State Department debars ex-NSA cyber mercenaries who aided vast UAE surveillance operation

The State Department has banned three former National Security Agency employees from working on any matters related to International Traffic in Arms Regulations, which regulates the sale of military technologies overseas, due to their involvement in helping the United Arab Emirates carry out a widespread surveillance campaign to spy on dissidents, journalists and politicians as well as U.S. companies.

The so-called disbarment for the former intelligence operatives will last at least three years, according to a State Department ruling released late last week.

The agency’s settlement with Ryan Adams, Marc Baier and Daniel Gericke for alleged violations of State Department-administered ITAR is just the latest development in a scandal first revealed by Reuters in 2019. Adams, Baier and Gericke entered into a deferred prosecution agreement with the Justice Department in September under which they admitted to their conduct and agreed to give up both their security clearances and $1.7 million.

At the time, FBI Cyber Division Assistant Director Bryan Vorndran called the charges a “clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company.”

The State Department’s administrative settlements resolve the ITAR charges that the men provided unauthorized “defense services involving electronic systems, equipment, and software that were specially designed for intelligence purposes that collect, survey, monitor, exploit, analyze, or produce information from the electromagnetic spectrum to foreign persons in the United Arab Emirates.”

The UAE is a well-known user of foreign commercial surveillance tools. The regime also has been under fire for holding human rights activist Ahmed Mansoor in isolation since 2017, spurring calls from the United Nations, U.S. government and others for his release. Mansoor was found to have NSO-produced Pegasus spyware on his phone in 2016.

Adams, Baier and Gericke worked in a secret hacking unit of the UAE-based cybersecurity firm DarkMatter, which paid former U.S. intelligence officers to help the UAE hack into phones of activists such as Mansoor. Former DarkMatter employees told Reuters that the hacking unit, known as “Project Raven,” also spied on U.S. citizens and companies.

In September, CyberScoop reported that prosecutors alleged the men were responsible for two zero-click exploits that leveraged vulnerabilities in a U.S. tech company’s systems to break into millions of smartphones. The men also were accused of stealing documents and passwords from computers around the world.

Some suggested the State Department resolution following a deferred prosecution agreement with the Justice Department didn’t go far enough.

“Their conduct severely jeopardized national security and that is why I’m surprised DOJ didn’t seek a more stringent punishment,” said B. Stephanie Siegmann, who was a federal national security prosecutor for 18 years and is now a cybersecurity partner at Hinckley Allen. “They likely advanced the UAE’s offensive cyber operations and that is a serious national security concern.”

Siegmann said an ITAR violation of this nature could carry a 20-year sentence, but the Justice Department did not charge the three with violating those regulations in the criminal case. She suspects the relatively light punishment is due to law enforcement concerns about “discoverable classified information” though she acknowledged the men may not have ultimately been criminally prosecuted and incarcerated due to their cooperation with the FBI.

She called their conduct “far more egregious than numerous people prosecuted by DOJ over the years for ITAR violations.” 

Clarified 8/31/22: to include additional information from B. Stephanie Siegmann about why the men may not have ultimately been prosecuted due to their cooperation with the FBI