The mercenary threat of U.S. hackers-for-hire

- ADVERTISEMENT -

In the summer of 2012, an Iranian computer virus named Shamoon wiped data from tens of thousands of computers at two of the Middle East’s most important energy companies, Saudi Aramco and Qatar’s Ras Gas. Shamoon was no Stuxnet: Unlike the Israeli digital weapon that destroyed nuclear centrifuges in the Islamic Republic, the virus that attacked the energy companies did little damage to their operations.

But the demonstration of their vulnerability panicked policymakers in the Gulf Arab states. Saudi Arabia, Qatar, the United Arab Emirates, Kuwait and Oman all turned to the U.S. for expertise to protect their vital national resources against cyberattacks. With the blessings of the Obama administration, American defense contractors specializing in cybersecurity were happy to help.

To meet the surging demand for their services, these firms recruited cyber-operatives and analysts from U.S. intelligence agencies, offering what one former Federal Bureau of Investigations agent described to me as “buy-yourself-a-Ferrari” salaries. For some, their job description evolved from playing defense against hackers to going on the offense, heading attackers off at the pass. Others were assigned to counterterrorism operations, doing for their new clients what they had previously done for their country, and often using the same tools.

Nobody in Washington heard the sound of a can of worms being opened.

But it wasn’t very long before there were inklings of where the worms had wriggled off to. Within a couple of years, word was filtering back to the U.S. intelligence community that some of their former colleagues were being deployed as cyber-spies, to hack into the phones and computers of political dissidents, rights activists and journalists. These targets included American citizens.

The first clear sight of what the worms were up to came from a 2019 investigation by Reuters into the role of former U.S. intelligence operatives in a UAE operation that, among other things, allegedly snooped on government critics. Earlier this summer, the UAE was among several governments accused of using spyware created by the Israeli company NSO Group to hack the smartphones of journalists, activists and business executives worldwide.

In January, the Central Intelligence Agency’s counterintelligence chief, Sheetal T. Patel, took the unprecedented step of warning retired officers against working for any foreign government. Although she didn’t specifically cite cyber-espionage as an area of concern, the intelligence community could hardly be in any doubt about the nature of her concerns. Now, three men have admitted they shared critical American defense technology and secrets with Emirati government agencies and at least one unnamed private company. In an agreement with the U.S. Justice Department, Marc Baier, Ryan Adams and Daniel Gericke have agreed to pay nearly $1.7 million to resolve criminal charges of computer fraud, access device fraud and violating export controls.

But we may not yet know all the consequences of opening that can of worms. The U.S. routinely sells sophisticated military hardware and software to allies, and it is plainly in the American interest to help friendly countries ward off cyber-threats. There are rules to prevent these cyber-tools and expertise from being used against U.S. citizens. Companies providing services to foreign governments must get clearances from the State Department, the Department of Defense and, often, from the National Security Agency.

The companies know there are red lines. For instance, the International Traffic in Arms Regulations require cybersecurity firms to forswear targeting Americans.

But policing this space is fiendishly difficult. It is especially hard to account for individuals acting badly. The three men allegedly helped to create “zero-click” hacking systems, capable of compromising devices without any action by the targets. These systems may have given their employers access tens of millions of devices.

Will the Justice Department’s action against Baier, Adams and Gericke deter others from following in their footsteps? Mark Lesko, the acting assistant attorney general of the department’s National Security Division has warned that “hackers-for-hire and those who otherwise support such activities… should fully expect to be prosecuted for their criminal conduct.”

At the very least, they now know that the U.S. government is on alert. With luck, whistleblowers will now be encouraged to come forward with revelations about shady activity by other former intelligence operatives.

But companies will worry that the case will spook their employees and make it harder to recruit from the intelligence community, and force foreign governments to look elsewhere for cyber-security services. Their Russian rivals, to name just one, are not constrained by the same rules and anxieties.

But that’s a whole other can of worms.

– – –

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners. Bobby Ghosh is a Bloomberg Opinion columnist. He writes on foreign affairs, with a special focus on the Middle East and Africa.