
Authors: Richard A. Clarke, Robert K. Knake


Cyber War: The Next Threat to National Security and What to Do About It

Each of those zombie computers was flooding these sites with requests to see their pages in another distributed denial of service attack. The U.S. websites were hit with as many as 1 million requests per second, choking the servers. The Treasury, Secret Service, Federal Trade Commission, and Department of Transportation web servers were all brought down at some point between July 4 and July 9. The NASDAQ, New York Mercantile, and New York Stock Exchange sites were also hit, as was the Washington Post. The DDOS aimed at the White House failed, however. To prevent the first DDOS attack against the White House in 1999, I had arranged with a company known as Akamai to route traffic seeking the White House website to the nearest of over 20,000 servers scattered around the world. When the Korean attack hit in 2009, the DDOS went to the White House servers nearest the source of the attacker. Thus, only sites hosting the White House website in Asia had trouble. White House spokesperson Nick Shapiro apologized in a halfhearted way to any web surfers in Asia who might not have been able to get onto the White House site. Then the second and third waves hit.

Another 30,000 to 60,000 computers infected with a different variant of the virus were told to target a dozen or more South Korean government sites, Korean banks, and a South Korean Internet security company on July 9. The attackers were apparently convinced that the attacks on U.S. sites were no longer going to be effective after the government and major corporations began working with Internet service providers (ISPs) to filter out the attacks. At 6:00 p.m. Korea time on July 10, the final assault began. The now estimated 166,000 computers in seventy-four countries started flooding the sites of Korean banks and government agencies.

Ultimately, the damage was contained. The attack did not attempt to gain control of any government systems, nor did it disrupt any essential services. But it was likely only meant as a shot across the bow. What we do know is that there was an agenda and motivation for the attack. This was not a worm simply released into the wilds of the Internet and allowed to propagate. Someone controlled and directed the attack and modified its target list to focus on the more vulnerable Korean sites.

The U.S. government has yet to directly attribute the attack to North Korea, though South Korea has not been shy about doing so. The timing of the attacks does suggest the North Korean regime is the prime suspect, but definite attribution is difficult. The infected computers attempted to contact one of eight “command and control servers” every three minutes. These servers sent instructions back to the infected zombie computers, telling them which websites to attack. The eight masters were in South Korea, the United States, Germany, Austria, and, interestingly, Georgia (the country).
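The beaconing pattern described above (every infected host polling one of a handful of controllers on a fixed three-minute schedule) is exactly what a defender can look for in outbound connection logs. The following script is an added illustration, not code from the book or from any analysis of the 2009 incident. It parses constructed connection records, computes the inter-connection intervals for each source/destination pair, flags pairs whose intervals are regular enough to look like a timer rather than a person, and then groups the flagged sources by destination, since a command-and-control server shows up as one address polled on the same schedule by many internal hosts. The log lines, IP addresses, and the jitter and event-count thresholds are all assumptions made for the example.

```python
"""Beacon detection over outbound connection logs.

Added example (not from the book). The 2009 attack had infected hosts
contacting one of eight command-and-control servers every three minutes;
this script shows how that cadence stands out in connection logs. The log
lines below are constructed for the example and the addresses are
documentation-range placeholders, not addresses from the incident.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp src dst", one outbound connection per line.
# 10.0.0.5 and 10.0.0.9 poll 203.0.113.10 roughly every 180 seconds;
# 10.0.0.7 browses normally (irregular gaps to several destinations).
SAMPLE_LOG = """\
2009-07-07T10:00:02 10.0.0.5 203.0.113.10
2009-07-07T10:03:01 10.0.0.5 203.0.113.10
2009-07-07T10:06:04 10.0.0.5 203.0.113.10
2009-07-07T10:09:00 10.0.0.5 203.0.113.10
2009-07-07T10:12:03 10.0.0.5 203.0.113.10
2009-07-07T10:00:40 10.0.0.9 203.0.113.10
2009-07-07T10:03:39 10.0.0.9 203.0.113.10
2009-07-07T10:06:42 10.0.0.9 203.0.113.10
2009-07-07T10:09:41 10.0.0.9 203.0.113.10
2009-07-07T10:12:40 10.0.0.9 203.0.113.10
2009-07-07T10:00:15 10.0.0.7 198.51.100.20
2009-07-07T10:00:47 10.0.0.7 198.51.100.21
2009-07-07T10:05:12 10.0.0.7 198.51.100.20
2009-07-07T10:11:58 10.0.0.7 198.51.100.22
2009-07-07T10:12:03 10.0.0.7 198.51.100.20
2009-07-07T10:12:30 10.0.0.7 198.51.100.20
"""


def parse_log(text):
    """Return {(src, dst): [datetime, ...]} with timestamps sorted per pair."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return {pair: sorted(times) for pair, times in conns.items()}


def find_beacons(conns, min_events=4, max_jitter=0.10):
    """Flag (src, dst) pairs whose inter-connection gaps are regular.

    A pair is reported when it has at least `min_events` connections and the
    coefficient of variation (stdev / mean) of its gaps is below `max_jitter`.
    Both thresholds are tuning assumptions; malware that randomises its sleep
    interval needs a looser jitter bound and a longer observation window.
    Returns {(src, dst): mean_gap_seconds}.
    """
    beacons = {}
    for pair, times in conns.items():
        if len(times) < min_events:
            continue
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons[pair] = avg
    return beacons


def shared_controllers(beacons, min_hosts=2):
    """Group beaconing sources by destination.

    One destination polled on a common schedule by several internal hosts is
    a stronger C2 indicator than any single beaconing host on its own.
    Returns {dst: [(src, mean_gap_seconds), ...]} for destinations with at
    least `min_hosts` beaconing sources.
    """
    by_dst = defaultdict(list)
    for (src, dst), period in beacons.items():
        by_dst[dst].append((src, period))
    return {dst: sorted(hosts) for dst, hosts in by_dst.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    found = find_beacons(parse_log(SAMPLE_LOG))
    for (src, dst), period in sorted(found.items()):
        print(f"{src} -> {dst}: connects every ~{period:.0f}s")
    for dst, hosts in shared_controllers(found).items():
        print(f"candidate C2 {dst}: {len(hosts)} hosts on a common schedule")
```

On the constructed sample this reports the two hosts polling 203.0.113.10 at about 180 seconds and singles that address out as a shared controller, while the ordinary browsing host is not flagged because its gaps vary too much. In practice the same logic runs over proxy, NetFlow, or firewall logs, and the interesting output is the short list of destinations many hosts beacon to, which is what let responders identify the eight controllers in the incident described above.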

The Korea Communications Commission has endorsed the judgment of a Vietnamese firm, Bach Khoa Internetwork Security (BKIS), that these eight servers were controlled from a server in Brighton, England. From there, the trail goes cold, though it does not look like the mastermind behind the attack was sitting in front of a keyboard near the beach in Brighton. South Korea’s National Intelligence Service (NIS) suspects that a North Korean military research institute set up to destroy South Korea’s communications infrastructure was involved. The NIS said in a statement following the attack that it had evidence that pointed to North Korea.

The NIS maintains that the North Korean hacker unit, known as Lab 110, or the “technology reconnaissance team,” was ordered to prepare a plan for cyber attack on June 7. That order directed the unit to “destroy the South Korean puppet communications networks in an instant,” following the decision by the South Koreans to participate in Exercise Cyber Storm. The North called the exercise “an intolerable provocation as it revealed ambition to invade the DPRK.”

South Korea is now preparing for all-out cyber war with the North. Just before the attacks began, South Korea had announced plans for establishing a cyber warfare command by 2012. After the attacks, it sped up the timeline to January 2010. What the South’s new cyber warfare command will do the next time the North attacks in cyberspace is unclear.

If North Korea attacks in cyberspace again, options for responding are relatively limited. Sanctions cannot be made much tighter. Suspended food aid cannot be suspended further. Any military action in retaliation is out of the question. The 23 million residents of metropolitan Seoul live within range of North Korea’s artillery pieces, set along the demilitarized zone in what military planners refer to as “the kill box.”

There is also little possibility of responding in kind, since North Korea has little for either U.S. or South Korean cyber warriors to attack. In 2002, Donald Rumsfeld and other Bush Administration officials advocated the invasion of Iraq because Afghanistan was not a “target rich” environment, with not enough military hardware, bases, or major infrastructure for the U.S. to blow up. North Korea is the cyber equivalent of Afghanistan.

Nightearth.com compiled satellite photos of the planet at night taken from space. Its composite map shows a well-lit planet. South Korea looks like a bright island separated from China and Japan by the sea. What looks like the sea, the Korean peninsula north of Seoul, is almost completely dark. North Korea barely has an electric grid. Fewer than 20,000 of North Korea’s 23 million citizens have cell phones. Radios and TVs are hardwired to tune only into official government channels. And as far as the Internet is concerned, the New York Times’s judgment from 2006 that North Korea is a “black hole” still stands. The Economist described the country as “almost as cut off from the virtual world as it is from the real one.” North Korea operates about thirty websites for external communication with the rest of the world, mostly to spread propaganda about its neighbor to the south. A handful of Western hotels are permitted satellite access, and North Korea does run a limited internal network for a few lucky citizens who can go to the Dear One’s website, but almost nowhere else.

While North Korea may not have invested much in developing an Internet infrastructure, it has invested in taking down the infrastructure in other countries. Unit 110, the unit suspected of carrying out the July cyber attacks, is only one of North Korea’s four cyber warfare units. The Korean People’s Army (KPA) Joint Chiefs Cyber Warfare Unit 121 has over 600 hackers. The Enemy Secret Department Cyber Psychological Warfare Unit 204 has 100 hackers and specializes in cyber elements of information warfare. The Central Party’s Investigations Department Unit 35 is a smaller but highly capable cyber unit with both internal security functions and external offensive cyber capabilities. Unit 121 is by far the largest and, according to one former hacker who defected in 2004, the best trained. The unit specializes in disabling South Korea’s military command, control, and communications networks. It has elements stationed in China because the Internet connections in North Korea are so few and so easily identified. Whether the Beijing government knows the full extent of the North Korean presence and activity is unclear, but few things escape China’s secret police, particularly on the Internet. One North Korean cyber war unit is reportedly located at the Shanghai Hotel in the Chinese town of Dandong, on the North Korean border. Four floors are allegedly rented out to Unit 110 agents. Another unit is in the town of Sunyang, where North Korean agents have reportedly rented out several floors in the Myohyang Hotel. Agents have apparently been spotted moving fiber-optic cables and state-of-the-art computer network equipment into these properties. All told, North Korea may have from 600 to 1,000 KPA cyber warfare agents acting in cells in the PRC, under a commander with the rank of Lieutenant Colonel. North Korea selects elite students at the elementary-school level to be groomed as future hackers. These students are trained on programming and computer hardware in middle and high school, after which they automatically enroll at the Command Automation University in Pyongyang, where their sole academic focus is to learn how to hack into enemy network systems. Currently 700 students are reportedly enrolled. They conduct regular cyber warfare simulated exercises against each other, and some infiltrate Japan to learn the latest computer skills.

The July 2009 attack, though not devastating, was fairly sophisticated. The fact that it was controlled and not simply released to do damage indiscriminately shows that the attackers knew what they were doing. The fact that it lasted for so many days is also a testament to the effort put into propagating the virus from several sources. These attributes suggest that the attack was not the work of some teenagers with too much time on their hands. Of course, North Korea sought “deniability,” creating sufficient doubt about who did the attack so that they could claim it was not them.

While researchers have found that part of the program was written using a Korean-language web browser, that would just as likely implicate South Korean hackers for hire, of which there are many in that highly wired nation. These same researchers, however, are troubled by the fact that the code writer didn’t try to disguise its Korean origin. Someone sophisticated enough to write the code should also have been sophisticated enough to cover his or her tracks. Perhaps whoever ordered the code written wanted that clue to be found.

The South Korean government and many analysts in the United States concluded that the person who ordered the attack was the Dear One, and that he had demonstrated North Korea’s strength in cyberspace at the same time that he had done so with the rocket barrage. The message was: I am still in charge and I can make trouble with weapons that can eliminate your conventional superiority. Having sent that message, a few weeks later North Korean diplomats offered an alternative. They were prepared to talk, even to free two American prisoners. Shortly thereafter, in a scene reminiscent of the movie Team America: World Police, Bill Clinton was sitting down with the Dear One. Unlike the marionette portraying UN nuclear inspector Hans Blix in the movie, Clinton did not drop through a trapdoor into a shark tank, but it seemed likely that North Korea had placed trapdoors on computer networks on at least two continents.

Months after the July 2009 North Korean cyber activity, Pentagon analysts concluded that the purpose of the DDOS attacks may have been to determine what level of botnet activity from South Korea would be sufficient to jam the fiber-optic cables and routers leading out of the country. If North Korean agents in South Korea could flood the connection, they could effectively cut the country off from any Internet connection to the rest of the world. That would be valuable for the North to do in a crisis, because the U.S. employs those connections to coordinate the logistics of any U.S. military reinforcements. The North Korean preparation of the cyber battlefield continued. In October, three months after the DDOS attacks, South Korean media outlets reported that hackers had infiltrated the Chemicals Accident Response Information System and had withdrawn a significant amount of classified information on 1,350 hazardous chemicals. The hackers, believed to be North Koreans, obtained access to the system through malicious code implanted in the computer of a South Korean army officer. It took seven months for the South Koreans to discover the hack. North Korea now knows how and where South Korea stores its hazardous gases, including chlorine used for water purification. When chlorine is released into the atmosphere, it can cause death by asphyxiation, as demonstrated horribly on the battlefields of World War I.


The new “cyber warriors” and much of the media herald these incidents as the first public clashes of nation-states in cyberspace. There are other examples, including operations by China, Taiwan, Israel, and others. Some have called the Estonian case “WWI”, that is, Web War One.

Others look at these and other recent incidents and do not see a new kind of warfare. They see in the Israeli attack a new form of airborne electronic jamming, something that has been happening in other ways for almost half a century. The American actions in Iraq appear to these doubters to be marginal and mainly propaganda. In the Russian and North Korean activities the doubters see only harassment and nuisance-value disruption.

Of course, the Syrians, Iraqis, Estonians, Georgians, and South Koreans saw these events as far more than a nuisance. I tend to agree. I have walked through these recent, well-known cyber clashes mainly to demonstrate that nation-state conflict involving cyber attacks has begun. Beyond that incontestable observation, however, there are five “take-aways” from these incidents:

Cyber war is real.
What we have seen so far is far from indicative of what can be done. Most of these well-known skirmishes in cyberspace used only primitive cyber weapons (with the notable exception of the Israeli operation). It is a reasonable guess that the attackers did not want to reveal their more sophisticated capabilities, yet. What the United States and other nations are capable of doing in a cyber war could devastate a modern nation.

Cyber war happens at the speed of light.
As the photons of the attack packets stream down fiber-optic cable, the time between the launch of an attack and its effect is barely measurable, thus creating risks for crisis decision makers.

Cyber war is global.
In any conflict, cyber attacks rapidly go global, as covertly acquired or hacked computers and servers throughout the world are kicked into service. Many nations are quickly drawn in.

Cyber war skips the battlefield.
Systems that people rely upon, from banks to air defense radars, are accessible from cyberspace and can be quickly taken over or knocked out without first defeating a country’s traditional defenses.

Cyber war has begun.
In anticipation of hostilities, nations are already “preparing the battlefield.” They are hacking into each other’s networks and infrastructures, laying in trapdoors and logic bombs—now, in peacetime. This ongoing nature of cyber war, the blurring of peace and war, adds a dangerous new dimension of instability.
