US-Trained Spy Worked at Qatari Telco Before Spying for UAE

Following the revelation that US-trained comms spy Lori Stroud was paid by the United Arab Emirates (UAE) to work on a surveillance program which targeted American journalists and rival Arab leaders, it has emerged that Stroud was given access to systems inside the telecoms operator of another Gulf state. A reliable source indicated that Stroud had been working on a project inside incumbent Qatari operator Ooredoo shortly before she began work as an outsourced intelligence operative for the UAE. Apparently the Ooredoo project involved Stroud reviewing the security of Ooredoo’s systems, as part of a team from Booz Allen Hamilton.

Stroud’s profile on ICWATCH, a WikiLeaks-hosted database of US intelligence workers, confirms that Stroud was employed by Booz Allen Hamilton as a “Security and Defense Market Associate” during the time they were reportedly conducting an IT security review for Ooredoo. Stroud seemingly did not hide her affiliations with the USA’s National Security Agency (NSA) during the time she worked for Booz Allen Hamilton. She even appeared in a documentary movie where she talked about working alongside Ed Snowden, the intelligence community’s most notorious whistleblower. The filmmakers presented this biography for Stroud:

From 2009 to April 2014 Mission Technical Lead in the Booz Allen Hamilton (BAH) team providing intelligence support to the NSA’s Cryptologic Center in Hawaii.

Stroud began work as an outsourced UAE intelligence operative on 1st May 2014, per ICWATCH, and this is consistent with the recent Reuters story about American-trained mercenary spies working for the UAE. This raises a whole series of questions about the wisdom of telcos employing US security consultants shortly before, or after, they work in actual intelligence operations for one or other nation state.

UAE vs Qatar

The rulers of these two Gulf countries are currently at loggerheads and both have been connected to numerous reports of electronic comms espionage. The UAE broke off diplomatic relations with Qatar in June 2017 over Qatar’s alleged support for terrorists, and the current degree of hostility was illustrated during a semi-final match at the recent Asian Cup, where spectators from host country UAE threw their shoes at the football team of Qatar. However, the ill will between these countries has deep roots, and has been exacerbated by the alleged hacking of Qatari government websites by the UAE, and claims that the emails of a UAE envoy were hacked by Qatar. There have also been credible accusations that the UAE purchased Israeli spyware with the intention of listening to the phone calls of the Emir of Qatar.

In such a context, how wise is it for Qatar’s leading telco to grant security access to a person who was known to work as a comms spy for hire, and who could then fly to a hostile country and start helping their surveillance efforts the day after?

China vs USA

You can hardly miss the current hullabaloo about Huawei and whether their equipment could be abused by Chinese spies wanting back door access to telco networks worldwide. But why make a fuss about back doors in network technology if you are willing to allow a spy affiliated to a foreign country to walk through the front door of a telco’s office? Huawei technology may pose a security risk, but at least they make equipment that works and is cheaper than that offered by rivals. Human beings also pose a security risk, and arguably that risk is greater. Telcos must vet the people granted access to the sensitive systems and vast amounts of data they possess.

A quote from a former US intelligence official for an article in NEWSREP illustrates the dangers. When asked about intelligence contractors currently working in Yemen, he said:

Their god is money.

The US has a penchant for training sophisticated electronic comms spies, then encouraging them to join the private sector, then allowing them to work for the highest foreign bidder. It is dangerous for telcos to trust individuals with connections like these. Hiring cybersecurity expertise inevitably means finding people with genuine experience, but telcos risk far more than they gain by asking for assistance from skilled experts who have the means and the connections to work against their security interests. The hiring of American-trained consultants should be treated with as much caution as the purchase of Chinese-made equipment.

USA vs Rest of the World

When challenged by Reuters about spying on politicians, journalists, and human rights advocates, there was only one rule that Lori Stroud cared about.

“I don’t think Americans should be doing this to other Americans,” she told Reuters. “I’m a spy, I get that. I’m an intelligence officer, but I’m not a bad one.”

What use is this rule if she is employed by a Qatari telco to protect their interests and the interests of their nation? What use would this rule be in a Mexican telco, or a Brazilian telco, or a German telco? This supposedly moral principle is of no value to anybody but American citizens, because it defends their interests but offers no protection to anyone else.

We should remember that Stroud worked alongside Ed Snowden. He leaked the unpalatable truth that operatives like Stroud bugged the phone of German Chancellor Angela Merkel, bugged the phone of former Brazilian President Dilma Rousseff, and intercepted the emails of former Mexican President Felipe Calderon.

There is no doubt about which country Stroud is loyal to. Though she may work as a cyber-mercenary in foreign countries, her personal opinions have been made clear during the course of several interviews about Ed Snowden and the spying she did for the UAE. When asked about the NSA monitoring Angela Merkel’s phone calls, Stroud said:

The NSA always makes assessments weighing up the goals against the possible violation of privacy.

When asked about the rules that the NSA adheres to, Stroud said:

I believe in the mission of the NSA which is to help protect the interests of the United States and the free West. With regard to the methods, these are governed by law. I also believe we are operating within the necessary ethical and moral guidelines.

But when asked about the laws she obeyed when spying on behalf of the UAE, she said:

It was incredible because there weren’t these limitations like there was at the NSA. There wasn’t that bullshit red tape.

Lori Stroud clearly sees herself as a patriotic and loyal American, in contrast to the ‘traitor’ Ed Snowden. But she makes money by offering to serve the interests of businesses and governments that belong to other countries. The risk is obvious: one person cannot loyally serve two masters whose interests are in conflict. The US has interests which conflict with those of other countries, just as the UAE has interests which conflict with those of Qatar. Any business outside of the USA should ask themselves a serious question before engaging her services. If this former NSA operative is not considered a serious security risk, then who is?

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.