CORRECTION: This article has been updated. The previous version stated that Daniel Gericke pleaded guilty. Gericke has only accepted a deferred prosecution and has not pleaded guilty. Gericke worked for DarkMatter – not BlackMatter, and he has never worked within the Intelligence Community.
The events of the past couple of weeks have placed ExpressVPN in a ticklish position. The virtual private network (VPN) provider is in the midst of being acquired by Israeli-British cybersecurity company Kape Technologies for a whopping $936 million. While the deal is due to close in the coming months (Q4 2021), the world has learned that one member of its C-suite, CIO Daniel Gericke, has accepted a deferred prosecution in the United States for “violations of U.S. export control, computer fraud and access device fraud laws.” Logically, this turn of events chisels a chink into the trust armor every VPN company requires to maintain its customer base.
Ironically, one of the first critics with respect to the “trustworthiness” of ExpressVPN was the infamous Edward Snowden, who tweeted, “If you’re an ExpressVPN customer, you shouldn’t be.”
Who is Daniel Gericke?
Daniel Gericke is a former U.S. Marine who developed into an offensive cybersecurity specialist. He worked for Cyberpoint International, a contractor involved in classified work with the United States and with foreign entities under the ITAR/TAA process. He left the employ of Cyberpoint and moved to the UAE firm DarkMatter. It was the work he conducted while employed by DarkMatter, under its contract with the UAE’s National Electronic Security Authority (NESA), the UAE equivalent of the NSA, that put Gericke in the hot seat. He renounced his U.S. citizenship in 2017 and is believed to have joined ExpressVPN in December of 2019.
The umbrella of an ITAR/TAA
While in the UAE, Gericke was covered by a State Department-approved ITAR/TAA which was provided to Cyberpoint International, his employer. When the UAE NESA segued the contract away from the U.S. company, Cyberpoint, and moved it to the UAE company DarkMatter, Gericke and his colleagues were no longer operating under the umbrella of the ITAR/TAA. Their work for the infamous Project Raven and the follow-on Project Karma was now being conducted on behalf of the UAE. Project Raven targeted terrorists and foes of the UAE, according to the Reuters January 2019 exposé. Project Karma targeted those as well as U.S. companies and international journalists, via a zero-click exploit of the iPhone.
Gericke accepted a deferred prosecution agreement “regarding violations of U.S. export control, computer fraud and access device fraud laws.”
“Left unregulated, the proliferation of offensive cyber capabilities undermines privacy and security worldwide. Under our International Traffic in Arms Regulations, the United States will ensure that U.S. persons only provide defense services in support of such capabilities pursuant to proper licenses and oversight,” said Acting U.S. Attorney Channing D. Phillips of the District of Columbia. “A U.S. person’s status as a former U.S. government employee certainly does not provide them with a free pass in that regard.”
What does ExpressVPN say?
ExpressVPN must have seen this coming, as the announcement of the acquisition by Kape Technologies came six days after Gericke had accepted the deferred prosecution agreement and two days before that agreement was made public by the DOJ. That left ample time to put in place holding responses to the critics the company knew would surely appear.
Internally, the employees of ExpressVPN questioned the company culture with someone of Gericke’s background involved with the company. The company’s response was clear and concise, explaining that the company knew of his background when he was hired, did not know that the work in the UAE with DarkMatter was illegal with respect to the U.S., and had full confidence in Gericke in advancing the security of the company’s VPN offering. They explained that Gericke brought to the table a different way of looking at threats, given his experiences having worked on the offensive side of the equation, according to Reuters.
To the public critics, like Snowden, the company went on to post a specific blog post in which they discuss at length the value Gericke brings to their table and how, “We hope this blog post has helped shed light on why we believe that we provide the most rigorous privacy and security protections in the industry, and how, by applying his background and expertise, Daniel has been central in helping ExpressVPN protect our customers.”
FSOs take note
Facility Security Officers (FSOs) and their staff need to take note of this case and the teachable moment it provides. Perhaps Gericke renouncing his citizenship was his way of absolving himself from the broken trust and ethics exhibited with respect to Project Raven and Karma. The former was covered by a State Department-approved ITAR/TAA and performed via a U.S. government-cleared contractor working with the UAE government's NESA with the consent of the U.S. government. When that contract expired, those employees should have stepped away from the UAE work. Some did; Gericke didn’t.
Whether their employer at the time, Cyberpoint, explained the situation is unclear. For those multinational entities whose FSOs are also responsible for the ITAR engagement, keep this scenario in mind for when those foreign contracts conclude.
It’s helpful that national security contractors have many options to choose from when it comes to VPN providers. It’s best to choose one that aligns well with needs, capabilities, and security guidelines.