US Individuals Providing Defense Services Abroad Need a State Department License or Face Potential Prosecution

On September 7, 2021, three former U.S. Intelligence Community and military personnel (Defendants) entered into a Deferred Prosecution Agreement (DPA) with the U.S. Attorney’s Office for the District of Columbia and the U.S. Department of Justice, National Security Division (collectively, DOJ) in relation to the Defendants’ provision of computer network services, including computer network exploitation (CNE) services, to the U.A.E.
On

Specifically, the DPA relates to alleged violations of the International Traffic in Arms Regulations (ITAR) for the provision of “defense services” without a license from the U.S. State Department’s Directorate of Defense Trade Controls (DDTC), as well as computer fraud and access device laws. This alert will focus on the alleged violations of the Arms Export Control Act and ITAR.

Under the DPA, the Defendants will pay $1,685,000 (the amount they made during their employment) over the course of three years. The Defendants also relinquished any foreign or U.S. security clearances, are banned from ever obtaining U.S. security clearances in the future, are prohibited from working in the CNE field, are prohibited from exporting ITAR-controlled defense articles or furnishing ITAR-controlled defense services, and cannot work directly or indirectly for any U.A.E. Government organization responsible for law enforcement, national security, intelligence, armed forces, or defense services.

What Happened?

After leaving government service, the Defendants worked for a U.S. company that provided cyber services to certain U.A.E. Government agencies. These cyber services are controlled under the ITAR as “defense services.” The U.S. company provided these defense services with DDTC authorization, including Technical Assistance Agreements (TAAs). The TAAs authorized the U.S. company, including the Defendants who at the time were employees, to provide defense services to the UAE and contained several restrictions, including that the parties (1) would not “target or exploit U.S. Persons;” (2) reexport or retransfer goods, services, information and data to third parties without prior consent from DDTC; and (3) seek preapproval from the U.S. Government before releasing “any presentations and/or content pertaining to cryptographic analysis and/or computer network exploitation or attack.” While employed by the U.S. company, the Defendants received training on ITAR compliance and were made aware that their U.A.E.-related work was controlled under the ITAR and only lawful if compliant with the terms of the U.S. company’s DDTC authorizations.

In January 2016, the Defendants left the U.S. company for a U.A.E. company that also provided CNE services to the U.A.E. Government. Before and shortly after joining U.A.E. Company, the U.S. company notified Defendants that the company and its employees were prohibited from “sharing TAA-protected information and material with U.A.E. Company and its employees, that supporting U.A.E Company’s [cyber hacking] operations and related services would constitute ‘defense services’ under the ITAR, and that U.S. persons could not lawfully provide such services to foreign entities without a TAA or license from DDTC.” The U.S. company also notified the Defendants that if they joined the U.A.E. Company (1) their activities, which were covered by the ITAR, would no longer be covered by the U.S. company’s DDTC authorizations, (2) the Defendants would need to obtain their own DDTC authorizations to continue providing CNE services to the U.A.E., and (3) they could not access or distribute the U.S. company’s ITAR-controlled technical data.

Despite these warnings, Defendants hired employees from the U.S. company and caused them to provide access to the U.S. company’s ITAR-controlled information without obtaining DDTC authorization. Additionally, after joining the U.A.E. Company, Defendants “expanded the breadth and the sophistication” of the cyber-hacking operations the firm was providing to the U.A.E. Government by purchasing on multiple occasions third-party computer exploits from U.S. companies and developing two remote computer exploitation systems for foreign intelligence gathering purposes. Defendants at no point applied for a DDTC authorization for the provision of the CNE defense services to the U.A.E. Company.

And this Violated the ITAR How?

Like the export or reexport of defense articles and technical data, the provision of defense services is also covered under the ITAR. Under the ITAR, defense services include the:

  • furnishing of assistance, including training, to foreign persons, whether in the United States or abroad in the “in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing or use of defense articles”;
  • furnishing technical data to foreign persons, whether in the United States or abroad;
  • military training of foreign units and forces of foreign persons in the United States or abroad.

As such, the provision of ITAR-controlled defense services requires authorization from DDTC.

The two remote computer exploitation systems are both electronic intelligence gathering systems classified on the U.S. Munitions List (USML) in Category XI(b). DDTC determined that the Defendants assisted U.A.E. persons and entities in the use, design, development, engineering, production, modification, testing, maintenance, processing, or operation of the two remote computer exploitation systems and therefore provided defense services for which they should have obtained DDTC authorization.

For many years, there has been confusion about how the ITAR authorization requirement for the export of defense services applied to U.S. citizens employed by foreign entities. Did U.S. citizens need to register with DDTC as exporters of defense services? And just how did an individual apply for authorization? Did they apply for a TAA which then must be signed by the foreign employer, or should they use a DSP-5 or some other vehicle?

DDTC answered these questions in January 2020 when it published FAQs related to the provision of defense services by U.S. Persons abroad. The FAQs explain that while U.S. persons do not need to register with DDTC, they must file a General Correspondence (GC) request to DDTC’s Licensing Division and obtain authorization to provide the defense services. The non-U.S. employer can assist with the GC submission, although the GC authorization is issued directly to the U.S. person, who is responsible for ensuring compliance with the ITAR. Applications may also be grouped together if multiple U.S. persons employed by the same non-U.S. entity need authorizations.

What Have We Learned?

This action demonstrates the U.S. Government’s willingness to enforce the ITAR against U.S. persons providing defense services to non-U.S. employers and foreign governments, and DDTC’s view that the provision of CNE services may constitute a defense service. U.S. citizens and green card holders who provide such services to non-U.S. employers must obtain a GC from DDTC before engaging in such activities. The GC request to DDTC’s Licensing Division should include:

  1. A description of the scope of the request, including:
    1. A description of the program or defense article that is the subject of the
    2. proposed defense service; and
    3. A description of the defense services to be provided (ITAR § 120.9(a)).
  2. A description of the defense service provider’s ties to the United States, including:
    1. Any employment/education in the United States;
    2. A full description of any previous work activities or coursework that pertain to
    3. USML-controlled defense articles or defense services; and
    4. Information about any prior work on any U.S. government program(s), including the name of the program(s).

The GC should also include the U.S. individual’s resume and a detailed job description.

Contacts

Continue Reading