From Ellen Nakashima, Washington Post: In the spring of 2010, a sheik in the government of Qatar began talks with the U.S. consulting company Booz Allen Hamilton about developing a plan to build a cyber-operations center.
He feared Iran’s growing ability to attack its regional foes in cyberspace and wanted Qatar to have the means to respond.
Several months later, officials from Booz Allen and partner firms met at the company’s sprawling Tysons Corner campus to review the proposed plan. . . .
That was when J. Michael McConnell, a senior vice president at Booz Allen and former director of national intelligence in the George W. Bush administration, learned that Qatar wanted U.S. personnel at the keyboards of its proposed cyber-center, potentially to carry out attacks on regional adversaries.
“Are we talking about actually conducting these operations?” McConnell asked, according to several people at the meeting. When someone said that was the idea, McConnell uttered two words: “Hold it. . . .”
“We can’t have Americans at the keyboard running offensive operations,” said McConnell, a retired admiral who also ran the top-secret National Security Agency, according to those present. “It could be interpreted as an act of war.”
The Qatar incident highlights the reality of a new arms race — the worldwide push to develop offensive and defensive cyber-capabilities. Like many other countries, Qatar wanted to improve its computer defenses in the face of a growing network warfare threat. And like others, Qatar turned to the United States, where technology firms are acknowledged leaders in the field of cyberwarfare and cyberdefense. . . .
Qatar, Saudi Arabia and countries such as Kuwait, Oman and the United Arab Emirates now are clamoring for cyber-tools and expertise. Like Qatar in 2010, many want help from the U.S. government and U.S. companies. Saudi Arabia is setting up a cyber-unit for defensive purposes and Saudi Aramco has hired U.S. consultants to help protect its networks.
The United States and its defense contractors have long sold sophisticated arms to allies and provided training in their use. Cyber-technology is the latest weapon to emerge as a product.
The export of these tools and instructions for using them is new enough that industry and government are still struggling to define a threshold that ensures that U.S. firms remain competitive in the global market, that allies can defend themselves and that the skills and technology do not wind up in the wrong hands. . . .
“Every modern country in the world is creating some sort of offensive or defensive cyber-capability either in its military or intelligence service,” said Richard A. Clarke, a former senior U.S. counterterrorism official whose firm Good Harbor provides cybersecurity advice but does not currently work for any foreign government in that area. “It’s getting to be the norm. . . .”
Under State Department export-control rules, U.S. companies need a license to train foreign governments in cyber-capabilities for a national security purpose. License applications are reviewed by the Pentagon’s Defense Technology Security Administration. The National Security Agency, which conducts electronic surveillance on foreign intelligence targets overseas, may also be consulted.
The State Department declined to say how many licenses have been issued. But one company, CyberPoint of Baltimore, was granted a license to provide advice on cyberdefense and policy to the United Arab Emirates. In September, the UAE established the National Electronic Security Authority to protect its computers against cyberthreats. Cyber Point declined to talk about the UAE license, but industry officials said its work is defensive, not operational. . . .
Booz Allen is not the only U.S. company to offer cyber services. So do major defense contractors such as Lockheed Martin, Northrop Grumman and General Dynamics. And the list of allies looking to buy their cyber-wares extends well beyond the Middle East.
But not everyone looks to the United States for help. Ecuador and Venezuela have turned to Cuba, where experts have been trained by top-tier Russians, according to industry officials.
“You thought we had the Wild West now in cyberspace?” said a former senior U.S. official. “We haven’t seen it yet. We thought it was script kiddies hacking computers from their basement, criminal gangs hacking businesses. We haven’t seen the Wild West of nation states and hacktivist organizations flexing cyber-muscle.”