US Fines Former NSA Employees Who Provided Hacker-for-Hire Services To UAE

The US Department of Justice has fined three former NSA employees who worked as hackers-for-hire for a United Arab Emirates cybersecurity company. From a report: Marc Baier, 49, Ryan Adams, 34, and Daniel Gericke, 40, broke US export control laws that require companies and individuals to obtain a special license from the State Department's Directorate of Defense Trade Controls (DDTC) before providing defense-related services to a foreign government. According to court documents, the three suspects helped the UAE company develop and successfully deploy at least two hacking tools. The three entered into a first-of-its-kind deferred prosecution agreement with the DOJ today, agreeing to pay $750,000, $600,000, and $335,000, respectively, over a three-year term, in order to avoid jail time for their actions.

No jail time?

[mendax]

They should have gone to jail. No doubt about it. Fining people for such treachery just is not sufficient.

Re:No jail time?

[tragedy]

What really needs to be considered here is the web of connections that got those people working there in the first place. Apparently the three were contractors for a company named Darkmatter, which seems to be largely just a breakaway entity from another company called Cyberpoint. Whether it's truly independent or just exists to provide plausible deniability to Cyberpoint is hard to say. Cyberpoint is based in Baltimore, md (In other words, right outside Washington, D.C.) and itself has lots of ties to Booz Allen.

So, basically I think what we're seeing here is these guys getting a slap on the wrist to avoid exposing their politically-connected overlords from scrutiny (and the same criminal charges since these guys are probably just employees following directives from their supervisors). The people behind these companies are probably the same politically-connected swamp dwellers we see all the time. They run various "consultant" companies, they're probably "operatives" or money guys of some kind in one of the two major political parties and probably have a revolving door to positions in government (probably just below the cabinet level, but maybe even cabinet members sometimes) when their party is in power. This is exactly the kind of stuff that Guliani has been involved in, for example. Remember how he ran a "cybersecurity" company. He used to run a security consulting business as well. The role these guys play in this sort of thing is really as lobbyists and selling access. That means access to politicians, but also access to other human resources. Like, for example, former NSA employees.

The Book

[chill]

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race by Nicole Perlroth is an excellent book and details the story on these people and much more.

What was illegal?

[mumbojumbo21]

Didn't read the article or the law, but the summary says that they provided services to a UAE company and it is illegal to provide services to a foreign government. Government != company. What was illegal about what they did?

Re:

[dowhileor]

A person just can't "do" work for for a foreign office while a legal resident of the US without declaring "something" was done. Just being there and giving your opinion is one thing and I believe you can do just that. But developing sensitive infrastructure? Not so much and then "opinions" begin to fall in that category more and more.

Re:

[Opportunist]

They probably had a non-compete clause going. I mean, if I provided the same service that my employer is selling, I'd get into trouble, too.

Re:

[timeOday]

No, these were "former" employees. And not accused of stealing any classified tools or techniques from the US govt., at least not that the article says.

Re:

[bws111]

If the tools created were used by a foreign government, then they aided the government. Throwing a third party ('the company') in there doesn't change that.

US export law requires the 'exporter' to know who he is exporting to, and to ensure that the export does not end up where it is restricted.

Re:

[mumbojumbo21]

This would make posting a complaint to facebook about your service rifle jamming into a crime because the information could be used by a foreign government to aid in a potential military conflict with a power using that model of service rifle. I think the wording of "providing services" rather than "providing aid" is important in the law and implies a direct rather than indirect relationship between the service provider and the foreign government.

Re:

[MooseTick]

"If the tools created were used by a foreign government, then they aided the government."

So would you have liability if you wrote an OS a foreign government used? Or any app they like?

Re:

[flyingfsck]

In short: Yes. In not so short, you got to look at the classification of various types of software on the State Department export web site. Not everything is restricted. MS Windows and Mac OS for example have Mass Market licences and may be exported freely. In order to comply with the mass market license terms, these two OSs have certain design restrictions to make them unable to process Sonar and high quality military video properly - this is essentially done by adding deliberate jitter, so that it is

Re:

[mumbojumbo21]

The differed prosecution agreement makes me think maybe the govt wasn't sure they could win the case and the defendants didn't think they could afford to lose the case, so they agreed to a settlement. We know prosecutors will often overcharge in the hope of getting a settlement in a case they don't think they can win outright. This is based solely on watching Law & Order and Billions. Sounds like overzealous prosecution to me. :-(

Re:

[jgdnavy]

If you dig into the article's references, it appears the work they were doing for the company was specifically intended for use by the UAE government, and according to DOJ press releases, they had been warned that they needed to apply for a defense export license on multiple occasions. The summary makes it look it was essentially the equivalent of working for the UAE version of Microsoft, where the government will likely end up using some of your products, but it seems to be closer to equivalent to contrac

Re:

[mumbojumbo21]

That seems to clear it up then.

Re:

[flyingfsck]

Darkmatter is a small company in the UAE, which provides security related software and hardware to the UAE government. So the end user of the services was the UAE military.

So, they're traitors then.

[NoMoreDupes]

I find it interesting that they let these traitors get off with a plea/fine instead, since they clearly acted against citizens of the US and its government at the behest of another.

Re:

[inode_buddha]

Makes you wonder what kind of dirt they have on some other people in the US gov't

Re:

[MooseTick]

"they clearly acted against citizens of the US."

Aiding the UAE or any non-US entity does not equal acting against citizens of the US.

Considering their positions

[aerogems]

I agree with the others that this should have resulted in jail time, if not treason charges. As far as I'm concerned, (especially) anyone who holds, or has held, any level of security clearance for the US government, should be automatically charged with treason if they work for any foreign government, friendly or otherwise, unless they are given a special dispensation to do so. Jail time should be a given, not to mention monitoring of you, your family, and anyone else close to you, by your friendly neighbor

Re:

[yahooglesoft]

...monitoring of you, your family, and anyone else close to you, by your friendly neighborhood FBI field office for the remainder of your life.

Come join the NSA where you get paid a fraction of what private companies do AND monitoring of you, your family, and anyone else close to you, by your friendly neighborhood FBI field office for the remainder of your life. What a recruitment pitch.

Re:

[nocoiner]

Come join the NSA where you get paid a fraction of what private companies do AND monitoring of you, your family, and anyone else close to you, by your friendly neighborhood FBI field office for the remainder of your life. What a recruitment pitch.

Which roughly translates to: "Don't be a fucking treasonous idiot and you'll be fine the rest of your life"

P.S. being paid immensely elsewhere doesn't shield you from treason charges, but due to the spinelessness of the DOJ/FBI seems to mean you can get away with it by just paying a fine.

Re:

[Rujiel]

Being monitored the rest of your life is "fine" with you? Or rather, if your point is that someone who would work for the NSA deserves as little privacy as that agency would give any of us, then I agree.

Re:

[aerogems]

Did you even read my comment? Beyond the part you quoted anyway. The monitoring would only happen if you held a security clearance and then did work for a foreign government without getting clearance first.

Re:

[MooseTick]

"anyone who holds, or has held, any level of security clearance for the US government"

So anyone who was ever in the armed forced? And this lasts forever? Someone who was a Private in the Army for 2 years back in 1954 should need special permission to work for the Canadian forest service?

Re:

[aerogems]

Yes, I very deliberately left out practical details about how it might be implemented for the sake of brevity since we all know that ideas floated in /. comments are all unlikely to ever be given serious consideration for implementation, and even if they were, there'd be a bunch of people in government who would be responsible for working out the particulars.

Work for NSA and never work again?

[innocent_white_lamb]

I don't really get this.

If you work for the NSA and quit (or are fired, or whatever) you are then forbidden to work for anyone else in a related field ever again?

Why would anyone work for the NSA if that's the situation?

Baked Beans

[TechyImmigrant]

>broke US export control laws that require companies and individuals to obtain a special license from the State Department's Directorate of Defense Trade Controls (DDTC) before providing defense-related services to a foreign government.

Calling hacking a defense related service is like calling baked beans a defense related food because soldiers eat it.

Re:

[flyingfsck]

The problem is that they worked for Darkmatter, a military information security company in the UAE. Being in the security industry, they should have known better.

Traitors!

[BrendaEM]

In my day, that's the label applied.

Re:

[flyingfsck]

Traitors no, since the work they performed wasn't all that important, but they should have known better - that is why they are getting off with fines.