White House veterans helped Arab Monarchy build secret surveillance unit

In the years after 9/11, former U.S. counterterrorism czar Richard Clarke warned Congress that the country needed more expansive spying powers to prevent another catastrophe. Five years after leaving government, he shopped the same idea to an enthusiastic partner: an Arab monarchy with deep pockets.

GET FOX BUSINESS ON THE GO BY CLICKING HERE

In 2008, Clarke went to work as a consultant guiding the United Arab Emirates as it created a cyber surveillance capability that would utilize top American intelligence contractors to help monitor threats against the tiny nation.

The secret unit Clarke helped create had an ominous acronym: DREAD, short for Development Research Exploitation and Analysis Department. In the years that followed, the UAE unit expanded its hunt far beyond suspected extremists to include a Saudi women’s rights activist, diplomats at the United Nations and personnel at FIFA, the world soccer body. By 2012, the program would be known among its American operatives by a codename: Project Raven.

Reuters reports this year revealed how a group of former National Security Agency operatives and other elite American intelligence veterans helped the UAE spy on a wide range of targets through the previously undisclosed program — from terrorists to human rights activists, journalists and dissidents.

Now, an examination of the origins of DREAD, reported here for the first time, shows how a pair of former senior White House leaders, working with ex-NSA spies and Beltway contractors, played pivotal roles in building a program whose actions are now under scrutiny by federal authorities.

To chart the UAE spying mission’s evolution, Reuters examined more than 10,000 DREAD program documents and interviewed more than a dozen contractors, intelligence operatives and former government insiders with direct knowledge of the program. The documents Reuters reviewed span nearly a decade of the DREAD program, starting in 2008, and include internal memos describing the project’s logistics, operational plans and targets.

Clarke was the first in a string of former White House and U.S. defense executives who arrived in the UAE after 9/11 to build the spying unit. Utilizing his close relationship to the country’s rulers, forged through decades of experience as a senior U.S. decision-maker, Clarke won numerous security consulting contracts in the UAE. One of them was to help build the secret spying unit in an unused airport facility in Abu Dhabi.

DREAD: HOW A COUNTERTERRORISM MISSION LOST ITS PATH

Drawn to the UAE with the promise of combating terrorism, dozens of American intelligence contractors cycled in and out of a secret hacking unit over the course of a decade. As time went on, the mission became less focused on preventing violent attacks than on targeting the country’s political enemies.

2008: Richard Clarke and his firm Good Harbor recommend the creation of a new cyber surveillance agency in the UAE, which the country asks for them to help build. The secret program is codenamed DREAD but will later be known as Project Raven.

2009: Construction of DREAD’s first headquarters is completed. Good Harbor utilizes a U.S. defense contractor, named SRA International, and by year’s end the subcontractors are assisting in hacking operations.

2010: Good Harbor gives up control of DREAD to Karl Gumtow, a former SRA vice president. Gumtow’s new Maryland-based company, CyberPoint, staffs DREAD with more former NSA hackers.

2011: The Arab Spring causes the UAE government to ramp up digital espionage against protesters and others critical of the monarchy. DREAD targets included activists such as Ahmed Mansoor, a prominent human rights defender.

2012: DREAD operatives are ordered to make British activist Rori Donaghy a top priority hacking target after UAE security officials were angered by his critical blog posts.

2013: DREAD develops a tool, codenamed Mercury Crush, that exploits flaws in Microsoft Word and Adobe Flash in order to implant surveillance software within a website visited by activists.

2014: DREAD targets hundreds of Qatari government officials. The program is increasingly tasked with hacking into entire rival foreign governments in the Middle East such as Iran and Qatar.

2016: DREAD’s American staffers are given a choice: go home or join Emirati firm DarkMatter, which is taking over control. Some stay despite warnings from colleagues. FBI agents approach former CyberPoint staff to learn what’s happening.

2017: The unit wields a new, elite hacking tool to remotely break into iPhones of media figures and rival foreign leaders, including the Emir of Qatar.

In an interview in Washington, Clarke said that after recommending that the UAE create a cyber surveillance agency, his company, Good Harbor Consulting, was hired to help the country build it. The idea, Clarke said, was to create a unit capable of tracking terrorists. He said the plan was approved by the U.S. State Department and the National Security Agency, and that Good Harbor followed U.S. law.

“The incentive was to help in the fight against Al Qaeda. The UAE is a very good counterterrorism partner. You need to remember the timing back then, post 9-11,” Clarke said. “The NSA wanted it to happen.”

The NSA did not answer written questions about its knowledge of DREAD or its relationship to any of the contractors. The State Department said it carefully vets foreign defense service agreements for human rights issues. UAE spokespeople at its Washington embassy and Ministry of Foreign Affairs did not respond to requests for comment.

Clarke’s work in creating DREAD launched a decade of deepening involvement in the UAE hacking unit by Beltway insiders and U.S. intelligence veterans. The Americans helped the UAE broaden the mission from a narrow focus on active extremist threats to a vast surveillance operation targeting thousands of people around the world perceived as foes by the Emirati government.

One of Clarke’s former Good Harbor partners, Paul Kurtz, said Reuters’ earlier reports showed that the program expanded into dangerous terrain and that the proliferation of cyber skills merits greater U.S. oversight. “I have felt revulsion reading what ultimately happened,” said Kurtz, a former senior director for national security at the White House.

At least five former White House veterans worked for Clarke in the UAE, either on DREAD or other projects. Clarke’s Good Harbor ceded control of DREAD in 2010 to other American contractors, just as the operation began successfully hacking targets.

A succession of U.S. contractors helped keep DREAD’s contingent of Americans on the UAE’s payroll, an engagement that was permitted through secret State Department agreements, Reuters found.

The program’s evolution illustrates how Washington’s contractor culture benefits from a system of legal and regulatory loopholes that allows ex-spies and government insiders to transfer their skills to foreign countries, even ones reputed to have poor human rights track records.

American operatives for DREAD were able to sidestep the few guardrails against foreign espionage work that existed, including restrictions on the hacking of U.S. computer systems.

Despite prohibitions against targeting U.S. servers, for instance, by 2012 DREAD operatives had targeted Google, Hotmail and Yahoo email accounts. Eventually, the expanding surveillance dragnet even swept up other American citizens, as Reuters reported earlier this year.

In an interview, Mike Rogers, former chairman of the U.S. House Intelligence Committee, said he has watched with growing concern as more and more former American intelligence officials cash in by working for foreign countries.

“These skill sets do not belong to you,” he said of ex-U.S. agents, but to the U.S. government that trained them. Just as Washington wouldn’t let its spies work in the pay of foreign nations while employed at the NSA, he said, “Why on God’s green earth would we encourage you to do that after you leave the government?”

An NSA spokesman said former employees are mandated for life not to reveal classified information.

FROM THE WHITE HOUSE TO THE GULF

For years before the creation of DREAD, Clarke grappled with the need for domestic surveillance in the United States, as well as its potential dangers.

Clarke, a counterterrorism czar to Bill Clinton and George W. Bush, is perhaps best known for offering an unequivocal public apology for Washington’s inability to prevent the 9/11 attacks.

“Your government failed you. Those entrusted with protecting you failed you. And I failed you,” Clarke said in 2004, one year after leaving government, testifying before a U.S. commission established to investigate intelligence failures leading to the 9/11 attacks.

To prevent future attacks, Clarke urged America to create a domestic spying service, while saying such a unit must avoid civil liberties violations. “We’d have to explain to the American people in a very compelling way why they needed a domestic intelligence service, because I think most Americans would be fearful of a secret police,” he said.

Clarke’s testimony to the 9/11 Commission helped lead to the creation in 2005 of a domestic intelligence service within the Federal Bureau of Investigation — described as “a service within a service” — staffed by federal agents, language analysts and surveillance specialists.

"The incentive was to help in the fight against Al Qaeda. The UAE is a very good counterterrorism partner ... The NSA wanted it to happen.” - RICHARD CLARKE, GOOD HARBOR CEO

Two years earlier, Clarke had joined his former deputy Roger Cressey at the newly launched Good Harbor Consulting, a security advisory group. Clarke brought one of the most famous names in U.S. national security.

He also brought a decades-long relationship with a potential client of immense wealth: Sheikh Mohammed bin Zayed al-Nahyan, known as MbZ, the son of the UAE’s most powerful ruler. In the months preceding the 1991 U.S.-led war on Iraq, Clarke, then a senior American diplomat, had been sent to the Gulf to seek assistance from regional allies. MbZ stepped up as the U.S. prepared to go to war.

MbZ helped Clarke obtain permission from the Emirati government for bombing runs in UAE airspace, and he funneled billions toward the American war effort. In 1991, when Congress questioned whether Washington should allow a $682 million arms sale to UAE, Clarke bristled.

“They transferred $4 billion to the U.S. Treasury to support the war effort,” he told the House Subcommittee On Arms Control. “Is that the kind of nation that we should snub by denying them 20 attack helicopters? I don't think so.” The UAE got the choppers.

In the years after Clarke joined Good Harbor in 2003, MbZ, the de facto ruler of the UAE, granted the company the rare opportunity to help build the country’s homeland security strategy from the ground up. Clarke’s Good Harbor soon won a series of security contracts to help the UAE secure its infrastructure, including work to protect the Gulf state’s seaports, nuclear projects, airports, embassies and petrochemical facilities, according to two people with direct knowledge of the contracts.

Along with helping stand up an emergency response department and maritime security unit, Clarke believed the UAE required an NSA-like agency with the ability to spy on terrorists. Clarke said he placed Good Harbor partner Paul Kurtz, himself a former White House veteran, in charge of the contract.

“At the highest level, it was cyber defense and how you protect your own networks,” Kurtz said in a phone interview with Reuters. The UAE wanted to know, he said, “How do I understand more about what terrorists may be doing?”

Asked whether he was concerned the UAE could use the capability to crack down on activists or dissidents, Clarke stressed that “the overarching concern was getting Al Qaeda.” He said he had limited visibility into the program at the time and that Kurtz was responsible for the day-to-day management of the contract to build the program.

Kurtz said his personal involvement was limited to high level consulting, with his knowledge of daily activities “next to none.” For technical expertise on hacking, he said, Good Harbor relied on subcontractors from the American defense company SRA International, managed by an executive named Karl Gumtow.

SRA, then a 7,000-employee operation based in Fairfax, Virginia, was chosen because of its experience with NSA contracts, Clarke said.

MISSION LAUNCHED 

Utilizing eight contractors from SRA, Good Harbor started building DREAD in 2008 inside a building that resembled a small airplane hangar on the edge of the Al Bateen airport in Abu Dhabi. The program began as an arm of MbZ’s royal court, and was initially managed by the prince’s son, Khalid.

The contractors built the project from scratch. They trained potential Emirati staff in hacking techniques and created covert computer networks and anonymous Internet accounts the UAE could use for surveillance operations.

In 2009, the group set out to build a spy tool codenamed “the Thread,” software that would enable the Emiratis to steal files from Windows computers and transmit them to servers controlled by the Court of the Crown Prince, DREAD program documents show.

Beyond offering guidance and support, Good Harbor and SRA did not envision an active role in hacking operations.

The program was intended to leave the UAE equipped with the cyber capabilities to pursue terrorism threats on its own. But within months, the Americans could see they needed to take the lead from their less experienced Emirati colleagues, said three former DREAD operatives.

Some UAE trainees appeared disinterested and ill-equipped. One trainer, a former SRA contractor and ex-NSA cryptographer named Keith Tuttle, concluded one student had “lost interest” and another “continues to struggle with technology,” a program report card reviewed by Reuters shows.

That left the Americans with little choice but to get more involved, two former DREAD operatives told Reuters, eventually doing everything aside from hitting the final button on a computer intrusion. Tuttle, citing advice from his attorneys, declined to comment.

A spokesman for General Dynamics, the owner of SRA International after multiple business acquisitions, said the original contract with Good Harbor ended in 2010. He declined further comment.

The hacking requests from UAE security forces to the new unit accelerated after Christmas 2009, just one year after Good Harbor started on DREAD. UAE leaders received intelligence warnings that a violent extremist attack could be imminent. A panicked request came to the nascent hacker team: Help us spy on outbound Internet traffic coming from a suspected extremist’s home computer network located in the northern part of the country.

DREAD’s SRA handlers were still months from finishing the Windows hacking software, Thread. Suddenly, U.S. operatives were cobbling together makeshift spy tools based on computer security testing software found for free online, according to two people with direct knowledge of the incident.

Yet they succeeded within weeks, hacking the suspected extremist in a mission seen by the Emiratis as a key success that may have prevented an attack. The incident marked a crucial moment in the relationship. With that success came more targeting requests and a deeper role for the Americans, said two people with direct knowledge.

By the end of 2010, Good Harbor stepped back from DREAD, leaving control in the hands of SRA vice president Gumtow, program documents show. He had just started his own Maryland company, CyberPoint. “Our focus was to help them defend their country,” Gumtow said in a phone interview.

With Good Harbor’s departure, Kurtz joined CyberPoint, although he said his involvement in DREAD ended by 2011.

40 AMERICANS AND $34 MILLION

Within two years, Gumtow expanded the number of Americans on the program from around a dozen to as many as 40. More than a dozen were poached from the halls of the NSA or its contractor list. DREAD’s annual budget reached an estimated $34 million, project documents show.

Some American recruits had concerns about working for a foreign spy service. But the program’s connection to respected national security figures such as Clarke, Kurtz and Gumtow led them to conclude the effort was above board, four former operatives said.

Jonathan Cole, a former U.S. intelligence operative who joined DREAD in 2014, said he believed the UAE mission had Washington’s blessing due to the involvement of CyberPoint’s Maryland-based staff in other classified programs for the U.S. government. “I made some assumptions,” Cole said.

In 2011, the program moved to the first of a series of secret converted mansions, known as the Villa, and among its American contractors was given the codename Project Raven.

Gumtow told Reuters his U.S. contractors were hired only to train Emirati hackers, and were prohibited from assisting in operations themselves. U.S. law generally prohibits Americans from hacking computer systems anywhere, but specifically prohibits targeting of other American people, companies or servers.

Although Gumtow managed the DREAD contract for five years from Baltimore, he said he never learned of such activities occurring among his staff. He said his visibility was limited, as he visited his UAE staff five or six times a year.

“I did not get involved in day-to-day program activities,” Gumtow said. “If we had a rogue person, then there’s nothing I can do.”

Still, the American team soon occupied almost every key position in the program. American operatives helped locate target accounts, discover their vulnerabilities and cue up cyberattacks. To stay within the bounds of the law, the Americans did not press the button on the ultimate attack, but would often literally stand over the shoulders of the Emiratis who did, 10 former operatives told Reuters.

After the 2011 Arab Spring demonstrations shook the region, Emirati security experts feared their country was next. DREAD’s targets began to shift from counterterrorism to a separate category the UAE termed “national security targets” — assisting in a broad crackdown against dissidents and others seen as a political threat. The operations came to include the previously unreported hacks of a German human rights group, the United Nations’ offices in New York and FIFA executives.

Between 2012 and 2015, individual teams were tasked with hacking into entire rival governments, as the program’s focus shifted from counterterrorism to espionage against geopolitical foes, documents show.

One target was UAE archrival Qatar, which in 2010 gained global attention by winning the right to hold soccer’s 2022 World Cup. In 2014, DREAD operatives targeted directors at FIFA, the Swiss-based body that runs international soccer, and people involved in Qatar’s World Cup organizing body.

The ploy was designed to steal damaging information about Qatar’s World Cup bid, which could be leaked to embarrass the UAE’s Gulf rival. Allegations that FIFA officials were bribed by Qatar in exchange for granting its World Cup bid surfaced in media reports in 2014.

The FIFA hacking operation, codenamed Brutal Challenge, was planned by an ex-NSA analyst named Chris Smith, according to DREAD operation planning memos reviewed by Reuters. The hackers sent boobytrapped Facebook messages and emails containing a malicious link to a website called “worldcupgirls.” Clicking on the link deployed spyware into the target’s computer.

It is not clear whether the mission succeeded. But the targets included Hassan Al Thawadi, secretary general of Qatar’s FIFA organizing body, and Jack Warner, a former FIFA executive who the U.S. later indicted on money laundering charges.

THE WORLDCUPGIRLS PHISHING SCAM

The hackers used a simple method to go after their victims. By hiding malware within messages that looked like ordinary spam, DREAD operatives believed the World Cup-themed phishing scheme was “low risk” because it would be difficult to trace back to their servers. Yet if the target clicked on a malicious link inside the message, their computer would be infected by spyware.

Qatar’s Supreme Committee for Delivery and Legacy, a governmental body in charge of helping organize the 2022 footballing tournament, had no comment. A spokesman for Qatar’s government said the country saw its successful bid to host the World Cup as “a chance for the world to see our region in a new light.”

In a statement, a spokeswoman said FIFA was “not aware” of any hacking incidents related to Qatar’s World Cup bid. A second spokesperson said a FIFA internal investigation did not find that Qatar paid bribes to win the right to host the tournament.

Warner, who is facing extradition to the United States from Trinidad and Tobago, could not be reached for comment. He has repeatedly proclaimed he is innocent of the charges. Smith did not respond to messages sent through email and social media.

FOREIGN LICENSE, SCANT OVERSIGHT 

To conduct its UAE business, CyberPoint obtained a State Department foreign defense services license in 2010 and 2014.

The agreements, reviewed by Reuters, are written in broad language. Hacking operations are described as “collecting information from communications systems inside and outside the UAE.” The agreements placed no restrictions against targeting human rights activists, journalists or U.S. allies.

A State Department spokesman said that before granting such a license, the agency carefully weighs human rights concerns. The authorization doesn’t grant the right to violate human rights, he said. But he declined to comment on the agreements between the agency and CyberPoint.

The DREAD agreements did prohibit the program from assisting in hacking operations against Americans or American-owned email servers. Doing so “could subject you to criminal liability under U.S. law, even if the activities were conducted overseas,” warned a CyberPoint legal counsel in a 2011 memo.

This restriction was often sidestepped, project documents show. CyberPoint employees assisted in the hacking of hundreds of Google, Yahoo, Hotmail and Facebook accounts, sharing screenshots from the intrusions in presentations with senior Emirati intelligence officers. For example, DREAD accessed Google and Yahoo accounts to steal its targets’ Internet browser history, with the hackers highlighting their porn preferences in reports to managers, documents show.

In 2012, the program targeted the Hotmail and Gmail accounts of five staffers of the Konrad Adenauer Foundation, a German pro-democracy group that at the time was pushing for greater press and speech freedoms in the UAE. DREAD intercepted messages from one foundation manager’s hacked Gmail account. “Assume all comm channels have been” compromised, the manager’s message to an employee read.

Behind the scenes, the German ambassador to the UAE was called to meet with officials from the Emirates’ Ministry of Foreign Affairs, who said the German non-profit must leave the country, said a person with direct knowledge. In March 2012, the group was ordered out. The foundation declined comment.

American operatives also helped target the Gmail and Facebook accounts of Ahmed Ghaith al-Suwaidi, an Emirati economist and member of the Muslim Brotherhood, in 2011. In January 2012, DREAD hackers reported Al-Suwaidi had emailed signed documents putting his wife in charge of his assets in case anything happened to him, DREAD operation documents show.

Two months later, al-Suwaidi was arrested and detained in a secret prison, where he said he was tortured and forced to sign a confession, said Amnesty International. In 2013, as part of a trial of 94 activists accused of fomenting a coup, he was convicted and sentenced to 10 years in prison. Mohamed Al Zaabi, a friend and fellow activist, said al-Suwaidi had never advocated for a coup and had simply pushed for political reform.

Gumtow said that, to the best of his knowledge, CyberPoint was careful to stay within the bounds of the license and U.S. law.

'SLIPPERY SLOPE'

Over time, conflict emerged between the Emiratis and Americans over the selection of targets, which Americans believed sometimes crossed the line into hacking U.S.-related entities. The locals began restricting the Americans’ access to surveillance databases, marking some “For Emirati Eyes Only.” Near the end of 2015, the UAE cancelled its CyberPoint contract and hired a UAE cybersecurity firm, DarkMatter.

Gumtow warned his employees that if they remained in the program, they would no longer be authorized under the State Department agreement and would be essentially going rogue. More than a dozen stayed.

While DarkMatter took over DREAD, the program was a tightly held secret, with even some company executives unaware of its existence, said six people with direct knowledge of the matter.

Under DarkMatter, DREAD targeted the United Nations’ offices in New York in a bid to compromise the email accounts of foreign diplomats from countries seen as UAE rivals, said a former operative. A UN spokesman confirmed the organization’s cybersecurity team identified attacks from a hacking group associated with the UAE.

In some cases, DREAD’s surveillance operations preceded the torture of targets.

In 2017, operatives hacked the emails of Saudi women’s rights activist Loujain al-Hathloul, after she tried to defy a ban against women driving in Saudi Arabia, a former DREAD operative said. Three years earlier, al-Hathloul, who was studying in the UAE, had been arrested by the Saudis after trying to drive across the border into Saudi Arabia and jailed for 73 days.

DREAD operatives monitoring al-Hathloul gave her the codename Purple Sword.

In 2018, just weeks before a royal decree allowed Saudi women to drive legally for the first time, UAE security forces arrested al-Hathloul again in Abu Dhabi and placed her in a private jet back to her home country. Once there, Saudi security forces jailed her on charges of sedition, torturing her in a secret facility outside Jeddah, her brother Walid al-Hathloul told Reuters. She was later moved to a prison near Riyadh where she remains, her brother said.

“It’s very disappointing to see Americans taking advantage of skills they learned in the U.S. to help this regime,” he said. “They are basically like mercenaries.”

Saudi Arabia and the UAE are close allies. A Saudi embassy spokesman did not respond to requests for comment.

In a brief emailed statement, DarkMatter said it was unaware of Reuters’ findings or any improper actions by the company.

A federal grand jury in Washington has been investigating whether American staff violated U.S. hacking laws in the UAE mission. The Federal Bureau of Investigation and the Justice Department declined to comment.

Congress is also asking questions, citing the earlier Reuters reports while pressing the State Department to explain DREAD and pushing for more transparency in foreign license agreements. Foreign governments “have apparently exploited the advanced training and expertise of individuals who developed their technical skills while in U.S. national service,” members wrote in May to the Director of National Intelligence and Secretary of State.

Rogers, the former House intelligence committee chairman, said it’s time for Washington to impose tougher restrictions on foreign intelligence contracting. “Outright eliminating those opportunities, I think, should absolutely be on the table,” he said.

Kurtz, who helped launch the program 10 years ago, agreed the U.S. government needs to reconsider how it controls the transfer of cyber capabilities overseas. “It can be a very slippery slope,” he said.

How do you keep a coveted top-secret U.S. government security clearance while working for a foreign spy service? That question vexed U.S. intelligence operatives recruited to work as contractors for a secret United Arab Emirates hacking team.

But maintaining this privileged status, which allows access to America’s most sensitive secrets, wouldn’t be a problem, operatives say their employer told them.

In an arrangement that highlights a potential weakness in how Washington oversees an army of contractors engaged in classified projects, American recruits told Reuters they were allowed to maintain the U.S. intelligence community’s stamp of approval even after involving themselves in foreign hacking operations.

Security clearances are powerful tools. Having a “Top Secret” designation allows a U.S. contractor to be briefed on carefully guarded government information.

Before obtaining high level clearances, prospective government employees often undergo more than a year of investigation and lie detector tests. The designation can lead to lucrative jobs with U.S. defense contractors, positions that often require prospective employees to already have an existing clearance to even be considered.

A contractor who takes a job outside the U.S. government for several years may lose their clearance and have to be reinvestigated from scratch if they want to work for Washington again. Such a lapse can make an intelligence contractor ineligible for thousands of opportunities.

Former National Security Agency veterans who joined the UAE’s Project DREAD feared they would lose their clearances as they worked overseas, said five former operatives who worked on the program.

CyberPoint CEO Karl Gumtow, an American contractor whose company ran DREAD from 2010 until 2016, came up with a solution, five former operatives said. CyberPoint told some recruits the company could preserve their clearances even while they worked for another country’s spy service, former DREAD operatives said.

Founded in 2009, CyberPoint is a Maryland-based defense contractor that does work for the NSA.

The company made use of a little-known rule that allows defense contractors to maintain clearances for their staff even if they do no work on relevant U.S. government contracts.

In this case, Gumtow placed some operatives onto an unrelated NSA contract for which they did no work, according to former operatives and a copy of the NSA roster reviewed by Reuters.

Gumtow maintained a 67-name roster for a shell contract titled “Harborview” between CyberPoint and the NSA, a 2014 document shows.

Security clearances are powerful tools. Having a “Top Secret” designation allows a U.S. contractor to be briefed on carefully guarded government information.

Gumtow told Reuters the Harborview arrangement allowed him to ensure he could smoothly cycle his employees between classified U.S. government contracts and projects not needing a U.S. security clearance, such as DREAD. “To me it’s a pretty normal thing,” he said.

He acknowledged that perhaps “one or two” of his DREAD contractors on the roster never worked on an NSA contract while at CyberPoint.

In reality, at least six employees listed on the roster were American operatives who did no NSA contracting work after joining CyberPoint, according to 10 operatives interviewed by Reuters.

Use of shell contracts is common among large intelligence contractors. The practice is legal and allows employees to step through a revolving door between government and non-government work for an individual contracting company without having to worry about the status lapsing, said Daniel Meyer, a former executive director for the Inspector General’s office for the U.S. intelligence community.

“They are sort of on deck,” Meyer said, “so the agency can have a flexible pool of labor to draw from.”

CyberPoint’s offer to maintain individual clearances for DREAD recruits was seen as a hiring pitch to allay concerns their clearances would lapse while they worked for the UAE, said five former DREAD operatives.

Such an arrangement could cross an ethical line, even if it was technically legal, said Kel McClanahan, a national security attorney who specializes in clearance law. The idea that “you can do work for anyone about anything and you can keep your clearance without doing a day of work for any of these government agencies,” he said, “looks very sketchy.”

Yet the recruitment pitch gave some operatives confidence the program was operating with the U.S. government’s oversight and approval. “My initial assumption was that this is a cleared, U.S.-sanctioned mission,” said Jonathan Cole, a former DREAD operative.

This kind of contracting arrangement doesn’t mean the NSA is monitoring the employees, said Meyer. Ultimately, the little-understood process allows employees to maintain the imprimatur of elite U.S. intelligence agencies, without the ongoing scrutiny that comes with working for the government.

McClanahan said that because security clearances are so valuable in Washington, defense contractors often take advantage of a system with scant oversight. “It’s too difficult to police.”

CLICK HERE TO READ MORE ON FOX BUSINESS

An NSA spokesman did not respond to questions about the nature of the agency’s relationship with CyberPoint, its security clearance arrangement or its knowledge of DREAD. The spokesman pointed to a law that took effect in 2015 requiring certain former employees to report to the NSA any work for a foreign government within two years of leaving the agency.

But a former senior NSA official said the requirement is typically applied only to high-level managers and senior technical leaders, not the kind of mostly low to mid-level analysts later employed by DREAD.

Glenn Gerstell, the NSA’s general counsel, said those leaving the agency are “responsible for protecting the secrets of the federal government for their life.” But he added, “They are free to undertake whatever private sector activities they want.”