It’s difficult to feel anything other than disappointment after reading Reuter’s investigation of activities by a U.S. contractor in the UAE. The allegations that former NSA analysts working for a private U.S. contractor may have aided in the surveillance of U.S. citizens raises troubling issues about the activities of private contractors and the lines that may have been crossed in executing intelligence collection on behalf of a foreign intelligence service.
The involvement of U.S. contractors providing intelligence and other assistance to foreign governments and intelligence services is not a new development; there are numerous existing legal contracts governed by U.S. export control regulations that operate in clearly defined areas of products and services. When does the testing of equipment or the training of foreign clients cross into the gray zone of executing or directly enabling actual intelligence collection on their behalf? And even worse, what if U.S. citizens, working on behalf of a foreign government, did engage in surveillance of U.S. persons at the behest of their employer?
There’s been a good deal of chatter among former Intelligence Community employees about some of the activities in the UAE as well as some of the companies supplying intelligence products and services. In the case of Project Raven, there are a range of potential legal violations – but equally troubling is a lack of ethics and a callous disregard for the rights of U.S. persons and others as part of a “wild west” mentality.
One of the most telling parts of the Reuters piece is the interview with Lori Stroud, a former contractor analyst for NSA. Ms. Stroud discusses her growing discomfort with the UAE operations and her decision to confront her supervisors, and then ultimately leave and share her story. What line was crossed for her? Apparently the one where actual U.S. citizens were targeted by Project Raven. While Ms. Stroud and others also walked away, what about those contractor employees who stayed on? What could possibly be their explanation for essentially working on behalf of a foreign intelligence service that allegedly targeted dissidents and even U.S. persons?
Ms. Stroud also discussed her initial enthusiasm for the Raven “counterterrorism” operations, noting that there was not a lot of “red tape” inhibiting the UAE intelligence operations – the type of annoying “red tape” she experienced while at NSA. Those of us who have dealt with the extremely complex legal issues relating to intelligence collection are quite familiar with the “red tape” that she found so inconvenient. The rules and procedures -sometimes quite frustrating– are to protect U.S. citizens or U.S. persons – to put controls on invasive technical capabilities. Their purpose is not expediency; their intent is to minimize surveillance of, and information disseminated about U.S. persons.
And yet, somehow, the U.S. contractor in the UAE and former NSA employees view their freedom from those pesky rules as an incentive for their work (at least an incentive beyond the obvious financial ones). They cast wide collection nets which could reasonably be predicted to sweep up information relating to U.S. persons. They believed they had “plausible deniability” because they did not “push the button” – their Emirati colleagues did. They also believed that they were ultimately helping U.S. national interests. They remained in their positions once their U.S. contractor was replaced by an Emirati concern. They leave us with a whole series of rationalizations justifying the considerable financial benefit they gained while enabling intelligence collection on behalf of a foreign power.
The U.S. employees of Project Raven believed that their company had secured permission from the U.S. intelligence community to carry out these activities. Stroud claims that she was told as much by the former NSA employee who recruited her. Their supervisors claimed to be briefing unknown NSA officials on a regular basis – an allegation that the original U.S. contractor, CyberPoint, denies. The State Department agreement with Cyberpoint required specific NSA approval before training Emirati personnel in Computer Network Exploitation (CNE) or attack (CNA) – there is no mention of specific attack assistance and certainly a clear prohibition of any program “used to exploit U.S. persons”. But this alleged wink and a nod was sufficient for some to continue the activities in the UAE. NSA coordination was assumed; but what evidence of this was ever presented to these employees and how many of them actually demanded it? Was there really anyone at NSA, in either an unofficial or official capacity, that maintained contacts with the U.S. contractors on Project Raven?
There is some implication in the article and subsequent commentary that the U.S. government (via NSA) somehow explicitly approved and supported Project Raven because it could collect information that NSA cannot collect legally itself. This is quite disturbing on several levels. Former and current NSA intelligence officers and analysts know the rule that a U.S. intelligence entity cannot delegate collection that is otherwise illegal to another country’s intelligence service. This includes not just U.S. persons but citizens of our “Five Eye” intelligence partners including UK citizens. In fact, Executive Order 12333 on Intelligence Activities speaks to “indirect participation” by U.S. Intelligence Agencies. It specifies that “no person employed by or acting on behalf of the U.S. Government shall participate in or request any person to undertake activities forbidden by this Order” (EO12333, 2.1). Didn’t this raise some concerns or issues beyond claims of unofficial or tacit consent from NSA? It certainly should have.
And who was conducting oversight over these actual activities? Who should have known whether “educating” foreign intelligence services about tools and advanced surveillance technologies had expanded into the actual conduct of surveillance operations by U.S. employees? Stroud implies that the FBI had an open investigation of Project Raven with which she refuses to cooperate. The lines of inquiry need to be a lot broader – who is watching the “for hire” spies and contactors? Is someone making sense of the difficult gray areas between services, training, and deployment of technology? And what are we telling departing employees about their ethical and legal obligations post-employment beyond the general “conflict of interest” rules? These answers are important - not just to the reputations of the U.S. Intelligence Community but also for the conduct of intelligence related activities abroad.
Most present and former NSA and IC employees will tell you that the oath they took to the U.S. Constitution remains a key moment in their careers and its spirit endures even after they left direct government employment. We undertook a moral and ethical obligation to serve the U.S. and we did not discard that commitment upon our departure. Further, as part of our government employment we are also subject to ethics rules including the broadly stated avoidance of “an appearance of impropriety” – meaning simply that it is not just the black letter of the regulation, but about how we represent the U.S. government and our Intelligence Community. This is another guiding principle that most of carry into our post-NSA activities.
How very sad that a small group of analysts and a problematic contractor seemed to show so little concern about their lucrative activities on behalf of a foreign government. It is difficult enough to maintain the public trust – so necessary to the US Intelligence Community – without the complete disregard of consequences by those who most definitely should know better.
Read more from Rhea Siers....