On Sept. 14, the Department of Justice announced an unprecedented resolution of criminal charges against three former U.S. military and intelligence members for conspiring to conduct computer network exploitation operations (hacking) on behalf of a foreign government, the United Arab Emirates (UAE). The defendants began as contractors providing cyber services to the UAE through a U.S. company, services that included offensive intelligence collection operations. They continued working on the project after a UAE company took control and ultimately provided UAE intelligence services with the ability to access smartphones and mobile devices remotely using “zero-click” exploits. In other words, the defendants used the tradecraft they learned in the U.S. military and intelligence community to assist a foreign government’s intelligence collection operations.
In addition to the novelty of prosecuting former U.S. intelligence operatives for hacking, the case marks the first time the department has charged hacking as a violation of the International Traffic in Arms Regulations (ITAR). Yet, for all the fanfare, the department resolved the charges with a deferred prosecution agreement, a rarely used and extraordinarily lenient resolution. Under the agreement, the criminal charges will be dropped in three years if the defendants do not violate the agreement’s terms.
On its face, the U.S. government appears to be sending mixed signals by investigating a case criminally and resolving it with an apparent slap on the wrist. However, companies and individuals engaged in this kind of work—providing offensive cyber services or exploits to foreign governments or foreign companies—should be wary. The resolution’s leniency reflects the unique circumstances of this case rather than a commitment to treat similar conduct the same way. To the contrary, the case seems to presage a new wave of investigations into the sale of offensive cyber services and indicates that the department is unlikely to be so kind the next time.
The details of this case are notable and provide crucial context for understanding its implications. Although the charged conduct occurred between December 2015 and November 2019, the story begins well before then. According to a Reuters investigative report, in 2009, the UEA hired CyberPoint, a Baltimore-based government contracting firm, to help develop and run its cyber programs while it worked to stand up its own version of the U.S. National Security Agency—the National Electronic Security Authority. CyberPoint applied for and received the requisite export authorization pursuant to a technical assistance agreement from the Department of State’s Directorate of Defense Trade Controls (DDTC) to perform the services subject to the ITAR. The report explained that CyberPoint’s agreement allowed it to provide services for the “protection of UAE sovereignty” through “collection of information from communications systems inside and outside the UAE” and “surveillance analysis”; but it prohibited CyberPoint from targeting U.S. persons. CyberPoint staffed its team with “more than a dozen former U.S. intelligence operatives.” Their work became known as Project Raven.
Project Raven was described outwardly as an effort to assist the UAE with the development of defensive cyber measures to combat terrorism. But, according to nine former team members whom Reuters interviewed, a follow-on briefing for new employees revealed that the true purpose of Project Raven was to support “offensive” cyber operations for the National Electronic Security Authority—in other words, proactive intelligence collection operations. These cyber operations initially targeted members of the Islamic State, but the target list later expanded to other opponents of the UAE government, including other foreign governments, reporters, and human rights activists. The collection methods also became more “audacious” and, among other things, started to sweep up communications of U.S. persons. According to another report, the collection included emails of then-First Lady Michelle Obama. Some members of Project Raven raised concerns about these issues and even helped to develop a policy to address the collection and storage of data from U.S. persons. But it soon became clear that these policies were not always followed.
Perhaps not coincidentally, in late 2015, Project Raven team members were informed that control of the project was being transferred to DarkMatter, a UAE company. Several members of Project Raven decided to continue working on the project for DarkMatter, while others decided to leave. The defendants did not seek or obtain a new license and technical assistance agreement despite being told by CyberPoint that they must do so or risk violating the ITAR; DarkMatter did not obtain the requisite license either. As described in the charging documents, Project Raven then began to use even more aggressive tactics by, among things, acquiring and using advanced exploits.
The charges that the Justice Department filed against three members of Project Raven—Marc Baier, Ryan Adams and Daniel Gericke—were based entirely on their work for DarkMatter. Among other conduct, the defendants used work product from CyberPoint that was governed by the technical assistance agreement, arranged for DarkMatter to buy “zero-click” mobile device exploits sold by two U.S. companies, helped the company design programs for deploying the exploits, and supervised DarkMatter’s use of these exploits to conduct intelligence collection operations.
The criminal information charged the three defendants with participating in two different but overlapping conspiracies related to this conduct. The first is a conspiracy to violate the Arms Export Control Act (22 U.S.C. § 2278) and the ITAR (22 C.F.R. Parts 210-120). The Arms Export Control Act and the ITAR restrict the export from the United States of “defense articles” or the provision of “defense services” without a license. Generally, “defense articles” refer to items specifically designed for a military use, such as weapons systems, and “defense services” include assistance in the design, development or operation of a defense article. The DDTC is responsible for administratively enforcing the ITAR, but the Justice Department leads criminal investigations of ITAR violations, which require proof that the conduct was willful (that the defendant knew the conduct violated the law). Here, at least one of the computer network exploitation systems that the defendants developed and deployed was a defense article, and the department charged the defendants with providing defense services to foreign persons and entities in connection with that article without the requisite DDTC approval.
The second count charged the defendants with conspiring to commit computer fraud (18 U.S.C. § 1030) and access device fraud (18 U.S.C. § 1029) for, among other conduct, obtaining unauthorized access to multiple devices, damaging computers through the use of exploits, and obtaining unauthorized access to information of value and other personal data. Under the Computer Fraud and Abuse Act, it is against the law to obtain unauthorized access to a computer to obtain information, as well as to transmit a program causing damage to a computer. It is also unlawful to use a code or other means to access a device to obtain a thing of value, and to possess more than 15 unauthorized access devices.
To resolve these charges, all three defendants entered into a deferred prosecution agreement, which—although requiring each defendant to admit to the criminal conduct, pay a fine and agree to restrictions on future employment (forfeiture of their security clearances)—effectively nullifies the charges in three years if the defendants do not violate the agreement. The agreement appears to be an extraordinarily forgiving resolution. In essence, it is a noncriminal resolution of a criminal investigation. A deferred prosecution agreement is rarely offered to individuals in export control prosecutions and likely is unprecedented for individuals who willfully violated the ITAR. Moreover, the conduct appears to be egregious because the defendants received express warnings that their work required a license, so evidence of their willfulness appears to be strong.
Although it may be tempting to view the deferred prosecution agreement as setting a precedent of lenient treatment for this type of conduct, the resolution in this case speaks more to its unique circumstances. Public reporting indicates that at least some of the concerning conduct began before DarkMatter took control of the project. At least one former member of Project Raven described the work under CyberPoint as including the targeting of a human rights activist and another foreign government, as well as collection of information from several U.S. citizens, including then-First Lady Michelle Obama. If true, CyberPoint employees’ participation in intelligence collection operations prohibited by the technical assistance agreement complicated the government’s ability to prove intent, because the defendants would likely have argued that they believed their conduct with DarkMatter was consistent with their activities at CyberPoint, which they understood to be lawful.
Additionally, the sheer number of U.S. persons who possibly violated the law at both CyberPoint and DarkMatter, and the fact that many of them served in the U.S. military and intelligence communities, would serve as evidence that it was not well known that such conduct was unlawful. This would further undermine prosecutors’ ability to prove that the defendants’ violation of the ITAR was willful. And, as a matter of fairness, the Justice Department likely faced challenges distinguishing the unlawful conduct of the three defendants from the “numerous” other U.S. persons at both CyberPoint and DarkMatter who engaged in the same or similar conduct but were not charged.
The case provides several key takeaways for any party providing offensive cyber capabilities to foreign governments or private companies.
The Justice Department is focused on limiting the spread of offensive cyber capabilities.
The fact that the department even brought this case indicates it is concerned about former U.S. military and intelligence members who offer their knowledge of and experience with offensive cyber operations to foreign nations. Although the department has prosecuted a number of individuals for “hacking,” in those cases the underlying conduct was unmistakably criminal, such as identity theft or ransomware attacks. Here, the defendants are U.S.-trained cyber operators who went to work for a U.S. defense contractor in assisting an ostensible U.S. counterterrorism ally collecting information outside of the U.S. The Justice Department is widening its aperture to more actively monitor and police companies and individuals who use information they learned from the U.S. government to support foreign interests.
In a recent speech about corporate enforcement trends, a senior official in the Deputy Attorney General’s office underscored this point by referencing this case as an example of the Justice Department’s focus on policing the transfer of “human knowledge” as an export violation. This new enforcement priority is a natural response to the exponential growth of companies and individuals with advanced cyber capabilities—especially those that were honed largely from their work for the U.S. government. As those companies and individuals market their skills beyond the U.S. government, the risk that they will be misused or otherwise fall into the wrong hands is heightened. This is not unlike the market for “zero-days” and other exploitation tools, which has grown exponentially as both state and non-state actors seek to make use of off-the-shelf cyber expertise. But just because you purchase an exploit does not mean you know how to use it. As more U.S. government contractors and more U.S. government-trained personnel explore work in the private sector, the Justice Department is keen on ensuring that they remain on the right side of the law.
The spotlight on offensive cyber services heightens the risk of detection.
These charges publicize the incentives for people to come forward and provide information about potentially unlawful conduct involving the sale of offensive cyber services, thereby making it more likely that this type of conduct will be detected and investigated. In this case, a combination of disgruntled employees, public interest groups and investigative journalists started lifting the veil on Project Raven as early as 2017. By 2019, articles and podcasts described in detail the nature of the operations, the names of companies and individuals involved, and the conduct that likely crossed the line. Although the department filed charges against three individuals, the former members of Project Raven who cooperated with the investigation do not appear to have been charged.
This fact reinforces the Justice Department’s National Security Division’s revised voluntary self-disclosure policy, which the Justice Department also highlighted in that recent speech on corporate enforcement efforts. The policy offers companies that self-report violations of the ITAR the ability to avoid a criminal conviction and fine. A requirement of the policy, however, is that the disclosure be timely; a disclosing party must come forward promptly after becoming aware of the problem, and not just before the government initiates an investigation. Now that the department has made clear it intends to prosecute government contractors and former U.S. government personnel who provide these types of offensive cyber capabilities, all parties involved have even more reason to speak up.
The Justice Department views providing offensive cyber capabilities as criminal.
The fact that the department entered into a deferred prosecution agreement with the three defendants in this case is not an indication that such agreements are likely in future cases. Far from it, this case is a warning that it considers the provision of exploits or the knowledge and guidance about how to use them as conduct it intends to investigate and charge criminally, even when conducted on behalf of a U.S. ally. Now that the department has charged and publicized this case, it will consider individuals and entities that engage in similar conduct to be on notice that their work implicates the ITAR and computer fraud statute. Such notice will make it easier in future cases for prosecutors to argue and establish that a company or an individual was aware that their conduct violated the law. That is likely a major reason why the department included the unprecedented ITAR charge for conduct that also involved computer fraud, as its inclusion had no real consequence for the defendants’ punishment.
The case also signals that the Justice Department, rather than the State Department’s DDTC, will likely take the lead in ITAR cases involving offensive cyber capabilities. DDTC has the authority to investigate, take administrative actions and levy fines for violating the ITAR. And the barrier for DDTC to act is lower than the Justice Department because its administrative and civil actions for ITAR violations require only proof of a violation, not proof that the violation was willful. But so far, the DDTC has not taken any action with regard to this conduct. This silence is unusual, especially because an admission in a criminal case alone is sufficient for DDTC to take action, and could signal that more lenient civil resolutions may be off the table.
Although it may not be clear where the Justice Department will draw the line between the acceptable and unacceptable sharing of “human knowledge” for cyber capabilities, we now know that line is more restrictive—and will be watched more closely—than it used to be.
The Justice Department also may soon have additional tools available to address this issue. In late September, the House Permanent Select Committee on Intelligence passed a bipartisan resolution that would place numerous restrictions on former members of the U.S. intelligence community who seek to engage in similar work in the private sector. Among other restrictions, the bill would prohibit former members of the U.S. intelligence community from taking certain jobs for 30 months after they leave the government and, once they are permitted to take such jobs, they would be required to report annually on any work they performed for a foreign government or foreign national. The bill would authorize the department to prosecute any violations of these requirements.
Regardless of whether this bill becomes law, it is clear the Justice Department is now focused on former U.S. military and intelligence members and efforts to promote offensive cyber capabilities of foreign governments. Having fired its warning shot, the department is looking for new targets.
Prosecuting Project Raven: A New Frontier for Export Control Enforcement is written by Brandon L. Van Grack, Joseph Folio for www.lawfareblog.com