Prompted by Reuters Investigation, New Legislation Introduced in U.S. to Track and Regulate Foreign Sale of Cyber Capabilities by Scott Ikeda


A Reuters investigation into covert aid provided by government contractors to the United Arab Emirates has led to new legislation governing American cyber capabilities. United States companies will now be required to obtain permission from the State Department before selling any cyber capabilities to foreign governments, and the department will be required to report to Congress on its tracking and punishing of companies that violate the new regulation.

The Reuters spy story

The legislation stems from Reuters’ reporting on Project Raven, a secret operation involving former NSA intelligence operatives who had been recruited as civilian contractors for the United Arab Emirates (UAE). The National Security Agency (NSA) gave permission to three companies: Good Harbor, CyberPoint International and SRA International.

This team of about a dozen former U.S. intelligence analysts and hackers brought U.S. tools and techniques with them, and were initially told they would be serving in a counter-terrorism capacity approved by the NSA. After several years, the UAE government gradually expanded the team’s duties to include breaking into the phones and accounts of political opponents, dissidents, activists and journalists. Reuters learned that some of the human rights activists tracked in this way were tortured.

The work began in 2014, but some of the American intelligence contractors began to have second thoughts about their new line of work in 2016 when the UAE began instructing them to spy on Americans. This led five group members to contact Reuters with the story; eventually, nine of them would corroborate it.

Among the cyber tools used by the UAE were Karma, which used an undisclosed vulnerability to hack into iPhones, as well as unspecified phishing tools. The agents appeared to use a combination of hardware and software vulnerabilities and phishing with malware.

The story has inflamed concerns about trained U.S. intelligence personnel taking classified tools and methods with them to the private market when they opt to leave their jobs. U.S. operatives are naturally forbidden from doing such work for foreign governments while they are active; many in the government feel they should play by the same rules even after they leave their government positions, but to date there has been little forcing them to do so.

Congressman Dutch Ruppersberger, one of the creators of the legislation, compared the new regulation of cyber capabilities to similar regulations on military equipment and weapons that are sold to other countries.

The new law governing cyber capabilities

The new law, which was included in the 2020 budget bill and signed into law by President Donald Trump in late December, requires any U.S. company providing cyber capabilities (defined as sale of cyber tools or services) to first notify the State Department and obtain permission. The State Department will also be required to disclose any policing of companies when unauthorized sales occur, and Congress must be notified of any sales that are made.

The need for more regulation

In addition to highlighting the threat of former operatives taking government cyber capabilities and training into the private market, the Project Raven story is a confirmation and reminder that agencies may be sitting on undisclosed vulnerabilities that can be used to compromise major platforms and operating systems.

The reporting of the Karma exploit came shortly after Facebook had been in the news due to a vulnerability in its WhatsApp mobile app. The exploit was part of the Pegasus cyber tools and services package peddled by the Israel-based NSO Group, a mercenary spy outfit known to leverage such “zero day” exploits on behalf of various governments that contract with them.

The NSO Group is likely the largest and most prominent of these private spies for hire, but they are far from the only such entity. This market, often referred to as “lawful intercept,” muddies the waters with groups contracting with governments both for legitimate counter-terrorism purposes and for the stifling of political opposition.

The situation is difficult to monitor: nearly every major government contracts with some sort of cybersecurity company of this nature, there is very little public transparency as to what the real purpose of these contracts is, and neither national nor international law adequately addresses the deployment of cyber capabilities of this nature.

For its part the NSA has admitted that it may sit on previously unknown vulnerabilities if it finds them useful, but it is supposed to apply terms laid out in a “Vulnerabilities Equities Process Charter” to determine if disclosure best serves the public interest. Of course, this assumes that the NSA can keep its own cyber capabilities cupboard secure – something that has been a problem in the past.

It is still unclear where the iPhone Karma exploit originated from, but Reuters reporting did discover that the UAE purchased it from a vendor similar to NSO.