Cybersecurity: Crime and Espionage

Project Raven: What Happens When U.S. Personnel Serve a Foreign Intelligence Agency?

By Robert Chesney
Monday, February 11, 2019, 8:00 AM

It’s been known since 2012 that a Baltimore-based company called Cyber Point had a contract with the United Arab Emirates (UAE) to assist its newly established signals intelligence agency (then called the National Electronic Security Authority) with “advice on cyberdefense and policy,” as Ellen Nakashima reported at the time for the Washington Post. Later, there were suggestions that Cyber Point might be involved in helping the UAE service acquire malware that the UAE used to support surveillance activities that included monitoring of political opponents. And now, Reuters has a remarkable piece from Chris Bing and Joel Schectman, published last week, that goes deeper and raises important questions about the role of U.S. citizens in working for foreign intelligence agencies.

The Reuters report explains that Cyber Point hired a group of ex-NSA employees to work in the UAE in support of the UAE signals intelligence service, under the name of “Project Raven.” Later, the Project Raven team was transferred in some fashion from the Cyber Point contract to a contract with the UAE-based firm DarkMatter. Along the way, the Americans came to appreciate that their efforts at times did indeed include surveillance of political opponents of UAE authorities, and further that the UAE service at times targeted Americans despite assurances that this would not occur (or at least that the operations Project Raven in particular conducted or supported would not be directed at Americans). They probably should not have been surprised by any of that. But be that as it may, the story understandably has excited concern that the United States lacks a sufficient policy-and-law framework to regulate situations of this kind.

What policy concerns, precisely, does this story illustrate? It’s important to be clear on that question before asking whether the U.S. has an adequate legal architecture for addressing scenarios like Project Raven.

I see at least four distinct areas of concern implicated by the Project Raven story, each implicating existing or potential legal architectures in different ways:

  1. Whether Americans in general should ever serve in a foreign intelligence agency;
  2. Whether former intelligence community employees in particular should not do this;
  3. Whether the United States adequately protects classified information;
  4. Whether the United States adequately protects the privacy of Americans from foreign surveillance.

Let’s take those in sequence.

 

1. Whether Americans in general should ever serve in a foreign intelligence agency

The question here does not concern serving secretly as an asset for foreign governments, which U.S. law obviously should (and does) discourage. Instead, the question is whether it is inherently bad for U.S. persons (American citizens and lawful permanent residents) to have overt work relationships with foreign intelligence agencies. Some might argue that all such service is inherently unfriendly to the U.S. government at least at some level, with some contexts plainly much more so than others. Might some form of ban, with exceptions, therefore be desirable? And if so, does the U.S. not already have something like this?

The case for having some form of ban begins with the idea that there is inherent tension between owing a duty of loyalty to the United States and providing services to a foreign government in direct relation to that government’s pursuit of its own security and foreign policy goals, which in some cases may be inimical to the security and foreign policy goals of the United States. There is also the possibility that the actions of U.S. persons abroad, even when working under the direction and control of a foreign government, could be held against the United States, fairly or not. On the flip side, there are of course circumstances in which interests align enough to make such service with a foreign intelligence agency beneficial for the United States. The balance of equities, then, is highly context-dependent.

This suggests that the optimal legal framework would be one that allows such service only where there has been some degree of vetting on the front end, and some degree of ongoing monitoring on the back end—that is, a licensing model, as opposed to a flat ban.

As it turns out, the U.S. already has a version of this. But as the Project Raven story itself illustrates, the current system seems incomplete.

The existing licensing model was created primarily to address military-relevant materials and services. Under the Arms Export Control Act, the executive branch is authorized to prohibit the unlicensed export of “defense articles” and “defense services.” The meaning of those broad categories is explicated at great length and detail through the International Traffic in Arms Regulations (ITAR) and the U.S. Munitions List (USML). Things that fall within them cannot be exported without a license from the State Department’s Director of Defense Trade Controls (DDTC). DDTC can—and does—impose conditions on the licenses it grants, including, where appropriate, limitations designed to prevent U.S.-provided articles and services from being used by foreign recipients in ways that violate human rights or that otherwise harm U.S. interests.

Does this apply to things or services provided to foreign intelligence services? The question is a tricky one, at least on paper, for the regulations are dense and their references to intelligence activities are sparse (and not tailored to clearly address grey zone activities in the cyber domain). That said, the Project Raven/Cyber Point episode itself makes clear that DDTC does view at least some such activity as coming within the licensing system; Cyber Point applied for and received a license, after all.

The more important questions—the ones the Project Raven story raises in relation to this particular policy concern—are whether the licensing system is sufficiently probing on the front end when the license is being granted, and whether there is adequate back-end monitoring for compliance with license conditions. The nuances in the Project Raven story, so far as can be gleaned from the Reuters account, are tricky on both points.

Reuters writes that Project Raven transitioned out from under Cyber Point (and its license) at some point, moving to UAE-based DarkMatter. Conduct subsequent to that shift probably cannot be laid at Cyber Point’s door, and thus would not violate the Cyber Point license. On that view, one cannot fault the front-end screening by DDTC, unless it turns out that the Project Raven activities violated the license terms all along. On the other hand, that same logic compels the conclusion that the U.S. persons who remained working for the UAE at that point no longer had the benefit of a DDTC license, yet they continued providing “defense services” to the UAE. This suggests a possible enforcement gap in the licensing scheme, though perhaps time will yield an enforcement gap now that the story has become public.

At any rate, one potentially attractive policy response to the whole episode would be to increase the resources devoted to both front-end screening and in-progress monitoring for DDTC licenses. And perhaps the statute could be amended to support that in-progress monitoring by imposing increased requirements for periodic compliance reporting.

Before moving on, it’s worth noting how things might look if the country decided licensing was not the right way to go and, instead, wanted to move to a flat ban. That idea has a close parallel in the context of foreign military service. In that setting, American criminal law has long made it a crime to enlist or otherwise enter into the service of a foreign military (unless that foreign military is at war with a state against which the U.S. too is at war), and separately it has also long been a crime to take a foreign government’s commission to serve in war against a party with which the United States is at peace. To be sure, there are ample historical examples of the government looking the other way; enforcement has not been anything like uniform or rigid over time. But still, there it is.

Should the U.S. treat foreign intelligence service the same way as foreign military service, with a flat ban? This would certainly help minimize Project Raven scenarios in which U.S. persons end up contributing to undesirable foreign intelligence activities. But perhaps it would overcorrect to too great an extent, for it also would preclude U.S. persons from contributing to desirable activities, such as the sort of counterterrorism functions that the Project Raven personnel originally thought would be their focus. A well-tailored and well-resourced licensing system seems to me to be the better alternative.

 

2. Whether former intelligence community employees in particular should not do this

Even if Americans in general should have the option of foreign intelligence service, subject to proper licensing, one might argue that former intelligence community employees are a special case for whom no such license should be granted.

The case for a flat ban for former intelligence community employees might go something like this: First, as the Project Raven story suggests, the fact that an American working for a foreign service once was an intelligence community employee considerably enhances the extent to which the actions of the foreign entity may come to reflect back on the United States, even if unfairly so. Second, much like the analogous scenario in which bans or at least delays are imposed before former public officials can engage in lobbying related to their former jobs, the U.S. should worry about both the appearance of impropriety (which undermines public regard for the entity in question, and thus inhibits that entity’s ability to pursue its mission) and the possibility that people in public service might be influenced in their decisions by future employment prospects. Third, officials might worry (as noted below) about the opportunities for compromise of U.S. personnel that are created by working with a foreign intelligence service. (Indeed, it is not hard to see how the UAE service could have taken advantage of the growing murkiness of the Project Raven activities so as to create leverage over at least some of those former NSA employees.)

The case against such a flat ban, in contrast, builds from the premise developed above: there are some circumstances in which it is in the U.S. national interest to improve the efficacy of foreign intelligence services by allowing Americans to work with them. If that’s the case, it stands to reason that the persons most able to provide that boost, in at least some cases, will be former intelligence community employees. On that view, the licensing system must function well enough to police against undue risk of the kinds just noted in the preceding paragraph.

 

3. Whether the U.S. adequately protects classified information

The preceding discussion draws attention to a related, but distinct, concern: Does the Project Raven scenario highlight an undue risk that classified information involving cyber capabilities will leak to a foreign service as a result of former intelligence community personnel serving with a foreign agency?

Yes and no. The good news is that the U.S. doesn’t lack for relevant criminal laws in this area. Though there always is risk that a former employee will choose to violate those laws or be compromised into doing so, there’s not much cause for trying to expand or strengthen the legal guardrails when it comes to obvious concerns such as exposure of specific tools like custom malware, access to staging servers, specialized physical equipment, etc. And the Project Raven story does not suggest otherwise.

But on the other hand, there also is great value in the sheer practical knowledge—the tactics, techniques and procedures (TTPs)—for which the foreign agency is hiring these former intelligence community personnel in the first place. Whether and when that know-how is itself classified information can be tricky, to say the least. Knowledge concerning a specific software vulnerability—of a zero day—might readily count, but TTPs involving best practices for detection avoidance and lateral movement within a system might present a murkier case. And the less clear things are, the more likely it is the former employee will simply use the TTP in the new job, with the new employer and new colleagues gaining that know-how along the way even if the U.S. person never intended to “train” them in any formal sense.

It seems to me the TTP-sharing issue is intractable to a certain extent. If one takes a sweeping approach to classifying know-how and then ensuring intelligence community employees understand there will be a strict approach to enforcement, this runs the risk of effectively prohibiting those employees from going on to do related work for anyone outside the government, not just foreign intelligence agencies. This in turn would make the already-serious challenge of recruiting talented hackers and defenders much more so.

 

4. Whether U.S. law adequately protects the privacy of Americans from surveillance by Americans working for a foreign government

Perhaps the most striking element of the Project Raven story is the reference to UAE surveillance of Americans. My read of the story was that the Americans were not themselves engaging in this activity. If that’s right, then all that’s at issue is the fact that foreign intelligence services spied on U.S. citizens—an important thing to know, but not something that warrants some innovation in the U.S. legal architecture. But what if that’s not right? That is, what if some of the Americans associated with Project Raven were engaged in surveillance of their fellow citizens, on behalf of a foreign government?

The short and complete answer is that they would be in serious legal jeopardy, for neither their license (which surely excludes such activity anyway) nor the cloak of UAE domestic law would do anything to make such activity legal from the perspective of U.S. law. Various U.S. laws—the Wiretap Act, for example, and the Computer Fraud and Abuse Act—might come into play.

Indeed, the Reuters report notes that the FBI has taken a keen interest in Project Raven participants. Perhaps this is one of the reasons why? Time will tell. For now, it is enough to say that this is not an area where the legal framework seems lacking.