Newly passed legislation will push the U.S. State Department to disclose how it polices the sale of cyber tools and services abroad.
The move followed a Reuters investigation which revealed that American intelligence contractors clandestinely assisted a foreign spying operation in the United Arab Emirates, helping the monarchy to crack down on internal dissent.
The legislation directs the State Department to report to Congress within 90 days on how it controls the spread of cyber tools and to disclose any action it has taken to punish companies for violating its policies.
Under U.S. law, companies selling hacking products or services to foreign governments must first obtain permission from the State Department.
U.S. lawmakers and human rights advocates have grown increasingly concerned that hacking skills developed for U.S. spy services are being sold abroad with scant oversight.
"Just as we regulate the export of missiles and guns to foreign countries, we need to properly supervise the sale of cyber capabilities," said congressman Dutch Ruppersberger of Maryland, who drafted the legislation.
The provision was a result of a Reuters investigation, congressional staffers said, which showed U.S. defense contractors ran a hacking unit in the UAE called Project Raven and that the State Department granted permission to three companies to assist the Emirati government in surveillance.
A State Department spokesman declined to comment. The agency previously said human rights concerns are carefully weighed before such licenses are issued but declined to comment on the authorizations granted for Project Raven.
The UAE Embassy in Washington did not respond to a request for comment. In response to Reuters reporting, a senior Emirati official last year said the country possessed a "cyber capability" that it needed to protect itself.
The new reporting guideline was part of the State Department's 2020 budget bill signed into law by President Donald Trump on Dec. 20.
The UAE program used former U.S. National Security Agency (NSA) operatives to target foreign rivals, human rights activists, and journalists, the Reuters reporting found. While the secret Emirati hacking unit was initially created to help the country fight terrorism, the Reuters investigation revealed that it quickly became a tool for the monarchy to crack down on internal dissent.
Reuters found the clandestine program helped local security forces track activists, who were sometimes later tortured.
Reuters reporting also showed how the State Department granted permission to three companies — U.S. consulting firm Good Harbor, cybersecurity company CyberPoint International, and defense contractor SRA International — to assist the Emirati government in surveillance operations.
CyberPoint and Good Harbor did not immediately respond to requests for comment. General Dynamics, which now owns SRA, declined to comment.
Good Harbor and CyberPoint have previously told Reuters that their companies obtained proper permissions from the State Department and followed all U.S. laws.
"This report will help Congress ensure these sales are advancing our foreign policy goals, especially in light of recent reports alleging human rights abuses," said Ruppersberger, whose district is home to the NSA.