Consumer Electronics Daily was a Warren News publication.

DOJ Settlement Involving Hacking, ITAR Violations May Have Sent 'Mixed Signals,' Lawyers Say

The Department of Justice may issue severe penalties in the future for foreign hacking that violates U.S. export controls despite the “lenient” deferred prosecution agreement it announced in September (see 2109150031), national security lawyers said. Companies shouldn't expect that case to signal the start of a trend of minor penalties for hacking, the lawyers said, and should be especially cautious before providing cyber services to foreign governments.

The September agreement described International Traffic in Arms Regulations violations committed by three former U.S. intelligence community members who provided hacking and other cyber services to the United Arab Emirates government. Not only was the case notable because it represented the first time the Justice Department charged hacking as an ITAR violation, but it also sent “mixed signals” to industry about how the agency will assess similar violations in the future, Morrison & Foerster lawyers wrote Oct. 20 in Lawfare Blog.

The lawyers described the deferred prosecution agreement -- which will drop all criminal charges against the three people in three years if they don’t violate the agreement -- as a “slap on the wrist.” They also called the settlement a “rarely used and extraordinarily lenient resolution” in an export control prosecution case, especially in one that described “egregious” and “willful” violations of the ITAR.

“On its face,” the lawyers said, “the U.S. government appears to be sending mixed signals by investigating a case criminally and resolving it with an apparent slap on the wrist.” But they said the DOJ’s leniency only “reflects the unique circumstances of this case rather than a commitment to treat similar conduct the same way.”

The three people named in the deferred prosecution agreement reportedly were authorized to perform services subject to the ITAR while they worked for a U.S. company, CyberPoint, but they didn’t receive the same clearance or a technical assistance agreement after they began working for DarkMatter, a UAE company.

“If true, CyberPoint employees’ participation in intelligence collection operations prohibited by the technical assistance agreement complicated the government’s ability to prove intent,” the Morrison & Foerster lawyers said, “because the defendants would likely have argued that they believed their conduct with DarkMatter was consistent with their activities at CyberPoint, which they understood to be lawful.” The lawyers also said “the sheer number of U.S. persons who possibly violated the law at both CyberPoint and DarkMatter ... would serve as evidence that it was not well known that such conduct was unlawful.”

But now that DOJ has publicized this case, it can use it as precedent for pursuing future prosecutions, which will likely come with harsher penalties, the lawyers said. “Such notice will make it easier in future cases for prosecutors to argue and establish that a company or an individual was aware that their conduct violated the law,” they said. “Although it may not be clear where the Justice Department will draw the line between the acceptable and unacceptable sharing of ‘human knowledge’ for cyber capabilities, we now know that line is more restrictive -- and will be watched more closely -- than it used to be.”