Former US State Department cyber man: We didn’t see the Russian threat coming

Cyber threats have evolved from being solely technical issues to core issues of government policy, according to a senior US lawyer and former cyber diplomat. Chris Painter, former co-ordinator for cyber issues at the US State Department, told delegates at the Black Hat EU conference that cyber issues have emerged as a core …

  1. Voland's right hand Silver badge

    “Tech people need to tell policy people about the next coming threat.”

    How Quaint.

    I would have accepted this at face value if USA did not use clandestine and outright open cyberattacks as far back as the 1980s.

    So after concocting this: http://www.telegraph.co.uk/news/worldnews/northamerica/usa/1455559/CIA-plot-led-to-huge-blast-in-Siberian-gas-pipeline.html USA pretends that they have no clue whatsoever about using software as an attack vector.

    It is in the same league with giving "freedom fighters" and "friendly opposition" around the world training on how to use Facebook, social media etc to promote their causes. Something they have been doing for 10 years now.

    It is almost as quaint as pretending that RT is something new and it is not doing exactly what Radio Free Europe and the BBC Russian Service did for 30 years before it.

    It is the same...

    There is a Russian saying: "Кто с мечом к нам придет, от меча и погибнет!". The rough translation is: "Who comes at us with a sword will die by the sword". I would suggest the esteemed gentlemen to do some study of it. It is very enlightening and it is in fact a rephrase of Matthew 26:52: "Put your sword back in its place," Jesus said to him, "for all who draw the sword will die by the sword".

    This relates not only to Russia by the way - StuxNet, stuff being used against China, the previous "not so convenient" Brazil government and pretty much everyone around the world.

    So pretending that he has no clue where it came from is frankly... How to call it... Quaint... How about having a look in the mirror for starters?

    In any case, we will not get anywhere on this one until BOTH sides abide by Matthew 26:52.

    1. Augie
      Pint

      Re: “Tech people need to tell policy people about the next coming threat.”

      Couldn't agree more Sir, very well put.

      1. tim292stro

        Re: “Tech people need to tell policy people about the next coming threat.”

        The problem is, for the past 20 or so years the Government has made it crystal clear that private tech is their adversary, to the point of prison and total annihilation of its own citizens' rights. Now they want help, but we have Pai taking away Title 2, and Congress is still exchanging butt-plugs with RIAA/MPAA while stomping on fair-use...

        I'm not saying I advocate it, but for him as a National Security Analyst, they should be concerned if they were not considering that the destruction of the NSA or CIA in their current form might be a net positive for the whole planet - I'm certain that there are people out there who not only believe that, but are actively working towards that end.

        If you make it a crime to fight crime and investigate new ways people commit crime, the only possible outcome is anarchy.

        Then there is the other side - you and I as readers of The Register are more than likely technically inclined. While The Register reported on this story, I don't think the content the Reg reported was intended for us as an audience. Government Bureaucrats are an advanced persistent threat, and need to be treated as such (with a firewall, IDS/IPS, blue-team, etc...). The audience for these quotes was more likely a skittish and non-technical Congress, who wants to know what money and power they need to throw at an agency to "make the bad man stop"... We see that with the FBI holding their warrants in their hands looking solemn after a mass shooting, because they didn't work with Apple the day-of to unlock a phone or go through the legal requirement of getting a judge to sign a warrant in the first place - "No, just make a permanent back door" they say... then they go in front of cameras and Congress and say "Look! they said 'No we won't help'!!! Make them do it with a new law!!!!".

        Readers can spend all their effort knocking our current President if they want, but the way I see it, once a Government gets to a certain size and power, it tends to create its own "gravity" for more size and power. Companies cut staff due to redundancies, I think it's time we cut the size of our own so that we can even find those groups who are doing the bad stuff inside our own government, and focus our resources on those groups and programs that actually do some good.

    2. Anonymous Coward

      Re: “Tech people need to tell policy people about the next coming threat.”

      Policy people need to stop putting tech people in prison, and start listening to them perhaps.

    3. ecofeco Silver badge

      Re: “Tech people need to tell policy people about the next coming threat.”

      Policy people have this bad habit of only pretending to listen to experts.

      Fuck 'em. If they want to make policy then they need to educate themselves. Can't or won't? Then they are not qualified to make policy, are they, so fuck 'em.

      1. Doctor Syntax Silver badge

        Re: “Tech people need to tell policy people about the next coming threat.”

        "Policy people have this bad habit of only pretending to listen to experts."

        Or of only listening to experts who say what they want to hear.

    4. Anonymous Coward

      There is a Russian saying: ... "Who comes at us with a sword will die by the sword" ... it is in fact a rephrase of Matthew 26:52: "Put your sword back in its place," Jesus said to him, "for all who draw the sword will die by the sword".

      It's not a rephrase; those statements are at odds: one is threatening retaliation while the other says to turn the other cheek if you want to live. Together they imply that Russia will "die by the sword".

      The fact that perpetrators often cannot be identified or brought to justice means that attempting retaliation may harm an innocent person and cause further escalation. If you retaliate against a nation, then you are attacking the innocent 99%+ over the guilty few.

      Another way to rephrase Matthew 26:52 would be: to avoid losing a nuclear war, don't become a nuclear power.

      1. Bear

        Another way to rephrase Matthew 26:52 would be: to avoid losing a nuclear war, don't become a nuclear power.

        I didn't realise that Japan was a nuclear power in August 1945. Not only sword bearers die by the sword.

    5. Tom 38

      Re: “Tech people need to tell policy people about the next coming threat.”

      "Put your sword back in its place," Jesus said to him, "for all who draw the sword will die by the sword"

      If he can put the sword back in place, then he has already drawn it, no? And if he has already drawn it, then his death by sword has already been confirmed, so what is the purpose of putting it away again, the damage has been done.

  2. Martin Gregorie

    Tit for Tat at last?

    One thing that is already possible is greater international co-operation, something that can be achieved through diplomatic channels. Painter explained how whilst at the US State Department he struck a deal to get help from other countries in taking down nodes of a botnet that was attacking US banks in return for a promise of co-operation from the US in the event of those countries needing assistance at some future date.

    So, does that mean that the US will henceforth help the rest of the world to apprehend suspect US nationals and hand them over just as readily and with a similar degree of evidence as they demand from the rest of the world? Given that it would be a 'UGE break with recent practice and tradition, just how likely is that?

  3. Sir Runcible Spoon
    Windows

    “We didn’t see the Russian threat coming,” Painter said. “Tech people need to tell policy people about the next coming threat.”

    Fuck off, perhaps if the policy people had listened when tech people told them about emerging threats 15-20 years ago then you might have a point. Start listening, techies have been warning the morons in charge for ages, they've just been ignored because....NEEEEERRD! Arseholes.

    --> Grumpy today

  4. Anonymous Coward

    "Former US State Department cyber man"?

    Useless tosser, they should hire the Daleks next time.

  5. Gordon Pryra

    nice words

    Until you hear them coming from an American. Probably the most prolific country involved in state sponsored cyber-crime.

    When we hear about Russians or North Koreans it's generally crap information given out to obfuscate our screw ups.

    Some good examples include the NHS blaming North Korea for "CYBER ATTACKS!!" instead of owning up to having spent the budget for upgrading from XP to a proper OS or the Americans claiming that Russia hacked their elections rather than just owning up to having been bank rolled by them.

    The US have become so blasé in their utter disregard to the rest of the world's IT infrastructure that they have even allowed their hacking tool-kits to escape to the wild, allowing criminals access to tools more powerful than ever before. (though I believe an eastern European criminal hacker would still be the more trustworthy user of these tools than the Americans...)

    1. Version 1.0 Silver badge

      Re: nice words

      The USA lost the battle before we even knew we were being attacked ... it's kinda (sadly) amusing watching Putin's sock puppet trying to keep him happy ...

      On the plus side - nobody wins all the time and it will be fun to watch the Trump and the Republican party commit Seppuku in four years' time.

      1. John Smith 19 Gold badge
        Coat

        "it's kinda (sadly) amusing watching Putin's sock puppet trying to keep him happy ..."

        Not necessarily....

        3 of the 4 US presidents who have been murdered were Republicans (of some sort).

        Just saying.

        It's my dinner jacket. I've got tickets to the theatre.

      2. Stevie

        in four years' time

        Don't kid yourself.

        There's no accounting for the sheer levels of stupidity a voter can bring to bear on any problem even at the best of times.

        And in three years if OPOTUS hasn't gotten himself a nice new shootin' war with his own name on it to help give him a landslide re-election I'll be very surprised indeed.

        Well, you didn't think all that Nork and Hamas baiting were from conviction, did you?

  6. amanfromMars 1 Silver badge

    And So IT Begins .....

    ..whilst at the US State Department he struck a deal to get help from other countries in taking down nodes of a botnet that was attacking US banks in return for a promise of co-operation from the US in the event of those countries needing assistance at some future date.

    That was most fortuitous. And a costly debt to repay with the issue of a simple promise.

    “We didn’t see the Russian threat coming,” Painter said. “Tech people need to tell policy people about the next coming threat.”

    Now there's a right royal task. Just where would you like to begin? And at the beginning, with a view to what end?

    Is it nonsense when some may say rules and regulations are made to be broken .... for they always favour unfair competition and a monopoly class of being?

    1. amanfromMars 1 Silver badge

      Re: And So IT Begins ..... Id, ego and super-ego breaking free from virtual chains

      And as for novel innovation and creative invention, are they and that with previously established command and presumed to be in control, absolutely terrified of being extraordinarily rendered for ever more mere spectator rather than leading player with absolute rights to myriad rewards?

  7. Anonymous Coward
    Mushroom

    свобода - это рабство (Freedom is Slavery)

    Thus spaketh tim292stro:

    > [ ... ] the Government has made it crystal clear that private tech is their adversary to the point of prison and total annihilation of its own citizens' rights

    ROFLMAO

    Really? Is that the same Government that lets tech companies get away with pretty much anything?

    > [ ...] total annihilation of its own citizens' rights

    Really. Your rights have been totally annihilated. I assume you are referring to the US.

    Can you travel freely? Can you write dumb shit like your latest Internet opus, without fear of consequences or reprisal from the Government? Can you vote? Can you form a political party? Can you run for office? Can the right to work be taken away from you? Is your religion - whichever that may be - being persecuted? Conversely, are you subject to persecution because you have no religious affiliation -- i.e. agnostic or atheist? Can you own a gun? Can you get married? Are you allowed to have children? If you have children, can they attend kindergarten, school, high school, college and get an education? Can you own property? Do you own property? Does the Secret Police knock your door down, with a ram, at 3AM, and take you and your family to an undisclosed location, in a white armored van marked Wedding Cakes?

    Exactly which rights are being totally annihilated?

    Nice agitprop piece.

    1. tim292stro

      Re: свобода - это рабство (Freedom is Slavery)

      For the record, I neither up nor down voted your comment. I'd rather talk about it.

      > [...] Really? Is that the same Government that lets tech companies get away with pretty much anything?

      Oh you mean those tech companies who are funding and heavily lobbying the government to continue to erode our power in order to protect themselves? Yeah, the tech companies are not much better IMHO. I definitely believe Google internally changed their legal definition of "evil" so they could keep the facade of "Don't be Evil" in their motto. Think Ajit Pai isn't talking to Comcast, or Verizon, or AT&T off the record? There's no way he could be saying the things he's said or doing what he's doing without being bought and sold - and no one in power is stopping him.

      > [...] Can you write dumb shit like your latest Internet opus, without fear of consequences or reprisal from the Government?

      Nope, no I can't. This is on the interwebs forever - and if I get arrested for anything later, a gung-ho prosecutor can probably find it and twist or partially redact my words to change the context to fit their narrative while sending me up for some viciously up-charged crime to make an example out of me. The phrase "has a history of rejecting authority" comes to mind "just look at this online post!" they'd say. I'd rather frame it as "questioning authority", but if I'm in court later I have to deal with "peers" like you who would likely eat up the prosecution's story... Because in my country, YOU are part of the government by voting and serving on a jury, and I'm already catching reprisals from you. ;-)

      > [...] Can you vote? Can you form a political party? Can you run for office?

      Yup can do all of those things - but the effectiveness of all those things has been reduced to insignificance. I vote in what is effectively a two party system, in a state that votes differently from me on balance. When I go to another place in my own country and it is learned where I am from, assumptions are made as to my political leanings. That, yes does have an effective impact on how I am treated. Sure I could form a political party, and it would be an absolute waste of time and money as even if I could throw billions of my own dollars at my newly formed party to attempt to compete with the two dominant parties, the campaign donation laws passed by the two parties make that illegal. I could run for office, but when you sign on as one of the two parties that is likely to win, you have to accept their backing to be nominated and that seems to come with strings attached which would compromise my integrity.

      > [...] Can the right to work be taken away from you? Is your religion - whichever that may be - being persecuted? Conversely, are you subject to persecution because you have no religious affiliation -- i.e. agnostic or atheist?

      I am agnostic, because I see religion created by man (neuter) for man (neuter), to be fallible though it is taught as infallible - thus I don't care about religion, not an atheist who needs to shove that logic down people's throats. That said, I don't live in China, and I'm not being murdered for my organs by a totalitarian state - so there's that.

      > [...] Can you own a gun?

      Where I live (California), they would like to tell me "No" and for no other reason than for them to FEEL safe. It scares the crap out of me that there are people in my Government that just want to do away with those pesky constitutional rights because they are afraid.

      > [...] Can you get married?

      If I was gay in certain areas of my country, you might be surprised to find that the answer would be "No".

      > [...] If you have children, can they attend kindergarten, school, high school, college and get an education?

      Try NOT sending your kids to school see what happens.

      > [...] Can you own property? Do you own property?

      Try not paying taxes on the things you own, to see if you really own them.

      > [...] Does the Secret Police knock your door down, with a ram, at 3AM, and take you and your family to an undisclosed location, in a white armored van marked Wedding Cakes?

      Typically the police don't make it a secret when they do things these days, because people are so desensitized to being roughed up, detained or searched without cause - that if the police came to my door at 3AM, the most that would happen is a neighbor yelling "Be Quiet!" to me while I'm kicking and screaming. Police are so "well trained" on what passes for "bomb components" that if you were to happen to have both a full gas can and a few spare road flares in the same garage (never mind not stored anywhere near each other!) they could "lawfully" detain you for running a bomb factory. Don't even let them near your household cleaners... and oh my gosh he has a soldering iron! Once a life is ruined by those actions, trust me it doesn't go back to normal, but everyone else forgets about it and moves on.

      So - in summary response to your claim that I'm an "internet crazy", I'd counter are you and I really as "free" as you'd believe? Now your moment of meditation and reflection. You offer measures for freedom, but have you noticed how constrained those definitions have become? Is your line in the sand something that can easily be walked around without crossing it? Are you even equipped to notice?

      1. Anonymous Coward
        Terminator

        Re: свобода - это рабство (Freedom is Slavery)

        > [ incoherent rant omitted ]

        You, Sir, are very confused.

  8. Anonymous Coward

    Focus

    Perhaps if they spent much less time spying on their own citizens, they may have seen this coming.

  9. Anonymous Coward
    Terminator

    Mutant malicious cyber nodes attacking US banks

    "Black Hat Cyber threats have evolved from being solely technical issues to core issues of government policy"

    Fighting cyber threats with political waffle isn't going to work.

    "an attack on civilian infrastructure such as a dam would be considered as warranting reprisals"

    No one but a cyber retard would connect a dam to the Internet. Apologies to any cyber retard that are going to down vote this :)

    "Painter .. struck a deal to get help from other countries in taking down nodes of a botnet that was attacking US banks"

    The solution is for Homeland Security to design their own botnets and supply them free-gratis to the cyber-market. Reason being that because DHS is so incompetent, the botnets are bound to fail. That and don't use a computer that can be so easily compromised by opening an email attachment or clicking on a malicious URL.

  10. Anonymous Coward

    Poor America

    Now their very own Cyber War Domain bites them !

    Or so Clinton claims. Most of it probably is just her desire to blame something external for her own wickedness. For example, nobody still discusses how she fixed the primary election, to the disadvantage of Sanders. ROOOSKIES !

  11. Nolveys
    Childcatcher

    Translations

    “Cyber is now seen as a core issue for defence policy, foreign policy and more… it’s not just a technical issue."

    Translation: We have the NSA, but we don't bother listening to them and they pretty much just do what they want. Plus, I can increase my political capital far better by building a completely new cash toilet.

    “Cyberspace is a new domain of war and all countries are involved in it,”

    Translation: I need to kind of pretend that I think this is important and that I give more than the atomic mass of one hydrogen atom's worth of a shit about this so I can get more tax money.

    “A lot of malign activity is occurring below the high threshold of what could be classified as an act of war,”

    Translation: We want unlimited scope in order to secure unlimited funding.

    “We’re doing a poor job at deterrence in cyberspace.

    Translation: We're doing a piss-poor job at pretty much everything at price points that are orders of magnitude higher than what other countries are doing even on a per-capita basis...and some of the other countries' shit actually kind of works.

    The credibility of response is OK but timeliness is a problem partly because of attribution.”

    Translation: ???

    “We didn’t see the Russian threat coming,”

    Translation: The vastness and utter totality of the extent to which we don't give a shit is well beyond the comprehension of even the greatest minds in the world.

    “We need to expand the tool set,”

    Translation: We need to pour additional billions into creating software weapons that will end up being hauled out the front door of whatever letter agency in a wheelbarrow and unceremoniously dumped in front of the main headquarters of National Kleptomaniacs Anonymous.

    “Tech people need to tell policy people about the next coming threat.”

    Translations:

    "Tech people": crony dipshits

    "tell policy people about the next coming threat": consume massive amounts of tax money and produce absolutely nothing of value whatsoever.

    1. amanfromMars 1 Silver badge

      Re: Translations

      I take it from that post, Nolveys, Chris Painter, former co-ordinator for cyber issues at the US State Department, did not impress you with his views.:-)

      Such is quite probably why he is pastured out to a speaking circuit/circus and a former co-ordinator for cyber issues at the US State Department?

  12. a_yank_lurker

    Feral Stupidity

    So the ferals are so stupid not to realize that their spying antics will be used against them. If you vaguely understand how computer networks work, everyone is vulnerable to the same types of attacks. But the part of vaguely understanding is too much of a stretch for these imbeciles.

  13. Anonymous Coward

    Lame Narratives

    It sounds as though this gentleman has been told to support the official spook narrative of the US election being hacked to put the great orange one in. The obvious question is how they let it happen, so this is the lame excuse.

  14. John Smith 19 Gold badge
    Unhappy

    1 word. STUXNET*

    The US lost any "moral high ground" it had with that project.

    BTW It seems Iran has shown an amazing degree of restraint in not counter attacking the US or Israel, despite what looks like the D's ongoing provocation.

    Let's see how his decision to move the US's Israeli embassy to Jerusalem works out.

    * Or "Olympic Games" as it may have been identified within the TLA's involved.

    1. Stevie

      Re: 1 word. STUXNET*

      According to one documentary I've seen, Iran has counter attacked, specifically the banking system.

      They backed away, again per that documentary, after demonstrating their muscles, which could be one reason the Obama Iran Deal was so quickly passed. Maybe not. Documentaries are not historical record, after all.

      Same documentary claimed that the original attack was by a third nation state - named as Israel - who broke a tech sharing agreement and infected the world with a cavalier release without consulting the US. The logic runs that the widespread and unintended infections blew the gaff and negated the whole point.

      Again, not history, documentary. I don't doubt that the truth is quite different.

  15. Eclectic Man Silver badge

    And “Tech people need to tell policy people about the next coming threat.” again

    And years ago when we were saying that a 'secure perimeter' was not enough and they should have internal segregation of networks they didn't listen until Melissa and the love bug came along.

    And then there were people (myself included) who warned about the vulnerability of essential services like power stations etc. to attack if they were networked, and nobody noticed until Ukraine's power grid collapsed under cyber-attack.

    So the question is - will 'policy people' listen to 'tech people' when we bring up the next big threat that will cost $oodles to fix but cost $squillions if exploited?

    (I suspect the answer is 'no'.)

    Happy Wineterval, everyone.

    1. amanfromMars 1 Silver badge

      Re: And “Tech people need to tell policy people about the next coming threat.” again

      And what do we know LOVE Application Networks, Eclectic Man? And the Sublime Internet Networking of Live Operational Virtual Environments? Viral Fact or Absolute Nonsense?

      And a Class Threat or Perfect Enough Treat for Virtual Realisation and Earthly Production and Presentation ‽ .

      Merry Christmas, everyone.

  16. Aodhhan

    A perfect example of how ignorant Hillary's State Department was.

    There is no doubt in my mind (due to where I worked) that the NSA, USSTRATCOM and a couple of other government letters reported to the State Department about the cyber threats from not just Russia but going back to the Soviet Union in the 80s.

    From 2007 through 2015 I know there are a variety of different cyber intel/threat reports directly addressed to the US State Department regarding activities from many unfriendly countries... including Russia. Some were provided for action for the Department to follow to increase information security, and some was provided due to OCO/DCO activities within various countries.

    What we noticed, is most of the time, the State Department didn't care or follow strictly cyber security guidance. This was noted many times in annual IA reports for State Dept. systems. This department would just accept or ignore many identified risks.

    So... if this guy thinks TECHIES aren't providing information to those setting and enforcing policy and procedures.. then he is just part of the system who ignored what is put together for them. I can point to many policies regarding cyber security from OPM to State Department regulations not to mention laws such as FISMA which have been in place for many years covering information security.

    So... this man is an ignorant fool to blame anything but himself for not knowing what is and has been in place for many years. Wait, he's not being ignorant, he's simply trying to make an excuse for how poorly the State Department followed guidelines, policy and laws regarding information security.

  17. oldrusty

    “We didn’t see the Russian threat coming”

    Erm, excuse me, but to which threat are you referring?

    It's never a good idea for America to feel threatened by anything, otherwise you know, T-bone rump and his chubby fingers go to town, signing legislation obviously in his own favour asking all his supporters to loan him money. The Russian threat must be all those Bankers at Alpha Bank and VEB Bank saying quite firmly "No!"

    You're talking about Bankers and Stock Brokers that know the only world view that America likes to paint is the one where the rays of golden sunshine flow down from Donald Trump, one day they'll realise it wasn't rays of light from the Sun but rather the flushing of a toilet and they were on the end of the sewage pipe!
