Spies and lies: Aggressive UAE cyber ops expose ex-NSA hackers

Spies and lies: Aggressive UAE cyber ops expose ex-NSA hackers
Comment: The rise of cyberweapons and cyberwar calls out for rules for their use, writes Wilson Dizard.
5 min read
31 Jan, 2019
Americans working for the Emiratis used their experience of mass surveillance to hack iPhones [Getty]
The United Arab Emirates gained an upper hand over its online enemies by paying top dollar to former National Security Agency cyber mercenaries - American citizens - to track down human rights activists, journalists and leaders of rival countries, Reuters reported on Wednesday.  

But the Americans spies only backed out when they realised they were spying on fellow Americans on behalf of their Emirati bosses.

The Reuters report sheds light on the vulnerability of everyone on the internet to targeting hacking or sweeping surveillance by anyone with enough money to do it.

A person's life story, their family, friends, political views, are all subject to invasion if the invader is determined and rich enough to exploit security flaws in our mobile devices, our silicon souls. The fact that Americans were willing to do this to other human beings, as long as they weren't Americans, also points to something deeply rotten with how we live online in 2019.

The explosive revelations of the investigation reveal how American employees of the Emirates used their experience in the US mass surveillance to hack into the iPhones or infect the computers of people the Emirates considers a threat.

While the cover story for their operation was a mission of a purely defensive nature, safeguarding UAE data from attacks, their actual job was to play offense, drilling down into the lives of anyone critical of UAE domestic or foreign policy. As the Gulf diplomatic crisis worsened regional tensions, the Emirates only stepped up its cyber offensive.

Americans were okay with spying on human rights activists as long as they weren't Americans

"Some days it was hard to swallow, like [when you target] a 16-year-old kid on Twitter. But it's an intelligence mission, you are an intelligence operative. I never made it personal," said Lori Stroud, former employee of both the NSA and its Emirates equivalent, the National Electronic Security Authority (NESA), told Reuters.

Stroud has since moved back to the US, where she lives in an undisclosed location. Other former employees, who asked for anonymity, confirmed Stroud's version of events.

The report contains eye popping details of how the UAE conducts itself in cyberspace. Iranians and Qataris are prime targets for surveillance, and so are a few Americans. When Stroud and others found out, they started to have ethical misgivings about what they were doing.

US law prohibits the intelligence community from directly spying on American citizens (the Federal Bureau of Investigation fills that role), but that's what the Emiratis, under project Raven, were paying Americans to do.

The specifics of the programme are disturbing, but even more worrying is that these Americans were okay with spying on human rights activists as long as the activists weren't Americans. That's the distinction that mattered most to the cyber mercenaries: The nationality of their targets, not their humanity.

Read more: Karma police: American spies masterminded global UAE operation to hack US citizens and pro-democracy activists

What I find especially grotesque about this ex-NSA mercenary is that her conscience was only pricked when she was spying on Americans, as if all those Arab dissidents and journalists, whose freedom and lives she was risking, were worthless," author Khaled Diab wrote on Twitter.

The internet is incredibly new - something akin to a parallel dimension that meshes with our own, more familiar physical reality. As such, it does not seem to be "real life," but it very much is.

Its structures, servers and fiber optic cables, are also part of physical reality, but our presence there seems purely psychological, metaphysical almost. The human brain's ability to decipher right from wrong, or moral and immoral, was not prepared for this new world made of mirrors.

Back in the real world of human bodies and objects, grotesque violations of rights seem more clear cut. An American engineer who takes a giant sum of money to build internationally sanctioned cluster bombs or white phosphorus munitions cannot hide behind the "never made it personal" excuse Stroud did.

That an engineer does not personally hate the children he or she is burning alive does not make the children any less charred to cinders.

Iranians and Qataris are prime targets for surveillance, and so are a few Americans

The world only came to agree on rules protecting civilians in war after the deaths of tens of millions of people in two world wars, some of those deaths happening in factories that existed only to kill people. Mass murder and genocide have been around for as long as people have been, but only since the invention of steam power and the internal combustion engine has genocide become so easy.

The inventors of the steam locomotive in the 19th century likely never imagined a latter version of their invention would transport millions of people to their deaths. And the inventors of the repeating rifle probably never thought of the horrors of Europe's trench warfare decades later. What the survivors of World War I failed to realise is that no war can end all wars, only people can.

So what cyber weapons will this century see? Whole nations toiling under close and rigorous government surveillance?

Any dissident's silicon soul open for inspection by the highest bidder for that particular information? We're already there.

Metaphysical trolling bursting out from the cyber realm into the tortured last moments of a man walking into a consulate to see about marriage paperwork? We're already there.

The rise of cyberweapons and cyberwar calls out for rules for their use, preventing the targeting of civilians or civilian infrastructure anywhere.

Just as human rights law does not stop human rights violations, an international agreement on cyberwar law will not end abuses by governments, but at least they can provide a vocabulary for how to talk about them.

Right now, those words are hard to find. The Emirates targeting of civilians online thrives in that vacuum.

The UAE's aggressive cyber operations are a harbinger, a ghastly forerunner, that herald future horrors that await in the 21st century if the world chooses to ignore history. The internet is only as good as we are, and we have to be better.

Wilson Dizard is a reporter and photojournalist covering politics, media and culture. He enjoys bicycling. 

Follow him on Twitter: @willdizard

Opinions expressed in this article remain those of the author and do not necessarily represent those of The New Arab, its editorial board or staff.