Picture: 123RF/PWSTUDIO

In the summer of 2012, an Iranian computer virus named Shamoon wiped data from tens of thousands of computers at two of the Middle East’s most important energy companies, Saudi Aramco and Qatar’s Ras Gas.

Shamoon was no Stuxnet. Unlike the Israeli digital weapon that destroyed nuclear centrifuges in the Islamic Republic, the virus that attacked the energy companies did little damage to their operations.

But the demonstration of their vulnerability panicked policymakers in the Gulf Arab states. Saudi Arabia, Qatar, the United Arab Emirates, Kuwait and Oman turned to the US for expertise to protect their vital national resources against cyberattacks. With the blessings of the Obama administration, American defence contractors specialising in cybersecurity were happy to help.

To meet the surging demand for their services, these firms recruited cyber-operatives and analysts from US intelligence agencies, offering what one former FBI agent described to me as “buy-yourself-a-Ferrari” salaries. For some, their job description evolved from playing defence against hackers to going on the offence, heading attackers off at the pass. Others were assigned to counterterrorism operations, doing for their new clients what they previously did for their country, and often using the same tools.

Nobody in Washington heard the sound of a can of worms being opened.

But it wasn’t very long before there were inklings of where the worms had wriggled off to. Within a couple of years, word was filtering back to the US intelligence community that some of their former colleagues were being deployed as cyberspies, to hack into the phones and computers of political dissidents, rights activists and journalists. These targets included American citizens.

The first clear sight of what the worms were up to came from a 2019 investigation by Reuters into the role of former US intelligence operatives in a UAE operation that, among other things, allegedly snooped on government critics. Earlier this summer, the UAE was among several governments accused of using spyware created by the Israeli company NSO Group to hack the smartphones of journalists, activists and business executives worldwide.

In January, CIA counterintelligence chief Sheetal T Patel took the unprecedented step of warning retired officers against working for any foreign government. Although she didn’t specifically cite cyber-espionage as an area of concern, the intelligence community could hardly be in any doubt about the nature of her concern.

Now three men have admitted they shared critical US defence technology and secrets with Emirati government agencies and at least one unnamed private company. In an agreement with the US justice department, Marc Baier, Ryan Adams and Daniel Gericke agreed to pay nearly $1.7m to resolve criminal charges of computer fraud, access device fraud and violating export controls.

But we may not yet know all the consequences of opening that can of worms. The US routinely sells sophisticated military hardware and software to allies, and it is plainly in the interests of the US to help friendly countries ward off cyberthreats. There are rules to prevent these cybertools and expertise from being used against US citizens. Companies providing services to foreign governments must get clearances from the state department, the department of defence and, often, from the National Security Agency.

The companies know there are red lines. For instance, the International Traffic in Arms Regulations require cybersecurity firms to forswear targeting Americans.

But policing this space is fiendishly difficult. It is especially hard to account for individuals acting badly. The three men allegedly helped to create “zero-click” hacking systems, capable of compromising devices without any action by the targets. These systems may have given their employers access to tens of millions of devices.

Will the justice department’s action against Baier, Adams and Gericke put others off following in their footsteps? Mark Lesko, the acting assistant attorney-general of the department’s National Security Division, has warned that “hackers-for-hire and those who otherwise support such activities ... should fully expect to be prosecuted for their criminal conduct”.

At the very least, they now know that the US government is on the alert. With luck, whistle-blowers will now be encouraged to come forward with revelations about shady activity by other former intelligence operatives.

But companies will worry that the case will spook their employees and make it harder to recruit from the intelligence community, forcing foreign governments to seek cybersecurity services elsewhere. Their Russian rivals, to name just one, are not constrained by the same rules and anxieties. But that’s a whole other can of worms.

Bloomberg Opinion More stories like this are available on bloomberg.com/opinion
