Cybersecurity Technology Sales to Foreign Governments: Who’s In Charge?
Five years ago, a secret hacking team run by a U.S. cybersecurity contractor that included more than a dozen former U.S. intelligence agents, reportedly helped the United Arab Emirates (UAE) spy on other governments, militants and human rights activists by using American technology.
The surveillance effort, called Project Raven, soon expanded to use the latest U.S.-developed hacking tools to spy on Americans, according to a Reuters investigative report. While the contractor was granted approval by the U.S. State Department to sell American cybersecurity tools to UAE intelligence, the agency may not have known the whole story, the report suggested.
Jump ahead five months from the original Reuters report in January 2019. We have new legislation introduced earlier this month that would hold the State Department accountable for approving the sale of U.S. cybersecurity technology to foreign governments, Reuters reported. The bill, which passed the House Appropriations subcommittee, not only would compel the State Department to report to Congress its determining criteria for sales of U.S. cybersecurity tools to other countries, the agency would also have to detail its response to nations that violated its rules in the past year, according to the report.
A vote on the law by the full Committee is expected in the coming weeks before it gets sent to the House for consideration. Dutch Ruppersberger (D-MD), a member of the Committee, is reportedly “troubled” by the State Department’s approval process for selling cyber technology to foreign countries, Reuters reported. It was Ruppersberger who proposed adding the bill to an existing State Department budget.
The State Department, in an email to Reuters, said it is “firmly committed to the robust and smart regulation of defense articles and services export.” The agency grants export licenses for U.S. cybersecurity technology based on “political, military, economic, human rights, and arms control considerations,” officials said.
Mounting concerns over U.S. cybersecurity weaponry ending up in foreign arsenals has increased to a fever pitch prodded by nation-state bad actors stealing some of the U.S. National Security Agency’s most guarded hacking secrets in 2017. In the latest development, state sponsored Chinese cyber spies recovered hacking tools used by the NSA in a 2016 attack on its systems and reverse engineered the code to hit targets in Europe and Asia.
Karl Gumtow, the CEO of CyberPoint, the contractor involved in Project Raven, has previously denied conducting hacking initiatives or breaking U.S. laws, Reuters said.