Business Day

US tries to put cyber worms back in the can

- Bobby Ghosh

In the summer of 2012, an Iranian computer virus named Shamoon wiped data from tens of thousands of computers at two of the Middle East’s most important energy companies, Saudi Aramco and Qatar’s Ras Gas.

The virus did little damage to operations. But the demonstration of their vulnerability panicked policymakers in the Gulf Arab states. Saudi Arabia, Qatar, the United Arab Emirates, Kuwait and Oman turned to the US for expertise to protect their vital national resources against cyberattacks. With the blessings of the Obama administration, American defence contractors specialising in cybersecurity were happy to help.

To meet the surging demand for their services, these firms recruited cyberoperatives and analysts from US intelligence agencies, offering what one former FBI agent described to me as “buy yourself a Ferrari” salaries.

Nobody in Washington heard the sound of a can of worms being opened.

But it wasn’t very long before there were inklings of where the worms had wriggled off to. Within a couple of years, word was filtering back to the US intelligence community that some of their former colleagues were being deployed as cyberspies, to hack into the phones and computers of political dissidents, rights activists and journalists. The targets included American citizens.

The first clear sight of what the worms were up to came from a 2019 investigation by Reuters into the role of former US intelligence operatives in a UAE operation that allegedly snooped on government critics. Earlier this summer, the UAE was among several governments accused of using spyware created by the Israeli company NSO Group to hack the smartphones of journalists, activists and business executives.

In January, CIA counterintelligence chief Sheetal T Patel took the unprecedented step of warning retired officers against working for any foreign government. Although she didn’t specifically cite cyberespionage as an area of concern, the intelligence community could hardly be in any doubt about the nature of her concern.

Now three men have admitted they shared critical US defence technology and secrets with Emirati government agencies and at least one unnamed private company. In an agreement with the US justice department, Marc Baier, Ryan Adams and Daniel Gericke agreed to pay nearly $1.7m to resolve criminal charges of computer fraud, access device fraud and violating export controls.

But we may not yet know all the consequences of opening that can of worms. The US routinely sells sophisticated military hardware and software to allies, and it is plainly in the interests of the US to help friendly countries ward off cyberthreats.

There are rules to prevent these cybertools and expertise from being used against US citizens. Companies providing services to foreign governments must get clearances from the state department, the department of defence and, often, from the National Security Agency.

The companies know there are red lines. For instance, the International Traffic in Arms Regulations require cybersecurity firms to forswear targeting Americans.

But policing this space is fiendishly difficult. It is especially hard to account for individuals acting badly. The three men allegedly helped to create “zero-click” hacking systems, capable of compromising devices without any action by the targets. These systems may have given their employers access to tens of millions of devices.

Will the justice department’s action against Baier, Adams and Gericke put others off following in their footsteps? Mark Lesko, the acting assistant attorney-general of the department’s National Security Division, has warned that “hackers for hire and those who otherwise support such activities ... should fully expect to be prosecuted for their criminal conduct”.
