Richard: all of your points boil down not to "it's impossible to tap an undersea cable" but rather "it's incredibly expensive to tap an undersea cable reliably and quickly enough not to get caught.
May I offer some thoughts, from just underneath my tinfoil hat?
Sever the cable at point A. While they are running around trying to fix it, insert a tap at point B. This gives you time to tap it. Your costs drop quite a bit. "Deliriously expensive" becomes "within the realm of possibility for a black ops budget".
Now the question of "how the hell do you get the data out" arises. May I suggest that it might well be possible to put a widget in the "point B" tap that:
1) Is protected to substantial depths
2) Is some form of ridiculously expensive computer in it's own right
3) Does basic inline analysis of traffic
4) Sends anything interesting it finds down the fibre via traffic injection to the NSA*
5) May have a radio link (ULF?) to be updated by the appropriate spook ship that parks on top of it.
6) May even be able to be raised and plugged into a bank of systems on a spook ship to provide real-time streaming into the ship on occasions where it's required.
A tap doesn't have to mirror all traffic at all times to be an effective tool. A tap doesn't have to be accessible 100% of the time to be an effective tool. A tap doesn't have to be a perfect filter to catch interesting things and a tap doesn't have to store all data forever to be an effective tool.
It could just be the equivalent of a plan old-school wiretap capability, but set up in such a way as to be able to bypass all that pesky "jurisdictional cooperation" and "the other guy knowing what you're up to" stuff.
The presumption that these taps exist to spy on the hoi polloi of a country is probably nuts. It's 100% more rational to expect that the NSA would work with most countries to make that happen.
But a tap in order to spy on those in power in the target country is a different story entirely. That needs done without the target country knowing. And what better way for them to think that you don't have that capability than to work both ends and establish a local on-shore tapping capability (which, I am sure, the host country knows how to route around or turn off)?
Tapping communications that someone else knows are insecure is pointless and a waste of money. Finding the means of communication they believe are secure, well...
...I wholeheartedly believe the NSA would gladly pour hundreds of millions of dollars into that. After all...that's what they are actually paid to do.
*Before you start talking about security and "they'd notice that", I don't think they would. Who is going to take the two routers on either end of an undersea cable and lock down the routers to the MAC address of the router on the other end? You control the cable, and thinking that any other MAC address would appear would be paranoid. Do you MAC lock the cables running in your house? Do you run traffic sniffers on your hardwired-only networks to see if someone has tapped it and is injecting traffic? Unless you have some serious tinfoil hattery going on, no...you don't.
Biting the hand that feeds IT
