It’s a classic story of what happens when spies go rogue, but instead of the typically draconian punishments associated with treason, three former U.S. cyberoperatives who worked for the United Arab Emirates after leaving government service are getting off with just a fine.
The three men—Marc Baier, Ryan Adams, and Dan Gericke—have agreed to pay $1,685,000 to avoid prison time, according to court filings. In doing so, they’ve acknowledged they committed hacking crimes and violated U.S. laws meant to restrict the export of military technology to foreign governments, after they left the intelligence community and military to hack journalists, activists, and dissidents—some of whom were American citizens.
But because they have agreed to pay the fine and “cooperate fully” with investigators—and never again obtain security clearances, which will ostensibly keep them away from classified materials—prosecutors have agreed to drop all charges in three years.
Part of the soft punishment comes from the murkiness that accompanies leaving government service and seeking a new career.
The program the three men worked for was called Project Raven, which was an effort from the United Arab Emirates to hire former U.S. cyberspecialists and use their expertise to hack certain vulnerable targets.
The UAE program, first revealed by a Reuters investigation in 2019, took shape over multiple years, poaching approximately a dozen ex-National Security Agency employees and other contractors and shuffling them between a series of companies that provided the UAE with surveillance and hacking capabilities.
And the activity has raised predictably ethical questions and the eyebrows of lawmakers.
Paul Kurtz, one former participant in an early iteration of the project, said in 2019 that he thought there ought to be more oversight on these kinds of activities where U.S. intelligence community know-how on hacking seeps out into other governments’ hacking operations, according to Reuters. But no law in particular barred them from sharing their offensive cyberoperations knowledge or skills with foreign governments, experts say.
The news of the repercussions for the men is the latest puzzle piece to fall into place about the storied Project Raven. But the dangling promise of no criminal prosecution and a fine that amounts to one or two years of the men’s salaries is leaving some questioning whether the punishment goes far enough.
In the halls of Congress and across the Biden administration, the whole chain of events is leaving some wondering whether the U.S. government and its sprawling intelligence apparatus are properly equipped to prevent technical hacking operations from falling into the wrong hands when contractors and employees quit.
The NSA and the intelligence community have long dealt with contractors and personnel stealing government secrets when they’re not authorized to do so. There’s of course the infamous 2013 leaks from ex-NSA contractor Edward Snowden, as well as Hal Martin, who stole 50 terabytes of classified documents from the agency over the course of two decades, or former NSA employee Nghia H. Pho, who was sentenced in 2018 for stealing classified hacking tools.
But Project Raven is far less cut and dry.
Early iterations of the program took shape under the auspices of the State Department when U.S.-based security firm CyberPoint won approval from the agency to provide counterterrorism work to the Emiratis, according to Reuters.
And some lawmakers are now pointing fingers at the U.S. government for letting this whole fracas run amok.
“I feel strongly the license itself should never have been issued,” Rep. Tom Malinowski (D-NJ) told The Daily Beast on Thursday, referring to the State Department license issued to CyberPoint in the early days. “I don’t think that NSA employees should be able to market the skills that our intelligence community taught them to the highest bidder after they leave government—especially if the highest bidder is a dictatorship and wants to use those tools to persecute dissidents.”
Malinowski told The Daily Beast he has been speaking with senior officials from the Office of Director of National Intelligence, White House, and State Department about what to do following the news of the Project Raven punishments.
“There’s more that needs to be done. I have spoken to senior administration officials about placing ‘post-deployment’ restrictions on employees of the U.S. intelligence community,” said Malinowski, who serves on the House Committees on Foreign Affairs and Homeland Security. “The UAE case reveals that the licensing system is broken.”
In recent days, Malinowski—alongside Reps. Dean Phillips (D-MN), Katie Porter (D-CA), Ro Khanna (D-CA), and Ted Lieu (D-CA)—introduced an amendment as a part of the National Defense Authorization Act that would require the State Department and ODNI to brief Congress annually on foreign companies that focus on developing offensive cyberoperations and hack-for-hire capabilities specifically for repressive governments or those who abuse human rights.
But foreign companies are not the only ones the U.S. government has to worry about when it comes to these kinds of hacking operations; some of the offensive hacking tools that fell into the hands of the UAE Project Raven came from U.S. companies at times.
Accuvant, a Denver-based firm, provided an iPhone hacking tool—it used a flaw in iMessage to take over victims’ entire phones—to Project Raven, according to MIT Technology Review.
Malinowski admits the proposed amendment is only a start—the proposal doesn’t directly tackle U.S. companies whose work the U.S. government specifically approves of—but “it would also require the administration to consider whether any of the foreign companies should be placed on the entity list, which would effectively block U.S. companies from exporting any talent or services to them,” Malinowski added.
“If our amendment were law, then the Emirati company that was partnering with this American firm could well have been blocked and it would not have been possible for an American contractor to provide the services,” he told The Daily Beast.
And yet, determining which countries are human rights abusers and which are not hasn’t always led the U.S. down a clear path of who to partner with on the international stage and who to treat like a pariah.
“The fact that UAE is sometimes viewed as a friendly, doesn’t reduce the harms the UAE was causing in this case,” said John Scott-Railton, a senior researcher at Citizen Lab, which tracks spyware and digital rights abuses around the globe.
Calls for a moratorium on the sale, export, and distribution of surveillance software have been reignited in recent days following the publication of a report from cybersecurity experts and news organizations detailing an extensive list of suspected victims of surveillance software developed by Israeli surveillance company NSO Group.
This latest action against Project Raven associates could spur more questions about who gets to decide who should have access to sophisticated hacking programs, says Oren Falkowitz, who previously worked at the NSA.
“One of the tricky things here is the knowledge of how to hack computers is not uniquely held at places like the National Secret Agency [and] the NSA works in a collaborative state with multiple parties, the so-called Five Eyes—is that OK? Are others not OK? [Who] are allies? What’s not an ally? It gets complicated,” Falkowitz said.
Nonetheless, former NSA employees told The Daily Beast they see the Project Raven work as a major transgression of the trust the intelligence community placed in them to wield powerful hacking programs on behalf of the U.S.—not on behalf of foreign governments.
“It’s disappointing because one of my experiences working at the NSA is really [learning and applying] the ethical and privacy standards… it’s shocking to me that people I worked with just missed that part of it,” Falkowitz, who worked in the NSA’s hacking division, called Tailored Access Operations, told The Daily Beast. “One of the big takeaways is about how you use these really important powers, techniques and tools for very specific purposes—I do think people in those environments have the responsibility to safeguard the techniques they learn… and some people just saw that as a pay day? And didn’t understand the gravity of it?”
“This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company,” Assistant Director Bryan Vorndran of the FBI’s Cyber Division said in a statement. “There is risk, and there will be consequences.”
The U.S. government is not the only country that has allowed former employees and companies to develop offensive hacking tools and run amok.
The news about the fates of Baier, Adams, and Gericke is just one small ripple in the broader hacker-for-hire market around the world that has enabled governments from the UAE to Iran and China to hire cutouts, mercenaries, and front companies to do their bidding in offensive cyberoperations—and wipe their hands of any culpability if they’re caught.
While the Department of Justice has finally taken a stand against this case of spies gone rogue—and even though the charges and action against this kind of operation are unprecedented—many worry it doesn’t go far enough.
Some have raised questions in recent days about whether the DOJ is holding back in its punishment of Project Raven workers due to historical cooperation between the program and the U.S. government, according to The New York Times.
“I’m looking at this case in puzzled wonderment… the DOJ in its press release made it clear that this unregulated offensive cyber capability is a threat to security worldwide—I had to pinch myself because this is what we’ve been saying at the Citizen Lab for a decade,” Scott-Railton told The Daily Beast. “The rhetoric is great but the modesty of the punishment left a lot of people wondering what other things happened here that we don’t know about?”