Biden to Putin: Get your ransomware gangs under control and don’t you dare cyber-attack our infrastructure

US President Joe Biden and his Russian Federation counterpart Vladimir Putin have traded barbs over cyber-attacks at a summit meeting staged yesterday in Switzerland. The readout of Biden’s post-summit press conference states that what the two presidents “… spent a great deal of time on was cyber and cybersecurity.” “I talked …

  1. Pete 2 Silver badge

    People who live in glass houses ...

    > The (Russian) President added that Russia stands accused of ten attacks on US entities, but sent 45 complaints about US-sourced attacks to Washington in 2020 and another 35 so far in 2021.

    It does seem to me that the Americans are far more concerned with their own cyber-vulnerabilities than the Russians are with theirs. Even though the solution is entirely (OK, maybe not entirely) within their own control. It seems to me that if the SIX TRILLION DOLLAR MAN can toss around such huge sums as part of his "plans" for the USA, then it wouldn't take a particularly large portion of that money to build up the electronic defences of those 16 "specific entities" that seem to present the hacking world with a list of easy targets.

    And for those that cannot be secured, at least take the obvious measures and remove them from harm's way by getting them off the public internet.

    1. doublelayer Silver badge

      Re: People who live in glass houses ...

      It's not sixteen specific entities, but sixteen classes of targets. They could still do some things to better secure them, but it's at least hundreds of individual targets, e.g. different parts of the nationwide water system.

      1. DS999 Silver badge

        Re: People who live in glass houses ...

        Every city / metro area has its own water system and its own sewer system. That's tens of thousands of targets alone. If you add all 16 categories up they aren't hundreds of individual targets but more like hundreds of thousands. At least.

        1. Michael Wojcik Silver badge

          Re: People who live in glass houses ...

          Yup. And history has shown, extensively, that improving security for legacy systems is difficult. It's not just a matter of throwing money at the problem.

          The Biden administration has already (with much fanfare) encouraged IT security improvements in Federal systems with Biden's Executive Order. Whether that will have any practical effect is debatable, and indeed has been debated at great length. But it's not like the administration is just ignoring the need for local action as well as diplomacy.

    2. DS999 Silver badge
      FAIL

      Obviously you don't know much about IT security

      Even companies that have great processes in place get attacked, because new exploits are discovered against common software/tools every day. Lax security makes it easier, but even the best security will not let you sleep peacefully. People trying to secure things have to be right 100% of the time, the attackers have to be right only one time.

      Plus the federal government can't easily force state/local governments and private business to improve their security. Let's say they allocate many billions of dollars to this. How do they spend it, do they send in a crack team of FBI/NSA hackers to force the fixes at gunpoint? Do they just write all these entities a check and hope they spend it wisely instead of making a few simple fixes and then wasting the rest on hookers and blow?

      1. NoneSuch Silver badge
        Devil

        TLDR

        If they specifically target you, no one is safe.

  2. Pascal Monett Silver badge

    It goes both ways

    We regularly hear, from Washington, about how a Russian hacker group is guilty of trying this or that. What we never hear of is what the NSA is doing in Russia, and nobody is going to be surprised to learn that the NSA has its fingers in Russia. I do not believe that the NSA is sitting pretty, hands away from keyboard, not doing anything in Russia.

    Russia has sent 45 inquiries? Why haven't we heard about that?

    If this situation is to be resolved, transparency will be needed on both sides. So come on, out with the dirty NSA laundry already.

    1. Anonymous Coward

      Re: It goes both ways

      We certainly heard about US-ian activities versus the Soviet Union; there was a well documented and carefully planned cyber attack in the 80's that blew a pipeline up.

      More recent activities, well, everyone denies where stuxnet came from but there are two logical candidates that are known to co-operate in such matters and have overt reason to target the country it was intended to hit.

      Brit Gov has made no secret of intent to develop and improve its offensive capabilities.

      Nobody is clean in this business. You have to question the motives at state level. Screwing economies up is generally bad for everyone. Are those offensive capabilities a MAD gesture (i.e. don't you dare mess with me because I'll mess with you) or something larger, pre-emptive?

      Black Energy in the Ukraine had absolutely obvious motives to contribute to the eventual land grab - and specifically, that deep water port much desired.

      For me, the critical thing here is getting funding to those critical systems that we simply cannot afford to have them messed with so the opportunities to interfere are blocked. Underfunding of control systems is endemic amongst utility regulators; Ofgem and Ofwat both have blocked all of the work utilities WANT to do in this space. I might add that these blocks are at odds with what BEIS and the security Quangos want the utilities to do too.

      Stupid bloody game and it'll end with a bunch of people getting hurt - at least financially. Maybe worse.

      AC because of accusations levelled at regulators!

    2. Anonymous Coward

      Re: It goes both ways

      From the article:

      "The President added that Russia stands accused of ten attacks on US entities, but sent 45 complaints about US-sourced attacks to Washington in 2020 and another 35 so far in 2021."

      President Putin has been told that Russia has sent 80 complaints to Washington. We in the wider world don't know any details of these complaints, as neither Russia nor the US has released any details. Perhaps if Russia released details of these complaints, it would make the situation clearer.

      You state

      "Russia has sent 45 inquiries? Why haven't we heard about that?"

      Without more information, we just don't know. Is the answer to your question "The complaints are fictitious. The numbers are made up.", or is the answer "These were all US-Govt-backed hacking attempts against the Russian State." Much more likely, it's somewhere in between (perhaps "The attempts were from compromised or rented computers on US soil, but the originators were elsewhere.")

      You are absolutely right that we don't see Russia airing the NSA's dirty laundry. Does that mean that they are choosing not to, or that it doesn't exist? Russia isn't saying. Doesn't that fact give you pause for thought?

    3. ST Silver badge
      Devil

      Re: It goes both ways

      > What we never hear of is what the NSA is doing in Russia [ ... ]

      You can always call them (NSA) and ask.

      1. stiine Silver badge

        Re: It goes both ways

        Or you can call your grandmother and ask because there's no need to look up a new phone number -- the NSA has them all tapped.

    4. DS999 Silver badge

      The NSA isn't trying to exploit everything it can find

      Not trying to let them off the hook, but which is worse: 1) the CIA/NSA attacking a small number of targets with specific goals (which probably include "don't break anything so we can continue to exfiltrate data") or 2) allowing criminal gangs to run rampant who will indiscriminately attack tens of thousands of targets per year from the smallest business or municipal government to the largest, because the attacks are automated and every successful attack adds to their bottom line?

      1. martinusher Silver badge

        Re: The NSA isn't trying to exploit everything it can find

        We really don't know what the NSA is trying to exploit. We know that they collect vast troves of information, we know they developed a bunch of mostly Windows hacking tools and we know they had systematic exploits in place. At the time -- this is years ago -- we were warned that trying to keep vulnerabilities secret was a losing game, sooner or later they'd be discovered and they'd be turned against us.

        Curiously enough, though, most exploits don't start with looking for obscure buffer overflow or privilege escalation bugs. They, like the Colonial pipeline exploit, started with a generic phish. Phishes work because we insist that email should be webpages and include active content (a real plaintext mail is completely bulletproof). The phish works because our systems are vulnerable to remote downloads, requiring just a user mouse click to load anything. This is really our fault for relying on obsolete software (it just won't work to tell people not to click on attachments -- sooner or later someone will). Anyway, blaming 'the Russians' is about as meaningful as blaming 'the Martians' -- maybe there's some Russians involved, maybe not. Most actual crime (rather than the tools) seems to originate from the US and UK although we can't be sure that the criminals are physically based there.

        1. DS999 Silver badge

          Re: The NSA isn't trying to exploit everything it can find

          Well that "starting with a generic phish" is the big difference. If the NSA hacks you, it is because you were specifically targeted and there's nothing you can do to secure yourself other than unplugging (not the network cable, the power cable)

          The reason you blame the Russians is because we know where these criminal gangs are, they know where these criminal gangs are. If Putin wanted them to stop, they'd stop because they would like the inside of a Russian prison a lot less than the inside of an American prison.

          Personally I think the switch from low value to high value targets in the past months could not have occurred without Putin's blessing. Previously the government probably told them "as long as you don't attract too much attention in your targets we won't bother you". With Trump gone there was no longer any reason for Putin to hold them back.

        2. Michael Wojcik Silver badge

          Re: The NSA isn't trying to exploit everything it can find

          > a real plaintext mail is completely bulletproof

          That's simply not true. We have plenty of documented instances of successful spearphishing and BEC using plaintext email (or, at any rate, not using links or other HTML features as part of the exploit). We have plenty of instances of other email-based social engineering that doesn't require HTML, such as 419 scams.

          I expect there are cases of conventional phishing working through plaintext email. There's no reason why you can't in principle convince some users to copy and paste a hostile URL.

          Social engineering works over any human communications channel.

          1. amanfromMars 1 Silver badge

            Re: The NSA isn't trying to exploit everything it can find

            User error, ..... the gift that keeps on rocking and rolling along and just giving.

            And to not accept and realise it is a semi-permanent ACTive communications feature to be worked around, has one catastrophically vitally disadvantaged in the astute agile and virtually dynamic fields for exploitation and enjoyment, deployment and employment in future progressing presentations, and stuck in a stagnant static loop position of perpetual loss and zero positive gain, and thus are you destined to have your fates decided by others practically unknown and virtually anonymous.

            Enjoy the coming rides ..... which you are responsible for phorming.

  3. _LC_ Silver badge
    Facepalm

    *lol*

    https://www.theregister.com/2021/06/17/gprs_encryption_backdoor/

    "GPRS-era mobile data encryption algorithm GEA/1 was 'weak by design', still lingers in today's phones"

  4. _LC_ Silver badge
    Happy

    Just want to add this from Germany

    https://www.nachdenkseiten.de/?p=73413

    Translation of the title. "When the representative of the killer-nation calls his colleague a killer"

    The picture underlying the title is from David Talbot's book "The Devil's Chessboard" about the Kennedy assassination.

    I have to say that the US (and their dogs from the press) pointing fingers is creating nothing but laughter increasingly.

  5. cb7

    Funny how we bomb the crap out of countries that attack our interests but who are not capable of hitting back in a meaningful way, but take a more softly softly approach with larger adversaries.

    In any case, why aren't smaller businesses off limits? Ransomware attacks can and do result in many smaller companies going out of business.

    Who needs to deal drugs for cash when you can deal ransomware and reap bitcoin? Seems like it's a crime that largely goes unpunished.

    1. Julz Silver badge

      The

      Raison d'etre for having a big stick or as others call it, a nuclear deterrent.

    2. imanidiot Silver badge
      Mushroom

      "In any case, why aren't smaller businesses off limits? Ransomware attacks can and do result in many smaller companies going out of business."

      --> Warning, below opinion of this humble commentard may lead to flames -->

      Because neither the Biden administration nor its cronies care about smaller businesses? Nor did the Trump administration before that, or the Bush (jr) admin before that, or Clinton, or Bush (sr). It's probably been a LONG time since the US elite and politicians cared about smaller businesses.

      1. Graham Cobb Silver badge

        Because ransomware attacks on ordinary companies (large or small) are really a criminal activity but attacks on infrastructure are a military issue because they kill people and affect the country's ability to defend itself.

        Criminal activity is important, but infrastructure attacks are at least two orders of magnitude more important.

  6. wolfetone Silver badge

    Amazing how a country with the economic might of the USA can be so crippled and/or scared of a country with an economy the size of Italy.

    Either Russia are great at doing a lot with very little, or the Yanks are woefully inadequate at basic network security.

    1. _LC_ Silver badge
      Unhappy

      Nah, they just need an enemy. Always, at all times.

    2. imanidiot Silver badge

      Because that small nation still has a very large military force (though much of it a bit out of date still dangerous), a crap ton of nukes and a rather large finger in the pie in European continental politics by way of the backdoor through it containing large amounts of oil and natural gas? Personally I think China is more likely to be the major threat and potentially the next cold war adversary but we'll all just have to wait and see how that all pans out.

      1. Jellied Eel Silver badge

        > Because that small nation still has a very large military force (though much of it a bit out of date still dangerous),

        One of the 'problems' is that Putin/Russia has been spending a lot of money (in relative terms) modernising and training its forces. See-

        https://en.wikipedia.org/wiki/List_of_countries_by_number_of_military_and_paramilitary_personnel

        And this bit-

        > For example, the United States Armed Forces has a tooth-to-tail ratio of 17%, meaning that for every combat unit there are around five support units.

        Which is a problem for the US military. And other NATO members, eg Germany decided investing in creche facilities was more important than having working tanks. Or modernising its tanks. The UK is, but although it'll be fitted with a new, improved German gun.

        > and a rather large finger in the pie in European continental politics by way of the backdoor through it containing large amounts of oil and natural gas?

        Yes, well, the black gold has always been a problem. Like Ukraine getting a tad worried that Russian oil & gas will bypass Ukraine, and thus it'll lose the transit revenues it skims off. Or just taking gas and not paying for it. Not sure if those disputes have been resolved yet. But the big man can always ask Hunter, given he worked (allegedly) for one of Ukraine's largest energy companies.

        But then Ukraine's in a rather tough spot. It lost Crimea and the break-away regions, and it's got a bit of a problem with neo-Nazis. So that doesn't exactly endear them to the EU. That makes Ukraine's accession about as likely as Turkey, despite its 'color' revolution to pivot away from its previous main trading partner to the EU. Who naturally imposed tariffs and quotas on Ukrainian produce.

        And then of course the US had a bit of an energy revolution with shale gas. And produces more than it can use, so built a bunch of LNG export terminals.. And then of course would rather prefer the EU got American gas. Even if that's more expensive than simply piping it from Russia.

        But such is politics. Russia is a rather huge country that is very rich in natural resources. It's gone from being a large importer of grains to a large exporter. Which also means it competes with other countries' agricultural sector.. Which could end up being rather ironic, if the US is heading towards dust bowl conditions and would need to import. And of course there's California. Large producer of fruit & nuts, but running out of water. It was a great idea to grow water heavy crops like soft fruit & almonds in a state that's got a lot of desert, and not much water. It could fix some of those problems with a few nukes* and some desalination plants to water its population.

        But Russia exports fun stuff like titanium, which is a rather handy metal. Ok, so there's a bunch of sanctions preventing US companies from trading with Russia. But the US has worked around that, like during the Cold War when it needed titanium for some of its strategic projects. Russia can always sell strategic minerals to China or India instead.

        And of course if Biden decides he's going to live up to his Time magazine cover image, he might get tougher on both Russia and China.. Who of course might retaliate, and the supply of minerals and rare earths dries up. That would be awkward..

        *power stations, not glassing some of its problem areas.

        1. Cliffwilliams44 Bronze badge

          "And of course if Biden decides he's going to live up to his Time magazine cover image, he might get tougher on both Russia and China.. Who of course might retaliate, and the supply of minerals and rare earths dries up. That would be awkward.."

          Don't hold your breath! I am sure China/Russia has all the receipts for the payments made to Hunter that were passed on to the "Big Guy".

          Does anyone besides the "Dementia in Chief" and his adolescent staff really think Russia and China care a shit about their "Standing in the international community?" Europe is, or will soon be, addicted to Russian oil and gas and they already are addicted to Chinese money!

    3. HausWolf

      The shareholders don't like paying for that basic network security, after all, they already purchased some politicians.

      1. _LC_ Silver badge

        We had several managers from mobile phone companies coming forward, telling us that they were mandated to use weak and or faulty algorithms.

    4. Michael Wojcik Silver badge

      > Either Russia are great at doing a lot with very little...

      You might want to do a little basic reading on asymmetric conflict.

      In this environment attackers need far less resources than defenders do.

  7. My other car WAS an IAV Stryker Silver badge

    Putin quote

    What I imagine he was thinking: “In my opinion, this is extremely important,” Putin said, that we keep it up and then some.

    1. Michael Wojcik Silver badge

      Re: Putin quote

      To be fair, it is an important topic for high-level US-Russia diplomacy. Putin is perfectly aware that this is a hot issue in the US. He wants to see how the Biden administration is going to frame its diplomacy, what the tone and terms are going to be, so he and his team can construct the framework for Russia's response.

      Putin manages his relationship with the US carefully to minimize the political leverage the US administration has to act against Russian interests, while also minimizing any cost to Russia in concessions to the US. There are, of course, various other aspects of Russian foreign policy which are at least as important to him, but this is certainly one that matters.

  8. DMcDonnell

    I don't believe a word you said.

    Whenever I hear the USA accuse some other country of doing something nefarious my doubt meter pegs!

    Extreme skepticism

  9. Sudosu

    In other news

    Biden Tells Putin what American cities and bases not to target with nuclear weapons.

  10. Anonymous Coward

    FSB are ineffective.

    Dear Vlad,

    If the FSB were any good there would be no Russian hacking gangs and your systems would be impregnable. Please improve yourselves.

    Signed

    Not Saying Anything,

  11. Sub 20 Pilot

    fucking hypocrites.

    As usual.

    US spies on everyone but complains when anyone else does it.

    US has shitload of nukes but complains if anyone else has one.

    US is happy to get cheap stuff from China and sell to the world at massive profit but does not want China to profit or indeed any other nation being able to obtain things from China when the US can sell them the same type of thing.

    Time they practiced a bit of what they throw at the rest of the world.

    Or time the rest of the world start to grow a set of balls and carry on without involving them.

    I know it is not easy but we must make a start.

    1. Cliffwilliams44 Bronze badge

      Re: fucking hypocrites.

      "Or time the rest of the world start to grow a set of balls and carry on without involving them."

      There are many of us in the US who would be perfectly happy with this outcome. Including the man who last sat in the oval office. But then we have Europe, who likes to complain that the US should mind its own business and simultaneously protect them from the rest of the world. Trump caught flak from all of NATO for suggesting you pay your fair share. The share you agreed to. Many of us here would love to pull our troops out of Europe, out of all of the rest of the world, but then people like you, who say you want us out of your affairs call us "Right wing Extremists!" or "Nationalists".

      Why don't you Europeans spend the money, build up your armed forces and defend your own countries and stop depending on the US. Time to grow up!

      The current situation with the US, Russia and China was caused by the Left in the US. Obama, who "said" he wanted a new relationship with Russia started an uprising in a country on Russia's border. Why wouldn't Russia be pissed off at us? He started an insurgency in Russia's main ally in the Middle East, Syria. Why? Syria was one of the only middle eastern countries where Christians could worship openly? The only people Assad was "mean" to were the radical islamists in his country.

      The US left are in bed with the Chinese. They so want to establish the same neo-Fascist regime the Chinese have in this country.

      1. Anonymous Coward

        Re: fucking hypocrites.

        Syria wasn't about religion, it was about Putin having a naval port on the Mediterranean coast.
