Cyber War: The Next Threat to National Security and What to Do About It
Right before the Fourth of July holiday, a coded message was sent out by a North Korean agent to about 40,000 computers around the world that were infected with a botnet virus. The message contained a simple set of instructions telling the computer to start pinging a list of U.S. and South Korean government websites and international companies. Whenever the infected computers were turned on, they silently joined the assault. If your computer was one of the zombies, you might have noticed your processor was running slowly and your Web requests were taking a bit longer to process, but nothing too out of the ordinary. Yes, it was another DDOS attack by zombies in a botnet. At some time over the weekend, the U.S. government did notice when dhs.gov and state.gov became temporarily unavailable. If anyone actually thought of consulting the Department of Homeland Security terrorist threat level before deciding to go watch the fireworks on the National Mall, they would not have been able to gain that information from the Department of Homeland Security’s website.
Each of those zombie computers was flooding these sites with requests to see their pages in another distributed denial of service attack. The U.S. websites were hit with as many as 1 million requests per second, choking the servers. The Treasury, Secret Service, Federal Trade Commission, and Department of Transportation web servers were all brought down at some point between July 4 and July 9. The NASDAQ, New York Mercantile, and New York Stock Exchange sites were also hit, as was the Washington Post. The DDOS aimed at the White House failed, however. To prevent the first DDOS attack against the White House in 1999, I had arranged with a company known as Akamai to route traffic seeking the White House website to the nearest of over 20,000 servers scattered around the world. When the Korean attack hit in 2009, the DDOS went to the White House servers nearest the source of the attacker. Thus, only sites hosting the White House website in Asia had trouble. White House spokesperson Nick Shapiro apologized in a halfhearted way to any web surfers in Asia who might not have been able to get onto the White House site. Then the second and third waves hit.
Another 30,000 to 60,000 computers infected with a different variant of the virus were told to target a dozen or more South Korean government sites, Korean banks, and a South Korean Internet security company on July 9. The attackers were apparently convinced that the attacks on U.S. sites were no longer going to be effective after the government and major corporations began working with Internet service providers (ISPs) to filter out the attacks. At 6:00 p.m. Korea time on July 10, the final assault began. By then an estimated 166,000 computers in seventy-four countries were involved, and they started flooding the sites of Korean banks and government agencies.
Ultimately, the damage was contained. The attack did not attempt to gain control of any government systems, nor did it disrupt any essential services. But it was likely only meant as a shot across the bow. What we do know is that there was an agenda and motivation for the attack. This was not a worm simply released into the wilds of the Internet and allowed to propagate. Someone controlled and directed the attack and modified its target list to focus on the more vulnerable Korean sites.
The U.S. government has yet to directly attribute the attack to North Korea, though South Korea has not been shy about doing so. The timing of the attacks does suggest the North Korean regime is the prime suspect, but definite attribution is difficult. The infected computers attempted to contact one of eight “command and control servers” every three minutes. These servers sent instructions back to the infected zombie computers, telling them which websites to attack. The eight masters were in South Korea, the United States, Germany, Austria, and, interestingly, Georgia (the country).
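The polling behavior described above (every infected machine checking in with one of a small set of command-and-control servers on a fixed timer) is exactly what a defender can look for in outbound connection logs. The following is an added example, not code from the book or from any investigation of the 2009 attack: it scores each source/destination pair by how regular the gaps between its connections are, so that hosts contacting the same address every three minutes stand out from ordinary, irregular traffic. The log format, the addresses (documentation ranges, with 198.51.100.7 standing in for a C2 server) and the three-minute cadence are all constructed for the example.

```python
"""Periodic-beacon detection over constructed connection logs.

Added example (not from the book): flags host pairs whose outbound
connections recur at a near-constant interval, the pattern the text
describes (bots polling a C2 server every three minutes).
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample log in the form "<ISO timestamp> <src> -> <dst>".
# Two hosts poll 198.51.100.7 (a documentation-range address used here as
# the stand-in C2) roughly every 180 s; the rest is irregular traffic.
SAMPLE_LOG = """\
2009-07-04T09:00:00 10.0.0.5 -> 198.51.100.7
2009-07-04T09:00:11 10.0.0.5 -> 192.0.2.10
2009-07-04T09:03:01 10.0.0.5 -> 198.51.100.7
2009-07-04T09:04:47 10.0.0.5 -> 192.0.2.10
2009-07-04T09:05:59 10.0.0.5 -> 198.51.100.7
2009-07-04T09:09:02 10.0.0.5 -> 198.51.100.7
2009-07-04T09:12:00 10.0.0.5 -> 198.51.100.7
2009-07-04T09:00:30 10.0.0.9 -> 198.51.100.7
2009-07-04T09:03:29 10.0.0.9 -> 198.51.100.7
2009-07-04T09:06:31 10.0.0.9 -> 198.51.100.7
2009-07-04T09:09:30 10.0.0.9 -> 198.51.100.7
2009-07-04T09:01:00 10.0.0.12 -> 192.0.2.10
2009-07-04T09:02:10 10.0.0.12 -> 192.0.2.10
2009-07-04T09:07:45 10.0.0.12 -> 192.0.2.10
2009-07-04T09:20:00 10.0.0.12 -> 192.0.2.10
"""


def parse_log(text):
    """Return {(src, dst): [timestamps]} from the line format above."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs


def beacon_score(timestamps):
    """Return (median_interval_s, jitter) for a list of contact times.

    jitter is the population standard deviation of the gaps divided by the
    median gap, so a perfectly regular beacon scores 0.0. Fewer than three
    contacts give no usable interval, so None is returned.
    """
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if med <= 0:
        return None
    return med, pstdev(gaps) / med


def find_beacons(text, max_jitter=0.1, min_contacts=3):
    """Return {(src, dst): median_interval_s} for pairs whose contacts
    are regular enough to look like a polling beacon."""
    hits = {}
    for pair, stamps in parse_log(text).items():
        if len(stamps) < min_contacts:
            continue
        score = beacon_score(stamps)
        if score is None:
            continue
        med, jitter = score
        if jitter <= max_jitter:
            hits[pair] = med
    return hits


if __name__ == "__main__":
    for (src, dst), interval in sorted(find_beacons(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}: contacts every ~{interval:.0f}s")
```

On the constructed log this reports both 10.0.0.5 and 10.0.0.9 polling 198.51.100.7 at roughly 180-second intervals and ignores the irregular traffic. The caveat for real data is that botnet authors can add random delay to the check-in timer, which raises the jitter score; the threshold is a tuning knob, and the number of distinct internal hosts contacting the same external address on a similar schedule is usually a stronger signal than any single pair.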
The Korea Communications Commission has endorsed the judgment of a Vietnamese firm, Bach Khoa Internetwork Security (BKIS), that these eight servers were controlled from a server in Brighton, England. From there, the trail goes cold, though it does not look like the mastermind behind the attack was sitting in front of a keyboard near the beach in Brighton. South Korea’s National Intelligence Service (NIS) suspects that a North Korean military research institute set up to destroy South Korea’s communications infrastructure was involved. The NIS said in a statement following the attack that it had evidence that pointed to North Korea.
The NIS maintains that the North Korean hacker unit, known as Lab 110, or the “technology reconnaissance team,” was ordered to prepare a plan for cyber attack on June 7. That order directed the unit to “destroy the South Korean puppet communications networks in an instant,” following the decision by the South Koreans to participate in Exercise Cyber Storm. The North called the exercise “an intolerable provocation as it revealed ambition to invade the DPRK.”
South Korea is now preparing for all-out cyber war with the North. Just before the attacks began, South Korea had announced plans for establishing a cyber warfare command by 2012. After the attacks, it sped up the timeline to January 2010. What the South’s new cyber warfare command will do the next time the North attacks in cyberspace is unclear.
If North Korea attacks in cyberspace again, options for responding are relatively limited. Sanctions cannot be made much tighter. Suspended food aid cannot be suspended further. Any military action in retaliation is out of the question. The 23 million residents of metropolitan Seoul live within range of North Korea’s artillery pieces, set along the demilitarized zone in what military planners refer to as “the kill box.”
There is also little possibility of responding in kind, since North Korea has little for either U.S. or South Korean cyber warriors to attack. In 2002, Donald Rumsfeld and other Bush Administration officials advocated the invasion of Iraq because Afghanistan was not a “target rich” environment, with not enough military hardware, bases, or major infrastructure for the U.S. to blow up. North Korea is the cyber equivalent of Afghanistan.
Nightearth.com compiled satellite photos of the planet at night taken from space. Its composite map shows a well-lit planet. South Korea looks like a bright island separated from China and Japan by the sea. What looks like the sea, the Korean peninsula north of Seoul, is almost completely dark. North Korea barely has an electric grid. Fewer than 20,000 of North Korea’s 23 million citizens have cell phones. Radios and TVs are hardwired to tune only into official government channels. And as far as the Internet is concerned, the New York Times’s judgment from 2006 that North Korea is a “black hole” still stands. The Economist described the country as “almost as cut off from the virtual world as it is from the real one.” North Korea operates about thirty websites for external communication with the rest of the world, mostly to spread propaganda about its neighbor to the south. A handful of Western hotels are permitted satellite access, and North Korea does run a limited internal network for a few lucky citizens who can go to the Dear One’s website, but almost nowhere else.
While North Korea may not have invested much in developing an Internet infrastructure, it has invested in taking down the infrastructure in other countries. Unit 110, the unit suspected of carrying out the July cyber attacks, is only one of North Korea’s four cyber warfare units. The Korean People’s Army (KPA) Joint Chiefs Cyber Warfare Unit 121 has over 600 hackers. The Enemy Secret Department Cyber Psychological Warfare Unit 204 has 100 hackers and specializes in cyber elements of information warfare. The Central Party’s Investigations Department Unit 35 is a smaller but highly capable cyber unit with both internal security functions and external offensive cyber capabilities. Unit 121 is by far the largest and, according to one former hacker who defected in 2004, the best trained. The unit specializes in disabling South Korea’s military command, control, and communications networks. It has elements stationed in China because the Internet connections in North Korea are so few and so easily identified. Whether the Beijing government knows the full extent of the North Korean presence and activity is unclear, but few things escape China’s secret police, particularly on the Internet. One North Korean cyber war unit is reportedly located at the Shanghai Hotel in the Chinese town of Dandong, on the North Korean border. Four floors are allegedly rented out to Unit 110 agents. Another unit is in the town of Sunyang, where North Korean agents have reportedly rented out several floors in the Myohyang Hotel. Agents have apparently been spotted moving fiber-optic cables and state-of-the-art computer network equipment into these properties. All told, North Korea may have from 600 to 1,000 KPA cyber warfare agents acting in cells in the PRC, under a commander with the rank of Lieutenant Colonel. North Korea selects elite students at the elementary-school level to be groomed as future hackers. These students are trained on programming and computer hardware in middle and high school, after which they automatically enroll at the Command Automation University in Pyongyang, where their sole academic focus is to learn how to hack into enemy network systems. Currently 700 students are reportedly enrolled. They conduct regular cyber warfare simulated exercises against each other, and some infiltrate Japan to learn the latest computer skills.
The July 2009 attack, though not devastating, was fairly sophisticated. The fact that it was controlled and not simply released to do damage indiscriminately shows that the attackers knew what they were doing. The fact that it lasted for so many days is also a testament to the effort put into propagating the virus from several sources. These attributes suggest that the attack was not the work of some teenagers with too much time on their hands. Of course, North Korea sought “deniability,” creating sufficient doubt about who did the attack so that they could claim it was not them.
While researchers have found that part of the program was written using a Korean-language web browser, that would just as likely implicate South Korean hackers for hire, of which there are many in that highly wired nation. These same researchers, however, are troubled by the fact that the code writer didn’t try to disguise its Korean origin. Someone sophisticated enough to write the code should also have been sophisticated enough to cover his or her tracks. Perhaps whoever ordered the code written wanted that clue to be found.
The South Korean government and many analysts in the United States concluded that the person who ordered the attack was the Dear One, and that he had demonstrated North Korea’s strength in cyberspace at the same time that he had done so with the rocket barrage. The message was: I am still in charge and I can make trouble with weapons that can eliminate your conventional superiority. Having sent that message, a few weeks later North Korean diplomats offered an alternative. They were prepared to talk, even to free two American prisoners. Shortly thereafter, in a scene reminiscent of the movie Team America: World Police, Bill Clinton was sitting down with the Dear One. Unlike the marionette portraying UN nuclear inspector Hans Blix in the movie, Clinton did not drop through a trapdoor into a shark tank, but it seemed likely that North Korea had placed trapdoors on computer networks on at least two continents.
Months after the July 2009 North Korean cyber activity, Pentagon analysts concluded that the purpose of the DDOS attacks may have been to determine what level of botnet activity from South Korea would be sufficient to jam the fiber-optic cables and routers leading out of the country. If North Korean agents in South Korea could flood the connection, they could effectively cut the country off from any Internet connection to the rest of the world. That would be valuable for the North to do in a crisis, because the U.S. employs those connections to coordinate the logistics of any U.S. military reinforcements. The North Korean preparation of the cyber battlefield continued. In October, three months after the DDOS attacks, South Korean media outlets reported that hackers had infiltrated the Chemicals Accident Response Information System and had withdrawn a significant amount of classified information on 1,350 hazardous chemicals. The hackers, believed to be North Koreans, obtained access to the system through malicious code implanted in the computer of a South Korean army officer. It took seven months for the South Koreans to discover the hack. North Korea now knows how and where South Korea stores its hazardous gases, including chlorine used for water purification. When chlorine is released into the atmosphere, it can cause death by asphyxiation, as demonstrated horribly on the battlefields of World War I.
The new “cyber warriors” and much of the media herald these incidents as the first public clashes of nation-states in cyberspace. There are other examples, including operations by China, Taiwan, Israel, and others. Some have called the Estonian case “WWI”, that is, Web War One.
Others look at these and other recent incidents and do not see a new kind of warfare. They see in the Israeli attack a new form of airborne electronic jamming, something that has been happening in other ways for almost half a century. The American actions in Iraq appear to these doubters to be marginal and mainly propaganda. In the Russian and North Korean activities the doubters see only harassment and nuisance-value disruption.
Of course, the Syrians, Iraqis, Estonians, Georgians, and South Koreans saw these events as far more than a nuisance. I tend to agree. I have walked through these recent, well-known cyber clashes mainly to demonstrate that nation-state conflict involving cyber attacks has begun. Beyond that incontestable observation, however, there are five “take-aways” from these incidents:
Cyber war is real. What we have seen so far is far from indicative of what can be done. Most of these well-known skirmishes in cyberspace used only primitive cyber weapons (with the notable exception of the Israeli operation). It is a reasonable guess that the attackers did not want to reveal their more sophisticated capabilities, yet. What the United States and other nations are capable of doing in a cyber war could devastate a modern nation.
Cyber war happens at the speed of light. As the photons of the attack packets stream down fiber-optic cable, the time between the launch of an attack and its effect is barely measurable, thus creating risks for crisis decision makers.
Cyber war is global. In any conflict, cyber attacks rapidly go global, as covertly acquired or hacked computers and servers throughout the world are kicked into service. Many nations are quickly drawn in.
Cyber war skips the battlefield. Systems that people rely upon, from banks to air defense radars, are accessible from cyberspace and can be quickly taken over or knocked out without first defeating a country’s traditional defenses.
Cyber war has begun. In anticipation of hostilities, nations are already “preparing the battlefield.” They are hacking into each other’s networks and infrastructures, laying in trapdoors and logic bombs—now, in peacetime. This ongoing nature of cyber war, the blurring of peace and war, adds a dangerous new dimension of instability.
As later chapters will discuss, there is every reason to believe that most future kinetic wars will be accompanied by cyber war, and that other cyber wars will be conducted as “stand-alone” activities, without explosions, infantry, airpower, and navies. There has not yet, however, been a full-scale cyber war in which the leading nations in this kind of combat employ their most sophisticated tools against each other. Thus, we really do not know who would win, nor what the results of such a cyber war would be. This book will lay out why the unpredictability associated with full-scale cyber war means that there is a credible possibility that such conflict may have the potential to change the world military balance and thereby fundamentally alter political and economic relations. And it will suggest ways to reduce that unpredictability.
CHAPTER TWO
CYBER WARRIORS
In a television ad, a crew-cut young man in a jumpsuit walks around a darkened command center, chatting with subordinates who are illuminated by the greenish light from their computer screens. We hear his voice over the video: “control of power systems…water systems…that is the new battlefield…in the future this is going to be the premier war-fighting domain…this is going to be where the major battles are fought.” He then looks right at the camera and says, “I am Captain Scott Hinck, and I am an Air Force Cyber Warrior.” The screen fades to black, and then three words appear: “Air, Space, Cyberspace.” Then, as the ad ends, we see a winged symbol and the name of the sponsor, “United States Air Force.”
So now we know what one cyber warrior looks like. At least in Scott’s case, he looks a lot like the bright, fit, earnest officers who populate the world’s most potent military. That is not quite our image of hackers, whom movies have portrayed as acned, disheveled guys with thick glasses. To attract more of those with the skills needed to understand how to fight cyber war, however, the Air Force seems to think it may have to bend the rules. “If they can’t run three miles with a pack on their back, but they can shut down a SCADA system,” mused Air Force Major General William Lord, “we need to have a culture where they can fit in.” (A SCADA system, for supervisory control and data acquisition, is the software that monitors and controls industrial networks such as electric power grids.) That progressive attitude reflects the U.S. Air Force’s strong desire to play the leading role for the U.S. in cyber war. That service was the first to create an organization for the purpose of combat in the new domain: U.S. Air Force Cyber Command.
THE FIGHT FOR CYBER WAR
In October 2009, when the doors opened on the multiservice, joint U.S. Cyber Command, the Navy had already followed the Air Force in standing up its own cyberwarfare unit. All the new organizations and big pronouncements gave some the impression that the U.S. military was just getting interested in cyber warfare, coming rather late to the game. Not so. The Department of Defense invented the Internet, and the possibility of using it in warfare was not overlooked even in its early days. As highlighted above, in chapter 1, early cyber warriors had a plan back in the first Gulf War to use cyber weapons to take down Iraq’s air defense system. Shortly after that war, the Air Force set up its Info War Center. In 1995, National Defense University graduated its first class of officers trained to lead cyber war campaigns.
Some in the 1990s military did not fully understand what cyber war meant and thought of it as “info ops,” part of psychological warfare, or “psyops” (using propaganda to influence the outcome of wars). Others, particularly those in the intelligence branches, were seeing the ever expanding Internet as a bonanza for electronic espionage. It started to become pretty obvious that once you had penetrated a network to collect information, a few more keystrokes could take that network down. As this realization grew among the electronic intelligence officers, they had a dilemma. The intelligence guys knew that if they told the “operators” (the fighting units) that the Internet was making a new kind of war possible, they would lose some control of cyberspace to the “warriors.” On the other hand, the warriors would still have to rely on the intelligence geeks to do anything in cyberspace. Moreover, the opportunities cyberspace offered to do significant damage to an enemy with relatively little effort were too good to pass up. Slowly, the warriors realized that the geeks were on to something.