
How Russia Recruited Elite Hackers - saycheese
http://mobile.nytimes.com/2016/12/29/world/europe/how-russia-recruited-elite-hackers-for-its-cyberwar.html
======
linkregister
This was an informative article and not filled with hysteria. I thought it was
strange that the convict chose to go to prison rather than work for the FSB;
it seems irrational to make that choice. Maybe it's hard to stop working for
the FSB; can someone add context?

I see Russian computer network exploitation talent being recruited with far
better methods than in the U.S., which is hamstrung by strict security
clearance requirements, such as criminal records and drug abuse.

From what I speculate from the article, the Russian FSB and GRU manage to use
the risky hires by using government contractors as intermediaries, and there
compartmentalize information to a degree that the risky hires only know about
the operation they perform. It appears that these hackers have a lot of
latitude in their operations.

To contrast this with the U.S. model, the only way a person who isn't eligible
for clearance to help is to sell their exploit to a broker and the DoD/CIA/FBI
eventually buy it. This means only exploit developers even have the
opportunity. Computer crime ex-convicts have to join a consultancy for
business clients instead, despite having a good skill set.

------
hackuser
As the article says, every country's security services need to deal with IT
security and need skilled professionals to do it, so everyone recruits. They
all recruit naval engineers too.

The Russian gov't reputedly recruiting criminals is a story, but only a small
part of this one. The Russian government's aggressive recruiting tactics are
somewhat of a story, but probably not specific to this segment of the labor
market.

~~~
gph
I think the article would have been more interesting if it probed into why
Russia so far appears to be winning at both recruiting talent and utilizing
that talent.

If Arab Spring is the type of offensive cyberthreat that the U.S. has created,
it doesn't seem nearly as effective as the fake hacktivist cyberthreat that
Russia has established. But maybe that's just because I have an overly US-
centric view.

~~~
linkregister
I appreciated the limited scope of this article.

As far as winning the talent wars, I'm not sure if that is what is happening.
(Russia has been making use of its talent to fantastic success, however!)
Russian efforts have been bolder and focused on political and military
objectives. U.S. efforts so far have been for intelligence gathering and the
"Stuxnet" Iranian centrifuge sabotage.

The recent email phishing hacks required very little technical talent. More
impressive Russian activities would be government and corporate network
intrusions, which are not detected frequently. That is probably the best
comparison with most of U.S. computer network exploitation activity.

Involvement in the Arab Spring didn't involve an offensive cyber threat; I'm
not sure what you mean. Maybe some NGOs that were CIA-funded were behind some
of the Twitter and Facebook posts (I haven't come across any compelling
evidence to suggest they were, but I will allow for the possibility), but I
wouldn't consider that an offensive cyber threat.

~~~
gph
[http://drshem.com/2012/11/15/cyberwarfare-and-hacktivism-
in-...](http://drshem.com/2012/11/15/cyberwarfare-and-hacktivism-in-the-
middle-east/)

I guess the Arab Spring hacktivism didn't really amount to much, and the links
to the U.S. on it are extremely tenuous, so I probably shouldn't have even
mentioned it.

But if those attempts were backed in some way by the U.S., they were
definitely a pathetic attempt compared to what Russia has been doing.

That said, you are likely right about America having the capability, but up to
this point simply haven't had the desire or boldness to go as far as the
Russians. Will be interesting to see if we do sink to their level, probably be
a whole lot of leaked emails and internal memos if so.

------
adamnemecek
I wonder about the skill levels of the people working for these organizations.
On some level it's still a government job and I can't imagine the govt to be
able to attract the best of the best.

~~~
otoburb
Note that the cyber warfare programs mentioned in the article seem to be
military programs, so a better comparison would be comparing skill levels of
people working in comparable elite branches of the military.

The existence of highly trained and highly skilled special forces units in
various forms (e.g. GRU Spetsnaz[1]) in various countries implies that with
enough political willpower and funding the skill levels of at least a small
subset of people working for these organizations should be somewhat
formidable.

[1]
[https://en.wikipedia.org/wiki/Spetsnaz_GRU](https://en.wikipedia.org/wiki/Spetsnaz_GRU)

~~~
adamnemecek
What's the market rate for a guy in spetznaz? I don't think he has one.

~~~
linkregister
It's kind of a non-sequitur to compare a great software developer or
vulnerability researcher to Spetznaz.

A guy in Spetznaz has a high market value to private military companies.
Companies like Blackwater/XE and Triple Canopy hire ex-special forces
operators to perform private security and military advisor services.

