New US law to monitor sale of cyber-tools overseas

Newly passed legislation will push the United States State Department to disclose how it polices the sale of cyber-tools and services abroad.

The move followed an investigation by the Reuters news agency which revealed that US intelligence contractors clandestinely assisted a foreign spying operation in the United Arab Emirates, helping the monarchy to crack down on internal dissent.

The legislation directs the US State Department to report to Congress within 90 days on how it controls the spread of cyber-tools and to disclose any action it has taken to punish companies for violating its policies.

Under US law, companies selling hacking products or services to foreign governments must first obtain permission from the State Department.

US legislators and human rights advocates have grown increasingly concerned that hacking skills developed for US spy services are being sold abroad with scant oversight.

“Just as we regulate the export of missiles and guns to foreign countries, we need to properly supervise the sale of cyber-capabilities,” said Congressman Dutch Ruppersberger of Maryland, who drafted the legislation.

The provision was a result of a Reuters investigation, congressional staffers said, which showed US defence contractors ran a hacking unit in the UAE called Project Raven and that the State Department granted permission to three companies to assist the Emirati government in surveillance.

A State Department spokesman declined to comment. The agency previously said human rights concerns are carefully weighed before such licences are issued but declined to comment on the authorisations granted for Project Raven.

The UAE embassy in Washington, DC did not respond to a request for comment. In response to Reuters reporting, a senior Emirati official last year said the country possessed a “cyber-capability” that it needed to protect itself.

The new reporting guideline was part of the State Department’s 2020 budget bill signed into law by President Donald Trump on December 20.

The UAE program used former US National Security Agency (NSA) operatives to target foreign rivals, human rights activists, and journalists, the Reuters reporting found.

While the secret Emirati hacking unit was initially created to help the country “fight terrorism”, the Reuters investigation revealed that it quickly became a tool for the monarchy to crack down on internal dissent. Reuters found the clandestine program helped local security forces track activists, who were sometimes later tortured.

Reuters reporting also showed how the State Department granted permission to three companies – US consulting firm Good Harbor, cybersecurity company CyberPoint International, and defence contractor SRA International – to assist the Emirati government in surveillance operations.

CyberPoint and Good Harbor did not immediately respond to requests for comment. General Dynamics, which now owns SRA, declined to comment.

Good Harbor and CyberPoint have previously told Reuters that they obtained proper permissions from the State Department and followed all US laws.

“This report will help Congress ensure these sales are advancing our foreign policy goals, especially in light of recent reports alleging human rights abuses,” said Ruppersberger, whose district is home to the NSA.