The United Arab Emirates has been hiring former White House executives and intelligence officials for spying missions, according to a report by Reuters on Tuesday.
Following the 11 September attacks, the former American counterterrorism czar, Richard Clarke, warned Congress, that the US needed more expansive spying powers to prevent another catastrophe. Five years after leaving government, he shopped the same idea to an enthusiastic partner: an Arab monarchy with deep pockets.
Reuters also revealed that in 2008, Clarke went to work as a consultant, guiding the UAE, as it created a cyber surveillance capability that would utilize top American intelligence contractors to help monitor threats against the small, but wealthy, nation.
Clarke, who had good relations with the UAE, helped create the Development Research Exploitation and Analysis Department (DREAD).
The secret unit that Clarke, who had good relations with the UAE, helped create had an ominous acronym: DREAD, short for Development Research Exploitation and Analysis Department.
In the years that followed, the UAE unit expanded its hunt far beyond suspected extremists to include a Saudi women’s rights activist, diplomats at the United Nations and personnel at FIFA, the world soccer body. By 2012, the program would be known among its American operatives by a codename: Project Raven.
Reuters revealed how a group of former American National Security Agency (NSA) operatives, and other elite US intelligence veterans, helped the UAE to spy on a wide range of targets.
Clarke informed Reuters that he was to create a unit capable of tracking terrorists. He disclosed that the plan which followed US law, was approved by the US State Department, the NSA and Good Harbor Consulting, a cyber risk management company.
“The incentive was to help in the fight against Al-Qaeda. The UAE is a very good counter-terrorism partner. You need to remember the timing back then, post 9-11,” Clarke stressed. “The NSA wanted it to happen.”
To chart the UAE spying mission’s evolution, Reuters examined more than 10,000 DREAD program documents and interviewed more than a dozen contractors, intelligence operatives and former government insiders with direct knowledge of the program. The documents Reuters reviewed span nearly a decade of the DREAD program, starting in 2008, and include internal memos describing the project’s logistics, operational plans and targets.
Clarke was the first in a string of former White House and U.S. defense executives who arrived in the UAE after 9/11 to build the spying unit. Utilizing his close relationship to the country’s rulers, forged through decades of experience as a senior U.S. decision-maker, Clarke won numerous security consulting contracts in the UAE. One of them was to help build the secret spying unit in an unused airport facility in Abu Dhabi.
In an interview in Washington, Clarke said that after recommending that the UAE create a cyber surveillance agency, his company, Good Harbor Consulting, was hired to help the country build it. The idea, Clarke said, was to create a unit capable of tracking terrorists. He said the plan was approved by the U.S. State Department and the National Security Agency, and that Good Harbor followed U.S. law.
The NSA did not answer written questions about its knowledge of DREAD or its relationship to any of the contractors. The State Department said it carefully vets foreign defense service agreements for human rights issues. UAE spokespeople at its Washington embassy and Ministry of Foreign Affairs did not respond to requests for comment.
Clarke’s work in creating DREAD launched a decade of deepening involvement in the UAE hacking unit by Beltway insiders and U.S. intelligence veterans. The Americans helped the UAE broaden the mission from a narrow focus on active extremist threats to a vast surveillance operation targeting thousands of people around the world perceived as foes by the Emirati government.
One of Clarke’s former Good Harbor partners, Paul Kurtz, said Reuters’ earlier reports showed that the program expanded into dangerous terrain and that the proliferation of cyber skills merits greater U.S. oversight. “I have felt revulsion reading what ultimately happened,” said Kurtz, a former senior director for national security at the White House.
At least five former White House veterans worked for Clarke in the UAE, either on DREAD or other projects. Clarke’s Good Harbor ceded control of DREAD in 2010 to other American contractors, just as the operation began successfully hacking targets.
A succession of U.S. contractors helped keep DREAD’s contingent of Americans on the UAE’s payroll, an engagement that was permitted through secret State Department agreements, Reuters found.
The program’s evolution illustrates how Washington’s contractor culture benefits from a system of legal and regulatory loopholes that allows ex-spies and government insiders to transfer their skills to foreign countries, even ones reputed to have poor human rights track records.
American operatives for DREAD were able to sidestep the few guardrails against foreign espionage work that existed, including restrictions on the hacking of U.S. computer systems.
Despite prohibitions against targeting U.S. servers, for instance, by 2012 DREAD operatives had targeted Google, Hotmail and Yahoo email accounts. Eventually, the expanding surveillance dragnet even swept up other American citizens, as Reuters reported earlier this year.
In an interview, Mike Rogers, former chairman of the U.S. House Intelligence Committee, said he has watched with growing concern as more and more former American intelligence officials cash in by working for foreign countries.
“These skill sets do not belong to you,” he said of ex-U.S. agents, but to the U.S. government that trained them. Just as Washington wouldn’t let its spies work in the pay of foreign nations while employed at the NSA, he said, “Why on God’s green earth would we encourage you to do that after you leave the government?”
An NSA spokesman said former employees are mandated for life not to reveal classified information.
For years before the creation of DREAD, Clarke grappled with the need for domestic surveillance in the United States, as well as its potential dangers.
Clarke, a counterterrorism czar to Bill Clinton and George W. Bush, is perhaps best known for offering an unequivocal public apology for Washington’s inability to prevent the 9/11 attacks.
“Your government failed you. Those entrusted with protecting you failed you. And I failed you,” Clarke said in 2004, one year after leaving government, testifying before a U.S. commission established to investigate intelligence failures leading to the 9/11 attacks.
To prevent future attacks, Clarke urged America to create a domestic spying service, while saying such a unit must avoid civil liberties violations. “We’d have to explain to the American people in a very compelling way why they needed a domestic intelligence service, because I think most Americans would be fearful of a secret police,” he said.
Clarke’s testimony to the 9/11 Commission helped lead to the creation in 2005 of a domestic intelligence service within the Federal Bureau of Investigation — described as “a service within a service” — staffed by federal agents, language analysts and surveillance specialists.
Two years earlier, Clarke had joined his former deputy Roger Cressey at the newly launched Good Harbor Consulting, a security advisory group. Clarke brought one of the most famous names in U.S. national security.
He also brought a decades-long relationship with a potential client of immense wealth: Sheikh Mohammed bin Zayed al-Nahyan, known as MbZ, the son of the UAE’s most powerful ruler. In the months preceding the 1991 U.S.-led war on Iraq, Clarke, then a senior American diplomat, had been sent to the Gulf to seek assistance from regional allies. MbZ stepped up as the U.S. prepared to go to war.
MbZ helped Clarke obtain permission from the Emirati government for bombing runs in UAE airspace, and he funneled billions toward the American war effort. In 1991, when Congress questioned whether Washington should allow a $682 million arms sale to UAE, Clarke bristled.
“They transferred $4 billion to the U.S. Treasury to support the war effort,” he told the House Subcommittee On Arms Control. “Is that the kind of nation that we should snub by denying them 20 attack helicopters? I don’t think so.” The UAE got the choppers.
In the years after Clarke joined Good Harbor in 2003, MbZ, the de facto ruler of the UAE, granted the company the rare opportunity to help build the country’s homeland security strategy from the ground up. Clarke’s Good Harbor soon won a series of security contracts to help the UAE secure its infrastructure, including work to protect the Gulf state’s seaports, nuclear projects, airports, embassies and petrochemical facilities, according to two people with direct knowledge of the contracts.
Along with helping stand up an emergency response department and maritime security unit, Clarke believed the UAE required an NSA-like agency with the ability to spy on terrorists. Clarke said he placed Good Harbor partner Paul Kurtz, himself a former White House veteran, in charge of the contract.
“At the highest level, it was cyber defense and how you protect your own networks,” Kurtz said in a phone interview with Reuters. The UAE wanted to know, he said, “How do I understand more about what terrorists may be doing?”
Asked whether he was concerned the UAE could use the capability to crack down on activists or dissidents, Clarke stressed that “the overarching concern was getting Al Qaeda.” He said he had limited visibility into the program at the time and that Kurtz was responsible for the day-to-day management of the contract to build the program.
Kurtz said his personal involvement was limited to high level consulting, with his knowledge of daily activities “next to none.” For technical expertise on hacking, he said, Good Harbor relied on subcontractors from the American defense company SRA International, managed by an executive named Karl Gumtow.
SRA, then a 7,000-employee operation based in Fairfax, Virginia, was chosen because of its experience with NSA contracts, Clarke said.
Utilizing eight contractors from SRA, Good Harbor started building DREAD in 2008 inside a building that resembled a small airplane hangar on the edge of the Al Bateen airport in Abu Dhabi. The program began as an arm of MbZ’s royal court, and was initially managed by the prince’s son, Khalid.
The contractors built the project from scratch. They trained potential Emirati staff in hacking techniques and created covert computer networks and anonymous Internet accounts the UAE could use for surveillance operations.
In 2009, the group set out to build a spy tool codenamed “the Thread,” software that would enable the Emiratis to steal files from Windows computers and transmit them to servers controlled by the Court of the Crown Prince, DREAD program documents show.
Beyond offering guidance and support, Good Harbor and SRA did not envision an active role in hacking operations.
The program was intended to leave the UAE equipped with the cyber capabilities to pursue terrorism threats on its own. But within months, the Americans could see they needed to take the lead from their less experienced Emirati colleagues, said three former DREAD operatives.
Some UAE trainees appeared disinterested and ill-equipped. One trainer, a former SRA contractor and ex-NSA cryptographer named Keith Tuttle, concluded one student had “lost interest” and another “continues to struggle with technology,” a program report card reviewed by Reuters shows.
That left the Americans with little choice but to get more involved, two former DREAD operatives told Reuters, eventually doing everything aside from hitting the final button on a computer intrusion. Tuttle, citing advice from his attorneys, declined to comment.
A spokesman for General Dynamics, the owner of SRA International after multiple business acquisitions, said the original contract with Good Harbor ended in 2010. He declined further comment.
The hacking requests from UAE security forces to the new unit accelerated after Christmas 2009, just one year after Good Harbor started on DREAD. UAE leaders received intelligence warnings that a violent extremist attack could be imminent. A panicked request came to the nascent hacker team: Help us spy on outbound Internet traffic coming from a suspected extremist’s home computer network located in the northern part of the country.
DREAD’s SRA handlers were still months from finishing the Windows hacking software, Thread. Suddenly, U.S. operatives were cobbling together makeshift spy tools based on computer security testing software found for free online, according to two people with direct knowledge of the incident.
Yet they succeeded within weeks, hacking the suspected extremist in a mission seen by the Emiratis as a key success that may have prevented an attack. The incident marked a crucial moment in the relationship. With that success came more targeting requests and a deeper role for the Americans, said two people with direct knowledge.
By the end of 2010, Good Harbor stepped back from DREAD, leaving control in the hands of SRA vice president Gumtow, program documents show. He had just started his own Maryland company, CyberPoint. “Our focus was to help them defend their country,” Gumtow said in a phone interview.
With Good Harbor’s departure, Kurtz joined CyberPoint, although he said his involvement in DREAD ended by 2011.
Within two years, Gumtow expanded the number of Americans on the program from around a dozen to as many as 40. More than a dozen were poached from the halls of the NSA or its contractor list. DREAD’s annual budget reached an estimated $34 million, project documents show.
Some American recruits had concerns about working for a foreign spy service. But the program’s connection to respected national security figures such as Clarke, Kurtz and Gumtow led them to conclude the effort was above board, four former operatives said.
Jonathan Cole, a former U.S. intelligence operative who joined DREAD in 2014, said he believed the UAE mission had Washington’s blessing due to the involvement of CyberPoint’s Maryland-based staff in other classified programs for the U.S. government. “I made some assumptions,” Cole said.
In 2011, the program moved to the first of a series of secret converted mansions, known as the Villa, and among its American contractors was given the codename Project Raven.
Gumtow told Reuters his U.S. contractors were hired only to train Emirati hackers, and were prohibited from assisting in operations themselves. U.S. law generally prohibits Americans from hacking computer systems anywhere, but specifically prohibits targeting of other American people, companies or servers.
Although Gumtow managed the DREAD contract for five years from Baltimore, he said he never learned of such activities occurring among his staff. He said his visibility was limited, as he visited his UAE staff five or six times a year.
“I did not get involved in day-to-day program activities,” Gumtow said. “If we had a rogue person, then there’s nothing I can do.”
Still, the American team soon occupied almost every key position in the program. American operatives helped locate target accounts, discover their vulnerabilities and cue up cyberattacks. To stay within the bounds of the law, the Americans did not press the button on the ultimate attack, but would often literally stand over the shoulders of the Emiratis who did, 10 former operatives told Reuters.
After the 2011 Arab Spring demonstrations shook the region, Emirati security experts feared their country was next. DREAD’s targets began to shift from counterterrorism to a separate category the UAE termed “national security targets” — assisting in a broad crackdown against dissidents and others seen as a political threat. The operations came to include the previously unreported hacks of a German human rights group, the United Nations’ offices in New York and FIFA executives.
Between 2012 and 2015, individual teams were tasked with hacking into entire rival governments, as the program’s focus shifted from counterterrorism to espionage against geopolitical foes, documents show.
*Read the complete report here