Cyberwar poses dilemma for US defence exporters

 

Washington

In the spring of 2010, a sheik in the government of Qatar began talks with the US consulting company Booz Allen Hamilton about developing a plan to build a cyber-operations center.

He feared Iran's growing ability to attack its regional foes in cyberspace and wanted Qatar to have the means to respond.

Several months later, officials from Booz Allen and partner firms met at the company's sprawling campus in Tysons Corner, Va. to review the proposed plan. They were scheduled to take it to Doha, the capital of the wealthy Persian Gulf state.

That was when J. Michael McConnell, a senior vice president at Booz Allen and former director of national intelligence in the George W. Bush administration, learned that Qatar wanted U.S. personnel at the keyboards of its proposed cyber-center, potentially to carry out attacks on regional adversaries.

"Are we talking about actually conducting these operations?" McConnell asked, according to several people at the meeting. When someone said that was the idea, McConnell uttered two words: "Hold it."

Calls were made to U.S. government officials and experts in the elite world of defense consulting. It became clear to McConnell that the notion of conducting attacks was a deal-killer.

"We can't have Americans at the keyboard running offensive operations," said McConnell, a retired admiral who also ran the top-secret National Security Agency, according to those present. "It could be interpreted as an act of war."

The Qatar incident highlights the reality of a new arms race — the worldwide push to develop offensive and defensive cyber-capabilities. Like many other countries, Qatar wanted to improve its computer defenses in the face of a growing network warfare threat. And like others, Qatar turned to the United States, where technology firms are acknowledged leaders in the field of cyberwarfare and cyberdefense.

The potential worldwide market means that U.S. companies must walk a fine line between selling their products and staying within export controls that are struggling to keep pace with the rapid technological advances in the field.

After Booz Allen backed off, so did Qatar. But not for long, in the case of Qatar.

In August, a cyberattack shut down the website and some internal servers at RasGas, a major producer of liquid natural gas in Qatar. A similar attack destroyed computer data at Saudi Aramco, the Saudi national oil and natural gas operator and the world's most valuable company. In both cases, the U.S. intelligence community has concluded Iran was the aggressor.

A senior Middle Eastern diplomat seconded that view, saying Saudi Arabia is convinced that Iran attacked Aramco "to send a message that we can hurt you." But identifying the sources of cyberattacks is tricky, and some experts said they see no evidence that Iran was behind the episodes.

Iran understands the potential damage from a cyberattack. A virus called Stuxnet, attributed to Israel and the United States, disabled hundreds of centrifuges at its primary uranium enrichment plant in 2009 and 2010. Last year, Iran announced that it had started its own military cyber-unit, and Tehran has been blamed for several cyberattacks.

Qatar, Saudi Arabia and countries such as Kuwait, Oman and the United Arab Emirates now are clamoring for cyber-tools and expertise. Like Qatar in 2010, many want help from the U.S. government and U.S. companies. Saudi Arabia is setting up a cyber-unit for defensive purposes and Saudi Aramco has hired U.S. consultants to help protect its networks.

The United States and its defense contractors have long sold sophisticated arms to allies and provided training in their use. Cyber-technology is the latest weapon to emerge as a product.

The export of these tools and instructions for using them is new enough that industry and government are still struggling to define a threshold that ensures that U.S. firms remain competitive in the global market, that allies can defend themselves and that the skills and technology do not wind up in the wrong hands.

U.S. officials note that they can regulate only U.S. companies. "There's a lot more to be worried about when it comes to firms, organized crime, and others outside the United States who may recognize there are certain countries and organizations willing to pay quite a lot of money" for destructive malware and other cyber-capabilities, said a senior U.S. defense official who was not authorized to speak on the record. "That is extremely worrisome."

But helping friendly countries boost their cyberdefenses against a common foe is desirable to many in and out of the U.S. government.

"Every modern country in the world is creating some sort of offensive or defensive cyber-capability either in its military or intelligence service," said Richard Clarke, a former senior U.S. counterterrorism official whose firm Good Harbor provides cybersecurity advice but does not currently work for any foreign government in that area. "It's getting to be the norm."

Benjamin Powell, a former national security official, said the uncertainty of the new terrain means companies are treading carefully. "It's a sensitive thing for a company to go down the path of training for offense, even with approval," said Powell, a partner at the WilmerHale law firm who advises companies on export controls. "You're closer to the pointy end of the spear."

One challenge is that technology is evolving so quickly that it is difficult for the rules to keep up. Another is that the field is so new that many companies, especially smaller ones, may not always know what is required.

"There's not a lot of convention and structure around this," Powell said.

Under State Department export-control rules, U.S. companies need a license to train foreign governments in cyber-capabilities for a national security purpose. License applications are reviewed by the Pentagon's Defense Technology Security Administration. The National Security Agency, which conducts electronic surveillance on foreign intelligence targets overseas, may also be consulted.

The State Department declined to say how many licenses have been issued. But one company, CyberPoint of Baltimore, was granted a license to provide advice on cyberdefense and policy to the United Arab Emirates. In September, the UAE established the National Electronic Security Authority to protect its computers against cyberthreats. Cyber Point declined to talk about the UAE license, but industry officials said its work is defensive, not operational.

Industry officials interviewed for this article spoke on condition of anonymity because of the sensitivity of the topic and to avoid antagonizing customers.

The August attacks on RasGas and Saudi Aramco have been traced to a virus dubbed Shamoon. Experts said it wasn't overly sophisticated and was built using commercially available software. But it nearly destroyed more than 30,000 business network computers at Aramco and erased backup copies of data. Operating systems had to be reinstalled, and for two weeks the company could not conduct business.

Given that Saudi Arabian oil provides the vast majority of the kingdom's income and keeps the world's markets relatively stable, shielding Saudi infrastructure from cyberattacks has emerged as a top priority.

Saudi Arabia has been talking with Department of Homeland Security and other U.S. officials to "set up a system where it can provide protection against cyberattacks," said the senior Middle Eastern diplomat.

Technology industry officials said the U.S. government will not approve licenses that would allow a company's personnel to conduct attacks on behalf of another country. And they said there are general concerns about how sophisticated a capability the United States should provide even a friendly country.

Booz Allen is not the only U.S. company to offer cyber services. So do major defense contractors such as Lockheed Martin, Northrop Grumman and General Dynamics. And the list of allies looking to buy their cyber-wares extends well beyond the Middle East.

But not everyone looks to the United States for help. Ecuador and Venezuela have turned to Cuba, where experts have been trained by top-tier Russians, according to industry officials.

"You thought we had the Wild West now in cyberspace?" said a former senior U.S. official. "We haven't seen it yet. We thought it was script kiddies hacking computers from their basement, criminal gangs hacking businesses. We haven't seen the Wild West of nation states and hacktivist organizations flexing cyber-muscle."

Start your day with The Independent, sign up for daily news emails
PROMOTED VIDEO
Have you tried new the Independent Digital Edition apps?
ebooks
ebooksA special investigation by Andy McSmith
Arts and Entertainment
tv

First full-length look is finally here

Life and Style
life
Voices
A mother and her child
voices
Arts and Entertainment
Film director Martin Scorsese
film
News
news

The party's potential nominations read like a high school race for student body president

Voices
The veterans Mark Hayward, Hugh Thompson and Sean Staines (back) with Grayson Perry (front left) and Evgeny Lebedev
charity appealMaverick artist Grayson Perry backs our campaign
Arts and Entertainment
Cold case: Aaron McCusker and Christopher Eccleston in ‘Fortitude’
tvReview: Sky Atlantic's ambitious new series Fortitude has begun with a feature-length special
Voices
Three people wearing masks depicting Ed Miliband, David Cameron and Nick Clegg
voicesPolitics is in the gutter – but there is an alternative, says Nigel Farage
News
i100
News
people
Sport
Chelsea manager Jose Mourinho
footballI have never seen the point of lambasting the fourth official, writes Paul Scholes
Latest stories from i100
Have you tried new the Independent Digital Edition apps?
Independent Dating
and  

By clicking 'Search' you
are agreeing to our
Terms of Use.

iJobs Job Widget
iJobs General

Recruitment Genius: .Net / SQL Developer

£25000 - £35000 per annum: Recruitment Genius: A skilled .NET developer with e...

Recruitment Genius: IT Technical Support Engineer - PC/Mac

£25000 - £30000 per annum: Recruitment Genius: This IT support company are cur...

Ashdown Group: Product Manager - (Product Marketing, Financial Services)

£30000 - £35000 per annum + Benefits: Ashdown Group: Marketing Manager - Marke...

Recruitment Genius: External Relations Executive

£33000 per annum: Recruitment Genius: An External Relations Executive is requi...

Day In a Page

Isis hostage crisis: The prisoner swap has only one purpose for the militants - recognition its Islamic State exists and that foreign nations acknowledge its power

Isis hostage crisis

The prisoner swap has only one purpose for the militants - recognition its Islamic State exists and that foreign nations acknowledge its power, says Robert Fisk
Missing salvage expert who found $50m of sunken treasure before disappearing, tracked down at last

The runaway buccaneers and the ship full of gold

Salvage expert Tommy Thompson found sunken treasure worth millions. Then he vanished... until now
Homeless Veterans appeal: ‘If you’re hard on the world you are hard on yourself’

Homeless Veterans appeal: ‘If you’re hard on the world you are hard on yourself’

Maverick artist Grayson Perry backs our campaign
Assisted Dying Bill: I want to be able to decide about my own death - I want to have control of my life

Assisted Dying Bill: 'I want control of my life'

This week the Assisted Dying Bill is debated in the Lords. Virginia Ironside, who has already made plans for her own self-deliverance, argues that it's time we allowed people a humane, compassionate death
Move over, kale - cabbage is the new rising star

Cabbage is king again

Sophie Morris banishes thoughts of soggy school dinners and turns over a new leaf
11 best winter skin treats

Give your moisturiser a helping hand: 11 best winter skin treats

Get an extra boost of nourishment from one of these hard-working products
Paul Scholes column: The more Jose Mourinho attempts to influence match officials, the more they are likely to ignore him

Paul Scholes column

The more Jose Mourinho attempts to influence match officials, the more they are likely to ignore him
Frank Warren column: No cigar, but pots of money: here come the Cubans

Frank Warren's Ringside

No cigar, but pots of money: here come the Cubans
Isis hostage crisis: Militant group stands strong as its numerous enemies fail to find a common plan to defeat it

Isis stands strong as its numerous enemies fail to find a common plan to defeat it

The jihadis are being squeezed militarily and economically, but there is no sign of an implosion, says Patrick Cockburn
Virtual reality thrusts viewers into the frontline of global events - and puts film-goers at the heart of the action

Virtual reality: Seeing is believing

Virtual reality thrusts viewers into the frontline of global events - and puts film-goers at the heart of the action
Homeless Veterans appeal: MP says Coalition ‘not doing enough’

Homeless Veterans appeal

MP says Coalition ‘not doing enough’ to help
Larry David, Steve Coogan and other comedians share stories of depression in new documentary

Comedians share stories of depression

The director of the new documentary, Kevin Pollak, tells Jessica Barrett how he got them to talk
Has The Archers lost the plot with it's spicy storylines?

Has The Archers lost the plot?

A growing number of listeners are voicing their discontent over the rural soap's spicy storylines; so loudly that even the BBC's director-general seems worried, says Simon Kelner
English Heritage adds 14 post-war office buildings to its protected lists

14 office buildings added to protected lists

Christopher Beanland explores the underrated appeal of these palaces of pen-pushing
Human skull discovery in Israel proves humans lived side-by-side with Neanderthals

Human skull discovery in Israel proves humans lived side-by-side with Neanderthals

Scientists unearthed the cranial fragments from Manot Cave in West Galilee