charter the way the UKUSA Agreement is. It's more of an informal understanding for broader signals intelligence cooperation. The inner circle, the Five Eyes, operates under a unique non-aggression pact when it comes to spying on each other. A piece in the Washington Examiner earlier this year pointed out that this explicit agreement to not conduct espionage against one another is what sets it apart—it treats fellow members completely differently than even close allies outside the club.
Corn
Which is a fascinating distinction. So the deepest trust isn't just about sharing intelligence, it's about formally agreeing not to steal it from each other in the first place. That creates a kind of sacred space. But what about the others in the 14? Is there a similar pact with, say, Germany or France?
Herman
No, there isn't. And that's the critical line. With the extended members, intelligence sharing is robust and incredibly valuable, but it's transactional and conditional. might share specific intelligence on a Russian hacker group with the German BND, but it does so with the understanding that Germany is still a valid—though friendly—intelligence target for the U.in other areas. The possibility of espionage between them isn't off the table. Within the Five, it is.
Corn
That's a stark way to frame it. So the foundation lets them build something more integrated. So, what does the actual, day-to-day signals intelligence sharing look like? Is it like a giant, shared database everyone logs into? I think a lot of people imagine something like a top-secret version of a shared Google Drive.
Herman
Not even close. It's far more structured and compartmentalized than that. Think of it as a federation of sovereign systems, connected by secure, dedicated channels. The NSA doesn't just dump raw intercepts into a bucket for GCHQ to fish through. They collaborate on specific collection programs, with agreed-upon targets, and then share the analyzed product through controlled gateways. It's less like a shared drive and more like a network of secure, diplomatic pouches, where each pouch's contents and destination are meticulously logged and controlled.
Corn
Give me a concrete example of that collaboration in action. Something beyond the abstract "they work together."
Herman
The classic case study is the collaboration between the NSA and GCHQ on global internet backbone monitoring. Programs like those revealed in the Snowden disclosures showed how they divided the labor. might focus on collecting data from certain key internet exchange points in Asia, while the U.covers major hubs in Europe and Africa. They then use systems like XKEYSCORE to allow analysts from each agency to query the combined data set, but under strict rules of engagement and with strong auditing. But here's a more tangible, modern example: tracking a group like APT29, or Cozy Bear, the Russian group behind the SolarWinds hack. A joint task force would be stood up. The Canadians, with their unique diplomatic and intelligence relationships in certain regions, might be tasked with cultivating a human source. The Australians, positioned in the Asia-Pacific, might use their facilities to monitor the group's command-and-control communications bouncing through servers in Southeast Asia. All that collected data flows to a joint analytic cell, likely virtual, where analysts from each agency work side-by-side—digitally—to piece the puzzle together.
Corn
The mechanism isn't a free-for-all data lake; it's a set of joint missions with a clear division of responsibilities. It's project-based. But who decides on the projects? Is there a steering committee?
Herman
And the sharing is governed by formal agreements that specify what can be shared, with whom, and for what purpose. They use caveats like "NOFORN" – no foreign nationals – or "EYES ONLY" designations that travel with the intelligence. A Canadian analyst might get a report from the NSA, but it could have a caveat saying it cannot be further shared with, say, a French liaison officer, even though France is in the broader Fourteen Eyes circle. As for who decides, it's a mix of standing agreements and ad-hoc needs. There are permanent joint committees that meet to align priorities—counter-terrorism, cyber, counter-proliferation. But a lot of it is driven by necessity. When a new threat emerges, like a zero-day exploit being used in the wild, the relevant agency that discovers it will immediately task their liaisons to start querying their partners: "Are you seeing this? What do you have?"
Corn
Which brings us to Daniel's second question: how does mutual spying coexist with cooperation? You said there's a non-aggression pact. Does that mean the U.literally never spy on each other? That seems almost too good to be true, given the nature of the intelligence business.
Herman
Formally, yes, that's the agreement. But the reality has layers, and this is where it gets legally and ethically intricate. The pact applies to offensive, clandestine espionage aimed at stealing each other's state secrets—trying to plant a mole in MI6, or hacking into the Pentagon's weapons design servers. It doesn't preclude all surveillance. For instance, if a British citizen is communicating with a known terrorist facilitator, and that communication transits U.S. infrastructure, the NSA might incidentally collect it. That's not considered "spying on the U.K." in the treaty-violating sense; it's collecting against a mutual target. But here's the grey area: what about "bulk collection"? If the NSA is vacuuming up metadata on all calls entering the U.S., and that includes calls from the U.K., that could be argued as a violation of the spirit of the pact, even if the target isn't the British government.
Corn
The line is between targeting the partner state itself versus targeting threats that happen to be within the partner's territory or using its systems. But who gets to draw that line? And who watches the watchmen?
Herman
And that line is managed through what's called the "Third Party Rule" and "Originator Control." If the U.shares intelligence with the U.cannot then turn around and share that same intelligence with a third country like Germany without the U.'s explicit permission. The originator retains control. This prevents partners from using each other's intelligence to build separate, unauthorized relationships. As for oversight, it's largely internal to each agency and subject to their national oversight bodies. There's no supranational Five Eyes inspector general. The check is reciprocal vulnerability. If the U.S. were caught conducting a classic espionage operation against GCHQ, the blowback would be catastrophic—a collapse of trust that would take generations to rebuild. The mutual assurance is based on mutually assured destruction of the relationship.
Corn
It's a system of checks and balances built on a ledger of trust. But that trust must get strained. I remember reading about Operation Epic Fury, the U.cyber operation a while back. The Atlantic Council had a piece saying it was launched without consulting allies, and it caused real friction. But give me a specific example of how that friction manifests inside the machine.
Herman
That was in 2025. It's a perfect example of the tension between national sovereignty and alliance cohesion. decided it needed to act unilaterally and rapidly. But doing so bypassed the consultative mechanisms of the Five Eyes. For the other partners, it raises a question: if you're not going to consult us on a major action that could have blowback on all of us, why should we be so forthcoming with our most sensitive intelligence? Reciprocity is the glue. The manifestation is often a quiet tightening of the rules. After something like Epic Fury, you might see the other partners add more restrictive caveats to the intelligence they send to the U., or delay sharing on certain sensitive streams until they get a fuller briefing. It's not a public fight; it's a cooling of the pipes. The liaison officers feel it first—their requests for information might get slower, more qualified responses.
Corn
The mechanism isn't just technical protocols; it's a constant, delicate diplomatic calibration happening at the operational level, not just the foreign minister level.
Herman
A hundred percent. The structured sharing works because there's a shared understanding of the rules and, usually, a shared strategic outlook. When those alignments wobble – like when New Zealand has, on occasion, withheld intelligence over political disagreements, such as its historic anti-nuclear stance affecting certain military collaborations – you see the structured system clamp down. Access gets restricted, caveats get added. The flow becomes more targeted and less broad. It's a thermostat, not an on/off switch.
Herman
That calibration, though, doesn’t just happen through protocols – it’s driven by people. This is where the human element becomes critical. You have liaison officers embedded in each other's agencies. A Canadian intelligence officer might have a desk at GCHQ in Cheltenham, and a British counterpart works out of the NSA's campus in Fort Meade. These postings are often two to three years long, and they're career-making or breaking assignments.
Corn
Are these just diplomats in uniform, or do they have real operational roles? Do they get to actually do anything, or are they just glorified couriers?
Herman
They're deeply operational. Their job is to be the human interface for the joint task forces we were talking about. They translate requirements, smooth over procedural differences, and crucially, they build the personal relationships that grease the wheels during a crisis. They're the ones who pick up a secure phone and know exactly who to call, and they've built enough social capital to get a fast answer. Think of them as the living, breathing API for the alliance's data streams. They don't just pass messages; they interpret them, provide context, and advocate for their home agency's needs within the host agency.
Corn
It's institutional memory wearing a face. And that face goes to the bar after work with counterparts, builds friendships, and creates a network that exists outside the org charts.
Herman
A case study often cited is the role of Canadian liaison officers in the early 2000s, facilitating intelligence flows between the U.and other partners during the Afghanistan campaign. Canada's position, seen as a bit more neutral than the U., sometimes made them effective brokers within the Five Eyes framework itself. A Canadian officer might have been able to frame a request from the Australians to the Americans in a way that was more palatable, or explain a U.S. hesitation to the British in terms they understood better. That's intangible, human-level value that no secure fax machine can provide.
Corn
How do they manage compartmentalization with all these people in the loop? If a Canadian officer is sitting in a British facility, how do you stop them from seeing something they shouldn't? Do they just have to avert their eyes from certain whiteboards?
Herman
Through a rigid system of clearances and need-to-know, enforced by both technology and culture. Physical and digital access are strictly segregated. The Canadian liaison might have access to a specific, shared server room or a joint operations cell, but they won't have free roam of the entire British facility. Their login credentials only open doors to the information pools their home country is formally party to. It's a constant process of verification. And the culture is just as important. There's a powerful norm of "don't ask, don't look." If a classified document is left face-up on a desk in a common area, the visiting officer will look away or leave the room. Violating that unspoken trust is a career-ender. The system runs on the assumption that these are professionals who internalize the rules.
Corn
It sounds incredibly cumbersome. All this friction just to share a piece of information.
Herman
But that's the point. The friction is a security feature. It ensures that shared information is precisely targeted, not broadly defined. Which gets to another of Daniel's questions. The intelligence shared isn't a firehose. It's usually a curated product—a finished report, a specific intercept, a named target profile—accompanied by those strict caveats on further dissemination. They're not sharing the haystack; they're sharing a specific, verified needle they found in their section of the barn.
Corn
It's more like passing a sealed dossier than opening a shared filing cabinet. But that raises a question about speed. In a crisis, like the early hours of a major cyber-attack, does this curation and sealing process slow things down dangerously?
Herman
That is the eternal tension between security and speed. The system has "flash" or "critic" designators for time-sensitive intelligence. That gets pushed through the channels with minimal delay, but the caveats still travel with it. The human liaisons are key here—they can verbally authorize and log the sharing of a critical piece of data in seconds, knowing the paperwork will catch up later. The protocols have flex built in for genuine emergencies, but that flex is based on, you guessed it, the personal trust between the officers on the phone.
Corn
This is a key difference between the core Five Eyes and the broader Fourteen Eyes framework. Within the Five, the targeting can be broader because the trust is deeper. They might share strategic assessments about an entire region's communications patterns. With the extended members, the sharing is often much more incident-specific. "Here is the data on this one hacking group," not "here's our entire analysis of China's cyber command structure." But does that mean the extended members are sometimes left in the dark about the bigger picture?
Herman
Often, yes, and that can create its own frustrations. A country like France, with its own sophisticated capabilities, might contribute a vital piece to a puzzle but not get to see the final, complete picture that the Five Eyes assemble. They get a tailored summary. This can lead to perceptions of a "two-tier" alliance, which is exactly what it is. The Five Eyes is the inner tier. The benefit for the extended members is access to intelligence they could never collect on their own. The cost is accepting that they

This episode was generated with AI assistance. Hosts Herman and Corn are AI personalities.