From the AP version (h/t @tareqak) [0], "identification of anyone engaged in foreign state-sanctioned malicious cyber activity". Key phrase, state-sanctioned.
This has less to do with tracking down cybercriminals, and more with creating a case for foreign policy agenda.
Remember it was WMD informant "Curveball" testimony to then Secretary of State Powell, that was used as one of the key pretexts to invade Iraq.
Essentially if an administration comes with an agenda to start a new war, they put the right people inside the State Department and then those guys just need to comb for anything (validated or not) to find "informants" to make the case for cyber attack. Followed by making the case in media that cyber attack is military attack and it requires military retaliation.
This will bypass the entire US intelligence system to validate the source of threat. It just needs one person to claim they were involved in cyber attack against US and it was sponsored by the government of Iraq, Iran, Venezuela, or any other country we want to go after.
I highly recommend watching this portion of the town hall with former US Congressman Dennis Kucinich talking about how non disclosure rules prevented the Congress from speaking out against US State Department spreading false information to American public [1].
> Essentially if an administration comes with an agenda to start a new war, they put the right people inside the State Department and then those guys just need to comb for anything (validated or not) to find "informants" to make the case for cyber attack. Followed by making the case in media that cyber attack is military attack and it requires military retaliation.
> This will bypass the entire US intelligence system to validate the source of threat. It just needs one person to claim they were involved in cyber attack against US and it was sponsored by the government of Iraq, Iran, Venezuela, or any other country we want to go after.
That’s a very oversimplified odd narrative. Unlike Iraq and mysterious nuclear related material objects, cyber attacks are happening. And it’s quite evident US is lacking in this area. The US doesn’t need “one person” when there are clear signatures and traces that are substantiated not only by the US intelligence system but also by non-government entities.
Well sure, and just like in Iraq WMDs did actually exist at some point - the US sold some to Iraq - they were just destroyed.
The thing with cyberattacks is that they are even easier to misattribute. All it takes is for some country to use another country's tool, and then you've got actual evidence you can easily twist. That's how it works nowadays, you start with a kernel of truth or evidence, like the aluminium tubes in Iraq, and exaggerate wildly what suits your narrative. And it works, even to those that can know better.
My assertion was imprecise - the chemical weapons and the equipment to make them was technically bought from Italy, Germany and the UK, but the US arranged for their sale to Iraq to go through and gave advice to Iraq on how and where to use them.
I mean it's pretty commonly accepted at this point that Iraq was a US proxy for waging war in the Middle East (similar to the mujahideen against the Russians). I don't think it's too much of a stretch to arrive at the conclusion that the USA facilitated the sale of weapons of mass destruction (anthrax) to Iraq.
Even HN has torn a few of the analyses apart, e.g. when the auditors looked at Bezos' phone and claimed that a file from MBS might be malicious, HN called them out on the claims that it couldn't be decrypted:
Given that their entire analysis hinged on this one file being a malicious executable that couldn't be decrypted, well... suffice it to say I'm quite mistrustful of these things, especially when politics is involved.
The government should offer a similar reward for information on US corporations who run critical infrastructure, or hoard personal information on US citizens, and don't maintain proper security.
The payout should come from the company that has the vulnerability, not US taxpayers. So basically there needs to be a law that states that if you run critical infrastructure, or hoard personal information on US citizens then you are required to set aside X dollars to pay white hat hackers who find vulnerabilities.
Maybe turn it into something like a game of capture-the-flag? Anyone who stores sensitive information must also store a unique flag value which, if reported to the 'referee' by an external actor would constitute proof of a security breach and requisite payout.
Maybe the bar should be set to reasonable ongoing “effort”. It’s probably easier for a jury to judge at least an attempt equal to the stewardship of data they possess.
I think this could be a very effective countermeasure. It reduces trust between members of a crew, and between crews themselves. If you're constantly suspicious of Ivan the mail campaign guy ratting you out for a payday, it makes the whole business focus more on opsec and less on offense. Though sole operators can do plenty of damage on their own, they probably are less likely to be state-backed.
with known criminal background? That is my point - without State Department waiving such requirement and issuing GC/witness protection the Ivan would be easily reachable for FSB in any other country.
But wouldn't the methods needed to obtain that information generally carry a high risk of prosecution for illegal acts? I don't even want to go into specific chat rooms or browse the dark web for fear of being swept up in some overzealous prosecutor's net. Even if you're innocent it can cost thousands of dollars and years of your life to prove it.
Totally agree. Some shitty prosecutor will 1000% make some American's life miserable just to add a conviction to their belt. The risk is probably not worth the reward.
You'd think that, but no, not really. If you talk to a lawyer first and he registers what you're doing with the police first and you don't actually break the law, you'll be fine. Lots of bounty hunters and private investigators are in the same game. Going to the police saying "I want to earn this $10m reward by finding those horrid blokes and here is why I'm qualified" isn't going to completely blow their mind.
Most states require bounty hunters and private investigators to have a license.
Usually notifying the police is something they would do for physical situations. It could get tricky on the internet when dealing with jurisdiction. You would likely have to file something with the local police, state police, and DOJ/FBI/?. Honestly, the level of competence is not stellar. You could still be searched/raided/arrested and inconvenienced for days to years. Just look at how long Crosby was in prison with an all-star level legal team and protective agreement with the DA...
It might seem like a lot but it is not enough to betray the FSB, even if you defected/emigrated. Clearly they've demonstrated their capability to strike targets in other countries. $10M can't buy enough security or safety and who wants to look over their shoulder for the rest of their lives?
Wow. Wonder what Alan Einstein is advising the leadership on the effectiveness of this approach. You should work hard to minimize all of your taxes if this is how they are going to waste it.
I think that's a really, really bad idea if they're on Russian territory. Would create a precedent for the Russians (and other adversaries) to do the same to US citizens.
I agree that it probably would be a bad idea. That said, Russia executes state enemies on foreign territories already. And Vietnam kidnapped an asylum-seeker in Berlin in 2018. Another example is the recent kidnapping allegations against Iran (https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-a...).
The problem with Russian hackers is the law there doesn't give a damn, so they're untouchable.
Why not ignore the law then? Put a price on their heads and use the same Russian criminal elements to take them out. Do that a few times and the problem will magically vanish. Nobody will be willing to work for these gangs.
It also makes the Russian courts have to consider whether they'd rather handle this inside the law or deal with consequences of it happening outside the law.
This would normalize extraterritorial direct action on both sides. Yes, Russia assassinates people in the UK with nerve agents. But if the USA follows the suggestion you proposed above, Russia will respond with regular direct action on American soil to target people they're interested in.
Plus the USA has enough control over global financial systems and extraditions from third party countries that the US government can make life difficult for individuals if they ever want to travel outside of Russia, spend/store money outside of Russia, or buy things directly from companies that are outside of Russia.
USA can do these things without inviting potential assassinations within its borders.
Russia responding with direct action on American soil will play very poorly. I'm not convinced that, politically, they can do any such thing. They depend very heavily on motivating genuine Americans to do their direct action for them.
In a sense that's what this is. It's sort of going, Russian oligarchs are impossibly wealthy and can pay to do anything they like and run their government and are/are like the Russian mob?
Fine. The United States as a country is also impossibly wealthy, Texas alone is worth more than the country of Russia GDP-wise. Therefore, go on with your oligarch selves and you can just compete with the State Department, bribe against bribe, payoff against payoff. Have fun.
Seems clever and practical to me. If you're up against folks who can put a price on anything, outbid 'em and you're fighting with their weapons on their terms.
Why exactly do we have internet lines to enemy countries that we're at war with by proxy? We can block their routing with the flick of a switch. The harm done by countries we're at war with far outweighs the benefits.
Does it really outweigh the benefits? It automatically splinters the internet into regional little nets. All those things that are currently possible, because internet exists in its current form cease to work.
And what countries are we at war with? Please be specific. This is not a trick question.
[0] https://apnews.com/article/technology-joe-biden-europe-busin...
[1] https://youtu.be/s-W9b-_K_Xo?t=2433