New US law says intelligence agencies must report risks of ex-spies working overseas
The US has passed legislation that requires its spy agencies to provide an annual report detailing the risks posed by former spies going to work for foreign governments.
Congress passed the law in response to a report that surfaced last year, which detailed ex- US intelligence operatives helping the United Arab Emirates spy on prominent Arab media figures with alleged ties to Qatar, as well as a British activist and several US journalists.
The report from a Reuters investigation had found that ex-National Security Agency (NSA) employees helped the UAE spy on the chairman of Al Jazeera, as well as dissidents, journalists and critics.
The attacks, part of the Emirati "Project Raven", used a cyber weapon called Karma, which allowed operatives to remotely hack into iPhones by inputting a target's phone number or associated email address into the attack software.
Max Rose, a Democratic Congressman from New York, called the idea of ex-US spies working for foreign governments “absolutely chilling” when he initially proposed the legislation on the floor of the US House of Representatives last year, Reuters reported.
In an emailed statement this week, Rose said the US government has “no comprehensive understanding” of the national security implications triggered by the practice.
The new measure, Rose said, will help Congress learn “the full scope of this issue and what steps are needed to keep our nation’s secrets safe.”
This provision was signed into law as part of the Defense Department’s spending bill last month. It will require Washington’s intelligence community to provide Congress with an annual assessment of risks to national security posed by “retired and former personnel of the intelligence community” who work as contractors to foreign governments, Reuters said.
The legislation is the second measure Congress signed into law in recent weeks targeting foreign spying work. Another new piece of legislation directs the State Department to report to Congress how it controls the spread of cyber tools and to disclose any action it has taken to punish companies for violating its policies.
Before offering hacking tools or services to foreign governments, contractors must generally obtain approval from the US State Department, according to Reuters.
Last year the State Department said that human rights concerns are carefully weighed before such approval is issued, but declined to comment on the authorizations granted for Project Raven.
While it has been legal for retired intelligence personnel to work for foreign governments – provided they don’t reveal US secrets – some defense experts and lawmakers fear the practice poses risks to the United States.
The phone-hacking operation revealed last year dated back to June 2017, the same week that four Arab countries, including the UAE and Saudi Arabia, broke diplomatic ties and imposed a blockade on Qatar.
According to documents seen by Reuters, three days after the blockade began, Raven operatives hacked into the iPhone of Gisele Khoury, the Beirut-based host of BBC Arabic's "The Scene", a current affairs programme.
Former Raven operatives told the news agency that they were also tasked with finding material showing that Qatar's royal family had influenced the coverage of Al Jazeera, the influential, Doha-based media network, and other outlets.
The operatives also said they were asked to uncover any ties between Al Jazeera and the Muslim Brotherhood.
The Office of the Director of National Intelligence said it was aware of the new legislation but did not respond to further questions, Reuters said. The UAE Embassy in Washington did not respond to the news agency's request for comment.
Last year, Dana Shell Smith, the former US ambassador to Qatar, said she found it alarming that US intelligence veterans were able to work for another government in targeting an American ally.
She said Washington should better supervise US government-trained hackers after they leave the intelligence community.
"Folks with these skill sets should not be able to knowingly or unknowingly undermine US interests or contradict US values," Smith told Reuters.
It appears the UAE's efforts to spy on people's phones did not stop after details of Project Raven were revelealed last year. In fact, its spying efforts may have cast a broader net, targeting the general public.
Earlier this month, the New York Times reported that the Emirati government was using ToTok, a messaging service similar to WhatsApp or Skype, to track intimate details of those who had installed it.
The app has been downloaded free by millions of users.
The company behind ToTok, Breej Holding, is most likely a front company affiliated with DarkMatter, an Abu Dhabi-based cyberintelligence firm currently being investigated by the FBI, the NYT reported.