How do the best and the brightest from the U.S. National Security Agency and Israel’s intelligence community go to work for America’s and Israel’s enemies, proliferate cyber espionage, and facilitate spying on dissidents the world over? Simple: they take the expertise they learned in the service of their country and sell it to the highest bidder. Who’s buying? Everyone. What has the democratic world, including the Biden administration, been doing? Nothing.

It’s time to fix the problem.

ISRAEL'S GOVERNMENT MIGHT BE FLAILING, BUT THE MOSSAD IS FLOURISHING

The challenge is familiar to those who follow the growing but still shadowy cyber domain. Take the case of “Project Raven,” a contract between the United Arab Emirates and the Baltimore-based firm CyberPoint. What began in 2014 as an American-led initiative to enhance the UAE’s cybersecurity prowess eventually became a foreign-led operation that put American hacking expertise to use surveilling U.S. citizens.

CyberPoint billed Project Raven as an effort to bolster cyber defense in the UAE, which is a frequent target of Tehran’s cyber aggression. In reality, however, it was a clandestine effort to help the regime stand up its own version of the American NSA. For the effort, CyberPoint employed a number of former NSA experts to help the regime surveil rival governments, militant groups, and dissidents within the country. Initially, Project Raven had U.S. government export approval so that the company and its American employees could share their hacking know-how with the UAE.

But in 2016, the UAE tapped the Emirati firm DarkMatter to replace CyberPoint as its contractor for Project Raven. Many of the Americans from CyberPoint transitioned to DarkMatter after the firm extended lucrative job offers to retain their expertise. As a foreign company, DarkMatter did not require U.S. approval to push ahead with the contract. Washington no longer had the power to regulate which knowledge and capabilities DarkMatter’s American employees could share with the UAE. Worse yet, as a foreign company, it faced no legal restrictions as it expanded target lists to include U.S. citizens. Eventually, DarkMatter turned its U.S. employees into national security threats by using U.S.-built expertise to collect information on U.S. citizens.

Or take another case in Bangladesh: The South Asian nation doesn’t rival Pakistan or Iran as a threat, but the Muslim majority country has no diplomatic relations with Israel. Indeed, Israel bans technology exports to Bangladesh over national security concerns. Nonetheless, last year the Dhaka government acquired reportedly acquired cyber surveillance tools from Intellexa, a firm owned by former Israeli Defense Forces spy chief Tal Dilian. Because Intellexa is based in Cyprus and not Israel, Tel Aviv has no veto power over the sale of digital spy capabilities to its adversary.

Not unnaturally, after government service, many military and intelligence cyber experts look to the private sector for their next job. This is particularly common in Israel, where IDF veterans routinely establish or work for technology companies. For instance, like Dilian, Niv Carmi helped found the notorious NSO Group — implicated in the surveillance of Gulf dissidents, including Jamal Khashoggi — after leaving Mossad. This has led to a robust surveillance-for-hire industry in Israel that Tel Aviv regulates and leverages for political benefits. Look no further than transactions that allegedly occurred around the Abraham Accords. Israel apparently approved contracts for the NSO Group to export its Pegasus spyware — one of the world’s most advanced software packages for spying on mobile phones — to Arab states in exchange for diplomatic support.

For some, however, even Israel’s loose regulations are too restrictive. They, like Dilian, establish companies abroad where their home country has no power to regulate the trade secrets they sell. A government’s ability to approve spyware contracts — or block them when they carry national security risks — only applies to firms operating within their borders. This is why Intellexa and its subsidiaries are able to sell spyware across Europe without needing permission from Israel. This is also why capabilities built on IDF expertise can end up in the hands of countries like Saudi Arabia and Bangladesh.

Foreign firms exacerbate this problem by poaching cyber talent from countries with a technologically superior labor force — mostly advanced industrial democracies. National security concerns often emerge as former government workers’ knowledge and experience can be used to target their home states. Unsurprisingly, military and intelligence talent and surveillance firms make a great match. The transition of expertise between public and private sectors is critical for introducing innovative cyber capabilities into legitimate intelligence, military, and law enforcement efforts. But brain drain across borders means that former government experts routinely become security threats to the countries they previously served. (Unfortunately, this is not limited to the tech sector: military veterans from both the U.S. and the U.K. have reportedly trained pilots in the Chinese military.)

Notwithstanding the well-documented problem, the Biden administration has largely been asleep at the wheel when it comes to this human and technological capital. Momentum is shifting, but far too slowly. President Joe Biden’s recent executive order on commercial spyware proliferation will buttress prior congressional action to prevent military and intelligence cyber experts from working for foreign governments or companies. But the White House’s proclivity for heavy regulation is unlikely to work for a market that is notoriously difficult to regulate. Former government employees choosing to sacrifice values for profits will always find loopholes.

A more effective approach hinges on punishing specific behaviors through economic sanctions or legal action. Only once democracies establish effective punitive measures against cyber-trafficking and commerce with hostile powers such as Russia or China can they start to curb a spyware market that helps surveil, jail, and murder journalists, democratic activists, and political opposition across the globe.

CLICK HERE TO READ MORE FROM THE WASHINGTON EXAMINER

Jason Blessing, Ph.D., is a Jeane Kirkpatrick Visiting Research Fellow with the foreign and defense policy department at the American Enterprise Institute. His research focuses on cybersecurity as well as trans-Atlantic relations. Follow him on Twitter @JasonABlessing.