Financial Mail and Business Day

US tries to put cyber worms back in the can

Bobby Ghosh

In the summer of 2012, an Iranian computer virus named Shamoon wiped data from tens of thousands of computers at two of the Middle East’s most important energy companies, Saudi Aramco and Qatar’s Ras Gas.

The virus did little damage to operations. But the demonstration of their vulnerability panicked policymakers in the Gulf Arab states. Saudi Arabia, Qatar, the United Arab Emirates, Kuwait and Oman turned to the US for expertise to protect their vital national resources against cyberattacks. With the blessings of the Obama administration, American defence contractors specialising in cybersecurity were happy to help.

To meet the surging demand for their services, these firms recruited cyberoperatives and analysts from US intelligence agencies, offering what one former FBI agent described to me as “buy yourself a Ferrari” salaries.

Nobody in Washington heard the sound of a can of worms being opened.

But it wasn’t very long before there were inklings of where the worms had wriggled off to. Within a couple of years, word was filtering back to the US intelligence community that some of their former colleagues were being deployed as cyberspies, to hack into the phones and computers of political dissidents, rights activists and journalists. The targets included American citizens.

The first clear sight of what the worms were up to came from a 2019 investigation by Reuters into the role of former US intelligence operatives in a UAE operation that allegedly snooped on government critics. Earlier this summer, the UAE was among several governments accused of using spyware created by the Israeli company NSO Group to hack the smartphones of journalists, activists and business executives.

In January, CIA counterintelligence chief Sheetal T Patel took the unprecedented step of warning retired officers against working for any foreign government. Although she didn’t specifically cite cyberespionage as an area of concern, the intelligence community could hardly be in any doubt about the nature of her concern.

Now three men have admitted they shared critical US defence technology and secrets with Emirati government agencies and at least one unnamed private company. In an agreement with the US justice department, Marc Baier, Ryan Adams and Daniel Gericke agreed to pay nearly $1.7m to resolve criminal charges of computer fraud, access device fraud and violating export controls.

But we may not yet know all the consequences of opening that can of worms. The US routinely sells sophisticated military hardware and software to allies, and it is plainly in the interests of the US to help friendly countries ward off cyberthreats.

There are rules to prevent these cybertools and expertise from being used against US citizens. Companies providing services to foreign governments must get clearances from the state department, the department of defence and, often, from the National Security Agency.

The companies know there are red lines. For instance, the International Traffic in Arms Regulations require cybersecurity firms to forswear targeting Americans.

But policing this space is fiendishly difficult. It is especially hard to account for individuals acting badly. The three men allegedly helped to create “zero-click” hacking systems, capable of compromising devices without any action by the targets. These systems may have given their employers access to tens of millions of devices.

Will the justice department’s action against Baier, Adams and Gericke put others off following in their footsteps? Mark Lesko, the acting assistant attorney-general of the department’s National Security Division, has warned that “hackers for hire and those who otherwise support such activities ... should fully expect to be prosecuted for their criminal conduct”.

INTERNATIONAL

2021-09-23T07:00:00.0000000Z

https://timesmedia2.pressreader.com/article/281672553086762

Arena Holdings PTY