A newly passed law will compel the U.S. State Department to report its criteria for sales of U.S. cybersecurity tools and services to foreign countries.
The legislation, which was tacked on to the State Department’s 2020 budget bill signed into law in December 2019, also requires the agency to apprise Congress within 90 days of any action it has taken to punish countries for violating its policies. The bill was initially drafted in May 2019 by Dutch Ruppersberger (D-MD), who sits on the House Appropriations subcommittee that moved it through Congress. Under the measure, U.S. companies selling hacking products or services to foreign governments must first obtain permission from the State Department. “Just as we regulate the export of missiles and guns to foreign countries, we need to properly supervise the sale of cyber capabilities,” said Ruppersberger, Reuters reported.
The law stems in part from a Reuters report in January 2019 that uncovered a secret hacking team run by U.S. cybersecurity contractors that included more than a dozen former U.S. intelligence agents who helped the United Arab Emirates (UAE) spy on other governments, militants and human rights activists using American technology. According to the report, the State Department sanctioned Good Harbor, a U.S. consultancy, CyberPoint, a cybersecurity provider, and defense contractor SRA to assist the UAE in the spying operation called Project Raven.
Karl Gumtow, CyberPoint’s chief executive, has previously denied conducting hacking initiatives or breaking U.S. laws, Reuters reported. And, in a prior communication, the State Department told Reuters that it is “firmly committed to the robust and smart regulation of defense articles and services export.” The agency grants export licenses for U.S. cybersecurity technology based on “political, military, economic, human rights, and arms control considerations,” officials said.
Concerns over U.S. cybersecurity weaponry ending up in foreign arsenals haven’t sprung from nowhere. In 2017, nation-state bad actors stole some of the U.S. National Security Agency’s (NSA) most guarded hacking secrets, and recently, state-sponsored Chinese cyber spies recovered hacking tools used by the NSA in a 2016 attack on its systems and reverse engineered the code to hit targets in Europe and Asia.