U.S. News

Security clearance loophole allowed ex-NSA hackers to work for UAE

WASHINGTON (Reuters) - How do you keep a coveted top-secret U.S. government security clearance while working for a foreign spy service? That question vexed U.S. intelligence operatives recruited to work as contractors for a secret United Arab Emirates hacking team.

But maintaining this privileged status, which allows access to America’s most sensitive secrets, wouldn’t be a problem, operatives say their employer told them.

In an arrangement that highlights a potential weakness in how Washington oversees an army of contractors engaged in classified projects, American recruits told Reuters they were allowed to maintain the U.S. intelligence community’s stamp of approval even after involving themselves in foreign hacking operations.

Security clearances are powerful tools. Having a “Top Secret” designation allows a U.S. contractor to be briefed on carefully guarded government information.

Before obtaining high level clearances, prospective government employees often undergo more than a year of investigation and lie detector tests. The designation can lead to lucrative jobs with U.S. defense contractors, positions that often require prospective employees to already have an existing clearance to even be considered.

A contractor who takes a job outside the U.S. government for several years may lose their clearance and have to be reinvestigated from scratch if they want to work for Washington again. Such a lapse can make an intelligence contractor ineligible for thousands of opportunities.

Former National Security Agency veterans who joined the UAE’s Project DREAD feared they would lose their clearances as they worked overseas, said five former operatives who worked on the program.

CyberPoint CEO Karl Gumtow, an American contractor whose company ran DREAD from 2010 until 2016, came up with a solution, five former operatives said. CyberPoint told some recruits the company could preserve their clearances even while they worked for another country’s spy service, former DREAD operatives said.

Founded in 2009, CyberPoint is a Maryland-based defense contractor that does work for the NSA.

The company made use of a little-known rule that allows defense contractors to maintain clearances for their staff even if they do no work on relevant U.S. government contracts.

In this case, Gumtow placed some operatives onto an unrelated NSA contract for which they did no work, according to former operatives and a copy of the NSA roster reviewed by Reuters.

Gumtow maintained a 67-name roster for a shell contract titled “Harborview” between CyberPoint and the NSA, a 2014 document shows.

Gumtow told Reuters the Harborview arrangement allowed him to ensure he could smoothly cycle his employees between classified U.S. government contracts and projects not needing a U.S. security clearance, such as DREAD. “To me it’s a pretty normal thing,” he said.

He acknowledged that perhaps “one or two” of his DREAD contractors on the roster never worked on an NSA contract while at CyberPoint.

In reality, at least six employees listed on the roster were American operatives who did no NSA contracting work after joining CyberPoint, according to 10 operatives interviewed by Reuters.

Use of shell contracts is common among large intelligence contractors. The practice is legal and allows employees to step through a revolving door between government and non-government work for an individual contracting company without having to worry about the status lapsing, said Daniel Meyer, a former executive director for the Inspector General’s office for the U.S. intelligence community.

“They are sort of on deck,” Meyer said, “so the agency can have a flexible pool of labor to draw from.”

CyberPoint’s offer to maintain individual clearances for DREAD recruits was seen as a hiring pitch to allay concerns their clearances would lapse while they worked for the UAE, said five former DREAD operatives.

Such an arrangement could cross an ethical line, even if it was technically legal, said Kel McClanahan, a national security attorney who specializes in clearance law. The idea that “you can do work for anyone about anything and you can keep your clearance without doing a day of work for any of these government agencies,” he said, “looks very sketchy.”

Yet the recruitment pitch gave some operatives confidence the program was operating with the U.S. government’s oversight and approval. “My initial assumption was that this is a cleared, U.S.-sanctioned mission,” said Jonathan Cole, a former DREAD operative.

This kind of contracting arrangement doesn’t mean the NSA is monitoring the employees, said Meyer. Ultimately, the little-understood process allows employees to maintain the imprimatur of elite U.S. intelligence agencies, without the ongoing scrutiny that comes with working for the government.

McClanahan said that because security clearances are so valuable in Washington, defense contractors often take advantage of a system with scant oversight. “It’s too difficult to police.”

An NSA spokesman did not respond to questions about the nature of the agency’s relationship with CyberPoint, its security clearance arrangement or its knowledge of DREAD. The spokesman pointed to a law that took effect in 2015 requiring certain former employees to report to the NSA any work for a foreign government within two years of leaving the agency.

But a former senior NSA official said the requirement is typically applied only to high-level managers and senior technical leaders, not the kind of mostly low to mid-level analysts later employed by DREAD.

Glenn Gerstell, the NSA’s general counsel, said those leaving the agency are “responsible for protecting the secrets of the federal government for their life.” But he added, “They are free to undertake whatever private sector activities they want.”

Reporting by Christopher Bing and Joel Schectman. Editing by Ronnie Greene and Jonathan Weber