Monday, December 22, 2014

Limited Options

In response to North Korea's cyber-attack against Sony, the Obama Administration promised a "proportional response."  And it looks like that response is now underway.

According to the Washington Post and other media outlets, North Korea's limited internet infrastructure is currently experiencing "major outages," raising suspicions that the U.S. is retaliating for the attack on Sony.

Experts at Dyn Research tell the Post that Pyongyang may be getting a taste of its own medicine:

“I haven’t seen such a steady beat of routing instability and outages in KP before,” said Doug Madory, director of Internet analysis at Dyn Research. “Usually there are isolated blips, not continuous connectivity problems. I wouldn’t be surprised if they are absorbing some sort of attack presently.”

Depicted graphically, the widespread outages look something like this:


But before anyone takes a digital victory lap, it's worth remembering that this "attack" (regardless of the source) goes entirely unnoticed by most of North Korea's 25 million citizens.  That's because internet access is tightly controlled.  Only senior members of the military, the political elites and personnel assigned to DPRK cyber units are allowed on-line.  For more than 99% of North Korea's population, the internet is an alien concept--hardly surprising in a country where all media is controlled by the government, and does little more than sing the praises of Kim Jong-un's regime.

While the DPRK has clearly developed cyber-warfare skills, its use of the internet for commercial and social purposes remains extremely limited.  The New York Times reports the country has barely 1,000 known IP addresses and fewer than 50 websites; by comparison, there are billions of IP addresses in the U.S. alone.  So, today's interruption may be an inconvenience for Mr. Kim and his cohorts, but few others.

It's also unclear if the on-going DDoS (distributed denial of service) attacks have had any impact on North Korea's cyber-warfare units, which are based in Shenyang, China.  At one time, members of at least one cyber detachment, known as Bureau 121, were housed in Shenyang's Chilbosan Hotel, though it's unclear if the unit still operates from that location.  Some tech experts have reported that e-mails released as part of the recent Sony hack were placed on-line at the St. Regis Hotel in Bangkok.  A defector claims that DPRK cyber specialists operate in various locations around the world, enjoying privileges and luxuries that are unknown to most of their countrymen.

The apparent counterstrike against North Korea underscores the problems of going after an enemy with considerable cyber skills, but little on-line exposure.  The Obama Administration appears to be treading very carefully in this matter, trying to gain China's support, while preventing possible spillover into Beijing's digital networks.  Pyongyang depends on China for access to the internet, and many of those connections run through Beijing's state-run telecommunications company.

There are other issues as well.  Advanced viruses and other sophisticated forms of malware--designed for specific targets--can be copied by hackers and used to launch copycat attacks.  In other words, whatever was used to take down North Korea's limited internet connections could be used against us, though (based on early descriptions) it does not appear that today's attack was sophisticated; just a brute-force DDoS that caused Pyongyang's networks to crash.

By comparison, the Stuxnet virus used against Iranian nuclear facilities in 2011 (and widely attributed to the U.S. and Israel) was designed to go after specific computers and networks employing Siemens software that controlled centrifuges and other key components.  If the virus didn't find the Siemens program, it went dormant.  Stuxnet was reportedly inserted into Iranian computers via flash drives, illustrating the targeted nature of the attacks--and efforts to keep it off the internet.  Ultimately, those efforts failed; Stuxnet eventually made its way onto the web, providing a blueprint for the next generation of hackers.

Will Pyongyang respond?  The answer would seem to be "yes," but most countries want to avoid demonstrating the full range of their cyber capabilities.  So, a response by the DPRK may be delayed until Kim Jong-un decides if he wants to escalate the cyber conflict, and what his next target set will be.  Currently, there are no indications that North Korea has the ability to go after elements of our critical infrastructure, such as the power grid, though the acquisition of those skills may be just a matter of time.    

A better course of action, it might be argued, would be going after banks and other financial institutions that serve North Korean elites.  That tactic was used a decade ago, after Pyongyang walked away from nuclear talks.  Sanctions against a bank in Macau kept Kim Jong-il from paying his cronies and generals; the DPRK returned to the negotiations less than two months later.  However, a cyber attack of that type carries the risk of involving third parties (notably, China and Switzerland) and it could compromise valuable intelligence sources.

As with other issues in the realm of offensive cyber ops, there are complicated choices and few clear-cut options.  But as the Director of NSA noted last month, staying purely defensive is a "losing strategy."  On the other hand, revealing too much of your offensive skills can be counter-productive as well, since adversaries learn about capabilities and begin taking steps to counter-act them--and in some cases, upgrade their own cyber arsenal as well.

ADDENDUM:  Most of Pyongyang's internet capability was restored within nine hours, so the DDoS attack was of limited duration.


1 comment:

Anonymous said...

If the DDOS or whatever is hitting NK Party leaders, and not the general populace, I'd say that was good shooting.