Lawmakers Look to Crack Down on ‘Hack for Hire’ Business


It’s a classic story of what happens when spies go rogue, but instead of the typically draconian punishments associated with treason, three former U.S. cyberoperatives who worked for the United Arab Emirates after leaving government service are getting off with a fine.

The three men—Marc Baier, Ryan Adams, and Dan Gericke—have agreed to pay $1,685,000 to avoid jail time, according to court filings. In doing so, they’ve acknowledged that they committed hacking crimes and violated U.S. laws meant to restrict the export of military technology to foreign governments after leaving the intelligence community and military to hack journalists, activists, and dissidents—some of whom were American citizens.

But since they have agreed to pay the fine and “cooperate fully” with investigators—and never again obtain security clearances, which will ostensibly keep them away from classified materials—prosecutors have agreed to drop all charges in three years.

Part of the soft punishment comes from the murkiness that accompanies leaving government service and seeking a new career.

The program the three men worked for was called Project Raven, which was an effort from the United Arab Emirates to hire former U.S. cyberspecialists and use their expertise to hack certain vulnerable targets.

The UAE program, first revealed by a Reuters investigation in 2019, took shape over multiple years, poaching approximately a dozen ex-National Security Agency employees and other contractors and shuffling them between a series of companies that provided the UAE with surveillance and hacking capabilities.

And the activity has, predictably, raised ethical questions and the eyebrows of lawmakers.

Paul Kurtz, one former participant in an early iteration of the project, said in 2019 that he thought there ought to be more oversight on these kinds of activities where U.S. intelligence community know-how on hacking seeps out into other governments’ hacking operations, according to Reuters. But no law in particular barred them from sharing their offensive cyberoperations knowledge or skills with foreign governments, experts say.

The news of the repercussions for the men is the latest puzzle piece to fall into place about the storied Project Raven. But the dangling promise of no criminal prosecution and a fine that amounts to one or two years of the men’s salaries is leaving some questioning whether the punishment goes far enough.

In the halls of Congress and across the Biden administration, the whole chain of events is leaving some wondering whether the U.S. government and its sprawling intelligence apparatus are properly equipped to prevent technical hacking operations from falling into the wrong hands when contractors and employees quit.

The NSA and the intelligence community have long dealt with contractors and personnel stealing government secrets when they’re not authorized to do so. There are, of course, the infamous 2013 leaks from ex-NSA contractor Edward Snowden, as well as Hal Martin, who stole 50 terabytes of classified documents from the agency over the course of two decades, and former NSA employee Nghia H. Pho, who was sentenced in 2018 for stealing classified hacking tools.

But Project Raven is far less cut and dried.

Early iterations of the program took shape under the auspices of the State Department when U.S.-based security firm CyberPoint won approval from the agency to provide counterterrorism work to the Emiratis, according to Reuters.

And some lawmakers are now pointing fingers at the U.S. government for letting this whole fracas run amok.

“I feel strongly the license itself should never have been issued,” Rep. Tom Malinowski told The Daily Beast on Thursday, referring to the State Department license issued to CyberPoint in the early days. “I don’t think that NSA employees should be able to market the skills that our intelligence community taught them to the highest bidder after they leave government—especially if the highest bidder is a dictatorship and wants to use those tools to persecute dissidents.”

Malinowski told The Daily Beast he has been speaking with senior officials from the Office of Director of National Intelligence, White House, and State Department about what to do following the news of the Project Raven punishments.

“There’s more that needs to be done. I have spoken to senior administration officials about placing ‘post-deployment’ restrictions on employees of the U.S. intelligence community,” Malinowski, who serves on the House Committees on Foreign Affairs and Homeland Security, told The Daily Beast. “The UAE case reveals that the licensing system is broken.”

In recent days, Malinowski—alongside Representatives Dean Phillips (D-MN), Katie Porter (D-CA), Ro Khanna (D-CA), and Ted Lieu (D-CA)—introduced an amendment as a part of the National Defense Authorization Act that would require the State Department and ODNI to brief Congress annually on foreign companies that focus on developing offensive cyberoperations and hack-for-hire capabilities specifically for repressive governments or those who abuse human rights.

But foreign companies are not the only ones the U.S. government has to worry about when it comes to these kinds of hacking operations; some of the offensive hacking tools that fell into the hands of the UAE’s Project Raven at times came from U.S. companies.

Accuvant, a Denver-based firm, provided an iPhone hacking tool—that used a flaw in iMessage to take over victims’ entire phones—to Project Raven, according to MIT Technology Review.

Malinowski admits the proposed amendment is only a start—the proposal doesn’t directly tackle U.S. companies whose work the U.S. government specifically approves of—but “it would also require the administration to consider whether any of the foreign companies should be placed on the entity list, which would effectively block U.S. companies from exporting any talent or services to them,” Malinowski added.

One of the big takeaways is about how you use these really important powers, techniques and tools for very specific purposes—I do think people in those environments have the responsibility to safeguard the techniques they learn.

Oren Falkowitz, former NSA hacker

“If our amendment were law, then the Emirati company that was partnering with this American firm could well have been blocked and it would not have been possible for an American contractor to provide the services,” he told The Daily Beast.

And yet, determining which countries are human rights abusers and which are not hasn’t always led the U.S. down a clear path of who to partner with on the international stage and who to treat like a pariah.

“The fact that UAE is sometimes viewed as a friendly, doesn’t reduce the harms the UAE was causing in this case,” said John Scott-Railton, a senior researcher at Citizen…

