On September 14, 2021, the U.S. Department of Justice announced that three former employees of the U.S. Intelligence Community (USIC) and the U.S. military agreed to enter a deferred prosecution agreement (DPA) for conspiracy to violate the Arms Export Control Act (AECA) and the International Traffic in Arms Regulations (ITAR) in violation of Title 18, United States Code, Section 371. The Agreement restricts the three individuals’ future activities and employment as well as requires them to altogether pay approximately $1.68 million in penalties.
Court documents state that between 2016 and 2019, the three individuals worked as senior managers at a U.A.E. company that supported and carried out computer network exploitation (CNE) operations for the benefit of the U.A.E. government. Despite warnings that their work constituted a “defense service,” pursuant to the ITAR, and therefore required a license from the State Department’s Directorate of Defense Trade Controls (DDTC), the Defendants continued to provide their services without a license. Most notably, their services assisted in the development of sophisticated “zero-click” computer hacks and intelligence gathering systems – which allow a person to compromise a device without any action from the target. These systems allowed employees of the U.A.E. company to “illegally obtain and use access credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States.”
Prior to joining the U.A.E. company and after their departure from government employment, the three Defendants worked for a U.S. company that provided cyber services to a U.A.E. government agency in compliance with the ITAR pursuant to a DDTC-issued Technical Assistance Agreement (TAA). When the three individuals transitioned to the U.A.E. company to provide the same services, the U.S. company warned the Defendants that their services constituted “defense services” under the ITAR and that they could not provide such services to the U.A.E. company without a separate TAA.
Under the DPA, the Defendant will pay $750,000, $600,000, and $335,000 respectively, over a three-year term. The Defendants also agreed to the immediate relinquishment of any foreign or U.S. security clearance as well as certain employment restrictions.
The Press Release is available here.
For more information on actions related to ITAR and cybersecurity, contact our team and see previous posts below.