Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
United States

Biden Tells Putin Certain Cyber-Attacks Should Be 'Off-Limits' (reuters.com) 209

U.S. President Joe Biden told Russian President Vladimir Putin on Wednesday that certain critical infrastructure should be "off-limits" to cyber-attacks, while the two leaders agreed in their summit to start cybersecurity talks. From a report: Biden said the list of organizations that should not be attacked includes the 16 sectors designated by the United States as critical infrastructure. The sectors, based on a description published by the U.S. Homeland Security Department, include telecommunications, healthcare, food and energy. "We agreed to task experts in both our countries to work on specific understandings about what is off-limits," Biden said. "We'll find out whether we have a cybersecurity arrangement that begins to bring some order." In a separate press conference, Putin said he agreed to "begin consultations" on cybersecurity issues. He also said that while the United States had requested information from Russia about recent cyber-attacks, Moscow had similarly asked for information about attacks he said were coming from the U.S. side and had not received a response.
This discussion has been archived. No new comments can be posted.

Biden Tells Putin Certain Cyber-Attacks Should Be 'Off-Limits'

Comments Filter:
  • WTF? (Score:4, Insightful)

    by Anonymous Coward on Wednesday June 16, 2021 @03:23PM (#61493954)

    He can't mean to say that the rest of us outside of those sectors are fair game for any sort of attack, surely?

    • Re:WTF? (Score:4, Insightful)

      by Arethan ( 223197 ) on Wednesday June 16, 2021 @03:39PM (#61494020) Journal

      I believe the point would be that cyber attacks on certain infrastructure is considered no different than sending boots on the ground to perform physical actions to have similar effect. There are a lot of facets to consider, like the targeted infrastructure should have already been hardened against cyber attack vectors (yet sadly often aren't), or quite simply should not be put on the Internet to begin with, and that it's difficult to prove or disprove if an attack was originated by a nationstate backed organization or was simply the local mob hoping to extort some easy money, but ultimately the crippling effect can be too great to just accept the current situation as the new normal. Instead, nations should expect to work together to prevent these sorts of actions. If your national security agencies can't identify and shut down the originating source on their own, then we expect you'll let us help you (ie United Nations). And to make things fair, I'd certainly hope the US would reciprocate that stance with other nations, should they show evidence of being attacked by sources from within the US (one can hope)

      • Re:WTF? (Score:5, Insightful)

        by rickb928 ( 945187 ) on Wednesday June 16, 2021 @03:43PM (#61494040) Homepage Journal

        Whereas, otherwise, attacks on mere commercial assets would not be like 'sending boots on the ground'. Not like availability of food, or clothing, fuel for heating your home, or any of a dozen other examples, would not be mistaken for an aggressive, offensive act.

        Any, ANY 'cyber attack' is an attack. None should be tolerated. None should be sanctioned. And none, certainly, by state-level actors.

        Good lord, we are in some trouble if that isn't obvious. Nations attacking nations is war. By other means, not bullets and bombs, no matter.

        • Re:WTF? (Score:5, Informative)

          by ShanghaiBill ( 739463 ) on Wednesday June 16, 2021 @04:05PM (#61494132)

          Any, ANY 'cyber attack' is an attack. None should be tolerated.

          Certainly. But there are different levels of response.

          1. The perp pays a fine.
          2. The perp goes to jail.
          3. Sanctions against the perp's home country.
          4. Retaliation in kind
          5. Disproportionate retaliation
          6 Military action.
          7. Nukes.

          What Biden is saying is that some types of attacks are moving from #2 to #3 or #4.

          • We've been past #2 for a while - individuals are being employed by states. We can move to #3 and #5 any time, it's time for punitive and deterrent responses.

            #4 isn't worth the trouble. Some of these recent, significantly escalated attacks, may be preparing the field for making #6 and #7 impotent or to appear disproportionate, and therefore unavailable.

            The very definition of asymmetric warfare, and very useful to our obvious adversaries.

          • by irving47 ( 73147 )

            I'm ready to see #5 at least once. AKA "The Chicago Way"

          • Putin already does #1-6 -- usually against political rivals or neighboring countries -- he's calls it Wednesday.

          • Gavrilo Princip (Score:3, Insightful)

            by Latent Heat ( 558884 )

            Mr. Biden seems given to the kind of naivetés of the Austrian government asking the Serbian Government essentially acceding to Austrian investigators "on the ground" in response to a certain Bosnian of Serbian extraction who shot dead the Austrian crown prince during a visit to Sarajevo.

            The Austrian claim that the ethnic Serb terrorists in Bosnia were getting "logistical support" from Serbia proper is probably true. Serbia of that day was probably like modern-day Pakistan, where you have a civilian

        • This x 1000.

          How does one even interpret this? "Oh hah hah Mr Biden. Certainly we can agree that small jests and cyber attacks on little targets is just in good fun between friendly rivals. Keep us both on our toes, yes?"

          How about if we're NOT enemies, we NOT attack each other. If we ARE enemies and we ARE attacking each other, let's just be open and honest about it and move forward.

        • by Arethan ( 223197 )

          I didn't go so far as to make the blanket statement that 'any cyber attack is intolerable', but I don't disagree with that statement either. Things get legally messy when crimes are committed by actors that aren't physically present within the nation where the event takes place - variances in local laws, etc. But overall, countries should basically be responsible for their own people, and nations around the world should expect some level of cooperation regarding bringing such criminals to justice.

          • Where the attackers are 'state-level' actors, the assumption is these are either sanctioned by the state, employed by the states, or have state resources available to them. Not all significant attacks are 'state-level', but those that are deserve a different response.

            And not all nations are 'responsible' for their citizens. The US, for instance. Those that can credibly claim such responsibility, they share in the fault. Let them share in the response.

          • Yes, a country should basically be responsible for their own people and nations should expect cooperation bringing criminals to justice, but it isn't always that simple.

        • by ceoyoyo ( 59147 )

          Cool. So somebody sends you a phishing e-mail that you suspect is from Russia. NUKE THEM NOW.

          Can't see that becoming a problem.

          • At least you're not an AC. Clearly we're not discussing phishing emails for low rent ransomware efforts. Your simple attempt to discredit the discussion is, however, noted.

            • by ceoyoyo ( 59147 )

              Any, ANY 'cyber attack' is an attack. None should be tolerated.

              Sucks when someone points out your rhetoric is ridiculous, hey? You even put quotes around "cyber attack" and shouted the second ANY for pete's sake. This is why they let the politicians rattle their sabres while the actual adults do the negotiating behind the scenes.

    • A meaningless distinction; I'm pretty sure the fire-bombings of Tokyo and Dresden are just as "legal" under international "law" as ever.

      Have we not supposedly got strategic nukes pointed at thousands of civilian targets as we speak?

      • by ceoyoyo ( 59147 )

        You might be sure, but you're also wrong. The Geneva conventions, among others, were enacted *because* of things like that.

        Pointing nukes at cities isn't illegal. Using them is, although the courts couldn't agree about whether using them in self defence is or not.

    • Re:WTF? (Score:4, Insightful)

      by Rick Schumann ( 4662797 ) on Wednesday June 16, 2021 @05:34PM (#61494450) Journal
      No, it's a very polite, diplomatic, iron-fist-in-velvet-glove way of saying "you're on notice, any of these get so much as breathed on by you, and you'll find out what a 900 pound gorilla the U.S. can be". It goes without saying that none of these attacks are considered in 'acceptable' in any way shape or form, it's just that attacks on critical infrastructure is a whole different ballgame entirely.
    • by hey! ( 33014 )

      In conventional warfare, certain targets are off the table. Things such as hospitals and civilian installations with no real impact on the war effort are off the table by what amounts to a mutual agreement. Forget international law, which in this case is more like international custom; nobody is enforcing international law but the parties themselves. Each side abides by these restrictions because it doesn't want those kinds of attacks reciprocated.

      While we aren't in a state of conventional war, Russia is

  • by dmay34 ( 6770232 ) on Wednesday June 16, 2021 @03:28PM (#61493972)

    If some things are explicitly "off limits" doesn't that mean that everything else is explicitly "far game". Like, sure, my company isn't critical infrastructure like a power plant or a hospital. Is Biden saying "sure hack into and cause problems for these kinds of companies."

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Wednesday June 16, 2021 @03:37PM (#61494010)
      Comment removed based on user account deletion
      • by DarkOx ( 621550 )

        Except after all the breaches in the last decade - we all know Putin better than anyone that "red line" is bullshit. Biden won't escalate over a cyber attack.

        The very very most he might do is retaliate with another cyber attack. Which by the way Putin would - LOVE - recall Russia has been reading itself for Internet isolation. Putin would enjoy a political excuse to pull the trigger on that. It might hurt his economy some but isolating most of Russia from the rest of the internet would do a lot cement HIS p

        • Which by the way Putin would - LOVE - recall Russia has been reading itself for Internet isolation. Putin would enjoy a political excuse to pull the trigger on that. It might hurt his economy some but isolating most of Russia from the rest of the internet would do a lot cement HIS power at least if he had the USA to blame.

          I wonder sometimes if isolating ourselves from most of the internet would do the bulk of us a world of good. Don't get me wrong... I've learned another language and about Natalie and the grits caliente on these here interWebz, but to be authentic, these magnificent tools of edification have been corrupted by the governors and the conspiracy weavers to the point of no redemption.

          Putin is not to be dealt with, neither by Joe a shadow of himself Biden nor Donald the dealmaker Trump, since it's clear on the ord

      • It's more like, "If you attack these targets, this will escalate and we will use government measures to intervene."

        How many hospitals? How many city and state government systems? How many hacks have occurred in the past where they actually escalated?

        I'll believe that bullshit when it happens. No, not slap-on-the-wrist happens. Actual escalation-and-intervention happens.

        ...It's more of drawing a line in a sand and saying you sure you want to do that? We can do that one back..

        Don't be so certain. Other countries, may have actually learned from the obvious mistakes of some, and taken their critical infrastructure security to a new level. Or better yet, offline.

      • by AmiMoJo ( 196126 )

        With conventional weapons it would just be a normal arms race, with each side wanting to make sure it can strike back equally. With cyber there is the additional problem of attributing where attacks are from. We have already seen lots of false flag ops, inserting snippets of Korean into Russian malware etc.

    • Comment removed based on user account deletion
      • by k6mfw ( 1182893 )

        P.S It's like how countries might have troops go to war and fight, but if someone whips out biological weapons or nuclear weapons shit is going to hit the fan.

        I wonder if these cyberattacks begin to affect the top political and business leadership then we will see some real action. Either serious counterattack, or effective security measures of letting knowledgable IT people do what they need to do, or not connect critical systems to the internet. Sending troops to battle doesn't effect the upper class (it's someone elses children that has to fight or it can be done remotely) but a nuclear or a biological strike will affect top leadership. So they avoid it.

        • That's already what happened. Even attacking hospitals in the peak of the pandemic didn't generate the attention the pipeline attacks did, and now suddenly the FBI can get ransom money back. Probably had the NSA step in for the so very important oil companies. Then Congress is immediately on top of it.
    • If some things are explicitly "off limits" doesn't that mean that everything else is explicitly "far game".

      Tell that to the APT group who just got handed the "off limits" too-much-heat list.

      Funny thing about criminals. They don't often play "fair".

    • by Macdude ( 23507 )

      If some things are explicitly "off limits" doesn't that mean that everything else is explicitly "far game".

      Yes. That's the basis of the phrase "The exception that proves the rule". By specifying these 16 sectors are "off-limits" means the rule is that everything else is on-limits. It's like a no parking zone, a sign specifying an area as "no parking" demonstrates that parking is allowed outside of that area.

      • by Ly4 ( 2353328 )

        So, if there's a no-parking sign on one side of the street, does that mean I can park in the middle of the street? Or in front of a driveway? Or on my neighbor's yard? Or in their living room?

        The answer to each of these is no, of course. The lack of an explicit sign just means that other rules apply.

    • But the media isn't going to phrase it like that so that they'll get a bunch of hate clicks. I fully expect this thread to get at least comments, whereas these days an actual tech thread on slashdot is lucky to get 20.

      And it worked too you commented right? So did I. We're just dancing to there tune.
    • If some things are explicitly "off limits" doesn't that mean that everything else is explicitly "far game". Like, sure, my company isn't critical infrastructure like a power plant or a hospital. Is Biden saying "sure hack into and cause problems for these kinds of companies."

      Yes it's just like if you see a no trespassing sign on a tree, that's an open invitation to walk to the next lot and piss and shit all over everything, fair game, because the game is to try to be total fucking dicks to each other always. God damn Biden, what was he thinking, he should have told Putin to don't do all the bad things.

      Another total failure of diplomacy, so I guess if you've been harmed online you'll have to appeal to the Digital and Internet Court in The Hague. If you can prove Internet Law h

    • Yes, it's called "the exception proves the rule". A philosophical concept, like "begging the question", that goes over most people's* heads .

      * (c) DJ Trump

  • All attacks ... (Score:4, Insightful)

    by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Wednesday June 16, 2021 @03:28PM (#61493974) Homepage

    should be off limits. What would they say that it was damaging physical assets ? Is it OK to throw bombs at some targets in other countries but some places should be off limits ? What are these guys smoking ?

    • Re:All attacks ... (Score:5, Informative)

      by geekmux ( 1040042 ) on Wednesday June 16, 2021 @04:08PM (#61494140)

      Is it OK to throw bombs at some targets in other countries but some places should be off limits? What are these guys smoking ?

      The Geneva Convention.

      Unroll that history book blunt of yours and learn a thing or two.

      • Not quite accurate. Yes the GC says what targets are OK in war...but in theory we're not at war with Russia.

        The Geneva Convention doesn't say that killing soldiers with bullets or bombing a military caravan AREN'T war...they just lay out that they're reasonable acts to perform in war.

        Realistically what Biden and Putin seem to be doing here, as nuts as it sounds, is essentially adding cyberattack guard rails to the rules of war.

        "Hey, we know you're attacking us...just not with bullets and bombs. So how about

        • Not quite accurate. Yes the GC says what targets are OK in war...but in theory we're not at war with Russia.

          The Geneva Convention doesn't say that killing soldiers with bullets or bombing a military caravan AREN'T war...they just lay out that they're reasonable acts to perform in war.

          There is another entire side to that coin. I was more addressing what targets are NOT OK in war.

          "The Geneva Conventions...established protections for the wounded and sick, and provided protections for the civilians in and around a war-zone."

          Realistically what Biden and Putin seem to be doing here, as nuts as it sounds, is essentially adding cyberattack guard rails to the rules of war.

          "Hey, we know you're attacking us...just not with bullets and bombs. So how about we agree that we can keep fighting, you just don't turn off our citizen's access to water and electricity."

          Realistically, all of this is theater for largely the fine print you identified. We purposely do not declare war anymore. They're merely "conflicts". And it's no mere theory as to why that is. Allows all manner of former rules of wartime "civility" to be essentially ignored, along with any rational justification to call to end it.

          "The last time the United States Congress met its constitutional mandate officially to declare war by deliberating and voting for the record to engage members of the U.S. military, each of whom takes an oath to protect and defend the U.S. Constitution, was 76 years ago, in 1942."

          And the problem with defining "critical" infrastructure, is kind of like the p

        • Dang that's genius. Don't declare war and you can do whatever you want.

          • yay police actions

          • Dang that's genius. Don't declare war and you can do whatever you want.

            Yes. In fact, it's become tradition now (written in 2018, but nothing has changed since):

            "The last time the United States Congress met its constitutional mandate officially to declare war by deliberating and voting for the record to engage members of the U.S. military, each of whom takes an oath to protect and defend the U.S. Constitution, was 76 years ago, in 1942."

  • The problem is (Score:5, Insightful)

    by Snotnose ( 212196 ) on Wednesday June 16, 2021 @03:29PM (#61493978)
    Russia doesn't have the tech to put their water plants, pipelines, energy distribution, etc, online. So we go to attack them and, um, there's nothing there.

    It's not like readers of the risks digest back in the 80s weren't warning of these things. The company could goose their quarterly earnings by 0.025%? Who needs a firewall. While we're at it, lets fire, um, lay off that sticky wheel that thinks he's getting some grease.
    • Re:The problem is (Score:5, Interesting)

      by FudRucker ( 866063 ) on Wednesday June 16, 2021 @04:07PM (#61494138)
      more likely Russia is not stupid enough to put critical networking online for any drive by hacker to discover and start worming their way into it, the cost of ramsomware far outweighs the cost of hiring a few employees to manage the system at the locale
    • Russia doesn't need to have the tech you are talking about for cyberattacks to be successful. Just look the Colonial Pipeline hack. Everyone was running out of gas because they hacked the billing system. I'm pretty sure Russians can do computerized billing....

  • Disconnect NOW! (Score:5, Interesting)

    by bjwest ( 14070 ) on Wednesday June 16, 2021 @03:37PM (#61494008)
    How about we take our critical infrastructure off the damn globally accessible internet AND hold the board and *EO's of these corporations accountable monetarily for their piss-poor security?
    • Re:Disconnect NOW! (Score:5, Insightful)

      by geekmux ( 1040042 ) on Wednesday June 16, 2021 @04:16PM (#61494164)

      How about we take our critical infrastructure off the damn globally accessible internet AND hold the board and *EO's of these corporations accountable monetarily for their piss-poor security?

      That, should now be the responsibility of the organization who just called for certain critical infrastructure to be off limits.

      Force all of them into Federal NIST compliance, prepare them for CMMC Level 4 or higher, and prioritize their compliance audits.

      And do it now. Don't allow government or private companies to corruptly treat compliance like the southern border.

      Anything less than that? They really don't want to fix this problem.

    • by AmiMoJo ( 196126 )

      It's all commercial considerations. I'm tangentially involved in a critical safety system for nuclear power plants in the UK the owner, EDF, is arguing in court today that they don't need it. "Too expensive, chances of things going wrong very low, we have deep pockets and will take it to the High Court if you persist."

      Not putting stuff on the internet has a cost. It requires someone to be paid to be on-site to monitor stuff. It's cheaper to pay a consultant to say it can be done securely over the internet.

  • You don't vaguely tell Putin they're off limits and expect him to understand that to you cyberconflict is like a game of "mother may I?"

    You tell him that attacks on critical infrastructure that leave them damaged or non functional for purpose - WHATEVER method, whether they are terrorists attaching bombs, or cyberwarriors in St Petersburg wrecking equipment via the interwebs - will be treated with identical seriousness and will be responded to with equal severity and the mode of our choosing.
    And yes, to be

  • Sure, non-stop attacks are a pain in the arse, however it forces everyone to be on their toes & keep their networks secure. It's far better coping with the stress of getting your ship in order during peacetime than wartime.

    The alternative is getting caught with your pants down in the middle of a war and being sent back to the technological stone age whilst staring down the barrel of a gun.

  • by macsimcon ( 682390 ) on Wednesday June 16, 2021 @03:42PM (#61494032)

    When will the lesson be learned? You cannot negotiate with psychopaths or sociopaths, they only respect force. It's like Democrats thinking Republicans will agree to a voting rights bill: WHY would Republicans give up their advantage? They know that they're more likely to win if fewer people vote.

    Similarly, Putin knows that our infrastructure is more exposed than Russia's, because we are a more open society, and there is a much larger attack surface. We need a strong President to deal with Putin, not President Milquetoast Joe. For instance, a strong President could threaten to accept more of Russia's neighbors into NATO, or further arm those which are already members. A strong President could threaten to release the U.S. strategic oil reserve and cause the price of oil to plummet. While this would hurt the U.S. economy as the world's largest oil producer, it would hurt Russia much more, as oil is the primary export supporting Russia's economy.

    • "For instance, a strong President could threaten to accept more of Russia's neighbors into NATO, or further arm those which are already members."

      First of all, one doesn't make threats in such a situation, least of all public threats. If the US President wanted to apply this kind of pressure, the thing would be to work on including more neighboring countries into NATO along with arming them. You don't threaten this, you just do it.

      As to doing such a thing, such would only strengthen Mr. Putin politica

      • The US does not have an informed electorate as everything in this /. thread demonstrates.
        It only has a cheerleading press with an electorate which loves be cheer-led with the daily red meat and has no motivation to find out what is really going on.

        The power relation between the US and the world is not between some benign leader and zombie enemies envious of its beauty, it's between a domineering bully with more power than the rest combined , and its vassals, and other players who want a degree of independen

    • For instance, a strong President could threaten to accept more of Russia's neighbors into NATO, or further arm those which are already members

      If you actually paid attention to world events, you'd remember that we just took additional steps towards Ukraine entering NATO, and we also shipped them a bunch of weapons to use against the Russians "vacationing" in the Eastern part of the country.

      A strong President could threaten to release the U.S. strategic oil reserve and cause the price of oil to plummet. While this would hurt the U.S. economy as the world's largest oil producer, it would hurt Russia much more, as oil is the primary export supporting Russia's economy.

      Russia exports most of that oil to Europe via pipelines. Oil from other sources would have to be shipped, making it more expensive. Which means this won't have nearly as large an effect as you seem to think.

  • by Murdoch5 ( 1563847 ) on Wednesday June 16, 2021 @03:43PM (#61494038) Homepage
    Instead of saying don't hack, how about we improve the security / protocols.
    • How about we retaliate?

      • What good would that do? Launching an attack in response to an attack only fosters more attacks. This should be a wake up call that we're not doing enough to secure what's critical.

        An example I use all the time is: "How many people encrypt and digitally sign their email?". This simple act takes email from a laughable bad way to communicate through to a validated system of checks to be mathematically sure who you're talking with.
    • by Jerrry ( 43027 )

      If these systems are critical to our infrastructure, why are they on the fucking global Internet?

  • translation: (Score:4, Insightful)

    by Anonymouse Cowtard ( 6211666 ) on Wednesday June 16, 2021 @03:45PM (#61494054) Homepage
    You're hacking our stuff. We know you're hacking our stuff. You know that we know that you're hacking our stuff. Now please do it more nicely.
  • Biden said the list of organizations that should not be attacked includes the 16 sectors designated by the United States as critical infrastructure.

    Are child care workers protected? I understand they are critical infrastructure...

  • every ransomware attack coming from Russia will have to be paid by the Russian Government or we cut Russia off from the IANA Root Domain Name servers,
  • Who's going to break the news to President Biden that son Hunter's laptop wasn't hacked by Russians?
  • read exactly what was on his cue cards. What is really amazing is that Putin and the rest of the world leaders are not walking around and laughing at President Biden and America in public. Oh Wait?
  • Some things are permissible in conventional war
    BUT
    modern "hybrid/limnal" war needs legal controls too!

    War is different today so lawfare should adapt.

  • Keeping us safe (Score:2, Interesting)

    by biggaijin ( 126513 )

    The best way to keep the country safe is to give one of our prime enemies a list of our most vulnerable targets and ask that he stay away from them? I suspect this is not the best idea.

  • Maybe it's the little cyber attacks that would save us from the big one.

    If they find a way to disrupt a small power grid and use it then at least we know to make the other power grids proof against it. Not that we would of course !

  • by oldgraybeard ( 2939809 ) on Wednesday June 16, 2021 @07:44PM (#61494812)
    of crimes(not to commit) to a despotic murdering dictator.
  • "U.S. President Joe Biden told Russian President Vladimir Putin on Wednesday that certain critical infrastructure should be 'off-limits' to cyber-attacks"

    This statement is a pretty clear admission that in the cyber-warfare arena, the United States is taking a Grade A rogering from Russia's hackers. You don't vote to make choke holds illegal when you've got your opponent locked up in one.

    • It's more that the US approach is to not burn assets until they are needed. Whereas the Russian approach is to get money while you can.

  • Yeah, sure, Trump was Putin's buddy ... okay. If you say so.

    • I'm still trying to figure out how a pipeline between the US and Canada is an unacceptable threat to the environment but one from Russia to Germany is just fine.

      It's like he has everything backwards. He had the leverage to extract concessions from Russia, but gave it away BEFORE any talks began! Did he think that Putin would be so happy about getting what he wanted that he would return the favor (which is how liberals approach international relations)? If so, he's an idiot. The only alternative expla

  • Comment removed based on user account deletion
  • Anyone here who thinks that Putin is at all afraid of Biden or America's response under his "leadership", please post contact information, because I have a wonderful business opportunity for you regarding a large bridge for sale.

    Good thing America is safe from Trump's mean tweets, because it isn't safer from anything else with Biden.

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...