Hackers as Global Private Contractors is a Pandora’s Box You Do Not Want to Open
In mid-September 2021, the U.S. Department of Justice (DoJ) fined three former National Security Agency (NSA) hackers who worked as service contractors for a United Arab Emirates (UAE) cybersecurity company named DarkMatter between January 2016 and November 2019. The DoJ charged them with acquiring “data from computers, electronic devices, and servers around the world including on computers and servers in the United. States,” and violating U.S. export laws restricting the transfer of military technology to foreign governments (the International Traffic in Arms Regulations, or ITAR). These three individuals were not the only former ex-U.S. Intelligence officers working for the company. DarkMatter employed more than a dozen former NSA hackers who helped create and develop cyber spying tools and iOS zero-click exploits giving attackers complete access to compromised devices. Under the moniker “Project Raven,” these persons would use the skills and techniques learned from the NSA to help the UAE target and compromise the phones and computers of its enemies. These “enemies” included human rights activists, journalists, and political rivals.
Spring 2017 geopolitical unrest may have escalated the activities of the former NSA hackers when the UAE, along with Middle Eastern allies, accused Qatar of trying to sow discontent throughout the region via its leveraging of media and political organizations. This prompted the UAE to impose a sea, air, and land blockade against Qatar. Project Raven came into full force shortly thereafter targeting media executives and journalists believed to be sympathetic to Qatar. Per some of the operatives, their goal was to identify evidence linking Qatar’s royal family to influencing Al Jazeera coverage and expose any connections between the Muslim Brotherhood and prominent media networks.
At the core of this issue is the fact that these ex-intelligence operatives used cutting-edge cyber-espionage tools learned from their time in the U.S. Intelligence Community on behalf of a foreign intelligence service. What’s more disconcerting is that Project Raven has roots in a United States company, known to support the U.S. government and to hire several ex-U.S. intelligence officers. The UAE established Project Raven in 2009 with the assistance of U.S. intelligence contractors and former senior White House officials. In 2008, Richard Clarke, the counterterrorism czar for Bill Clinton and a special advisor on cybersecurity to George W. Bush, consulted with the UAE on the development of DREAD (Development Research Exploitation and Analysis Department)– a secret unit whose mission was to target persons of interest. DREAD quickly blossomed into Project Raven with the assistance of CyberPoint, a U.S. company that initially provided bodies to support the venture.
Even if it is permissible for U.S. companies to sell cyber products and services to foreign states, the optics aren’t very good. It is bad enough that ex-U.S. intelligence contractors were involved in the acts to benefit a foreign government using the very capabilities they used in service of the U.S. government. But these contractors kept their security clearances and worked on at least one U.S. government contract for the NSA, even though they did no work. This can understandably create a perception that the U.S. government if even tacitly, had knowledge of their activities or supported them. This would certainly raise red flags for anyone following these developments. Playing such semantic games is a part of intelligence tradecraft, where plausible deniability and obfuscation are integral to operational success. But they can also create anxiety when they are uncovered, calling into question what the government knew and what it approved. The U.S. government will correctly deny any involvement but many in the world will remain skeptical.
Another issue for concern is the perception that such U.S. companies are actually shells for U.S. government-sponsored clandestine cyber operations, the kind that requires the use of such cut-outs. A private company looking to expand its global market share might be a difficult sell to the international community if they believe the company operates on behalf of Washington. After all, the United States government makes this argument when it cites potential links between foreign companies and adversarial intelligence services, suggesting impropriety on the company, the government, or both.
Hiring hackers as private contractors mimics the contract hire model of private security companies like the former Blackwater (now Academi), whose private military contractors were used in Iraq to guard officials, military installations, provide support for armed forces, and train the Iraqi army and police forces. However, one notable difference between private military contractors and the hackers associated with Project Raven is transparency. A physical presence is more visible as activities are more easily seen, reported, and recorded. The publicization of some of Blackwater’s questionable actions in Iraq is a testament to this, and Blackwater isn’t the only company called out for questionable behavior. Other security companies have had similar claims levied against them. This shows that public scrutiny is more easily imposed on these companies, and where appropriate, they can be held accountable for their transgressions. Such is not the case with cyber operations where operators are not visible, are largely unknown to anyone save their employers, and can function without monitoring, auditing, or restriction.
And this is where the practice of hiring hackers as private contractors is in desperate need of some form of regulation and oversight. The fallout from Project Raven is how these services can quickly deteriorate from noble missions to missions serving authoritarian masters without being held in check. As in the case of the three ex-NSA hackers, their operations can be applied against U.S. interests, whether directly or indirectly. Two former U.S. NSA hackers left DarkMatter because they had doubts about what they were doing, especially when directed to target U.S. citizens. If this doesn’t give the U.S. government pause for concern, it should.
The DoJ fines levied against the three ex-NSA hackers do not go far enough to tackle this issue, and there does not appear to be a law on the books addressing this behavior. Congress needs to look more rigorously at the cyber spying industry that employs ex-intelligence officers and/or ex-intelligence contractors looking to apply their trade to the highest bidder and see where it can institute some level of supervision or restriction, at least for a period after they leave that employment. A recent amendment to the National Defense Authorization Act would require the Department of State and the Office of the Director of National Intelligence to report on companies developing offensive cyber operations and hacking contract capabilities for authoritarian regimes. While promising, this is only a broad first step in trying to understand a problem that is difficult to rein in and moves at a speed that outpaces the glacial legislative process.
What is certain is that the appetite for such capabilities exists, as will the increasing demand for individuals possessing these skillsets from governments that do not have the indigenous capacity to create their own. And depending on the intent of those governments employing them, inappropriate surveillance against political and activist groups may be the least of our worries.
Opportunities for Advantage
All of this exponential disruption means we must make focused efforts to gain advantage. Stay informed on a variety of these critical issues at OODAloop.com and during our monthly OODA Network meetings and Salons.
OODA Loop provides actionable intelligence, analysis, and insight on global security, technology, and business issues. Our members are global leaders, technologists, and intelligence and security professionals looking to inform their decision making process to understand and navigate global risks and opportunities.
You can chose to be an OODA Loop Subscriber or an OODA Network Member. Subscribers get access to all site content, while Members get all site content plus additional Member benefits such as participation in our Monthly meetings, exclusive OODA Unlocked Discounts, discounted training and conference attendance, job opportunities, our Weekly Research Report, and other great benefits. Join Here.
Black Swans and Gray Rhinos
Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis
Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking
The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking
Corporate Sensemaking: Establishing an Intelligent Enterprise
OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking
Artificial Intelligence Sensemaking: Take advantage of this mega trend for competitive advantage
This page serves as a dynamic resource for OODA Network members looking for Artificial Intelligence information to drive their decision-making process. This includes a special guide for executives seeking to make the most of AI in their enterprise. See: Artificial Intelligence Sensemaking
COVID-19 Sensemaking: What is next for business and governments
From the very beginning of the pandemic we have focused on research on what may come next and what to do about it today. This section of the site captures the best of our reporting plus daily daily intelligence as well as pointers to reputable information from other sites. See: OODA COVID-19 Sensemaking Page.
Space Sensemaking: What does your business need to know now
A dynamic resource for OODA Network members looking for insights into the current and future developments in Space, including a special executive’s guide to space. See: Space Sensemaking
Quantum Computing Sensemaking
OODA is one of the few independent research sources with experience in due diligence on quantum computing and quantum security companies and capabilities. Our practitioner’s lens on insights ensures our research is grounded in reality. See: Quantum Computing Sensemaking.
The OODAcast Video and Podcast Series
In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast