North Korean Cyberattacks

To hear the media tell it, the United States suffered a major cyberattack last week. Stories were everywhere. "Cyber Blitz hits U.S., Korea" was the headline in Thursday's Wall Street Journal. North Korea was blamed.

Where were you when North Korea attacked America? Did you feel the fury of North Korea's armies? Were you fearful for your country? Or did your resolve strengthen, knowing that we would defend our homeland bravely and valiantly?

My guess is that you didn't even notice, that -- if you didn't open a newspaper or read a news website -- you had no idea anything was happening. Sure, a few government websites were knocked out, but that's not alarming or even uncommon. Other government websites were attacked but defended themselves, the sort of thing that happens all the time. If this is what an international cyberattack looks like, it hardly seems worth worrying about at all.

Politically motivated cyber attacks are nothing new. We've seen UK vs. Ireland. Israel vs. the Arab states. Russia vs. several former Soviet Republics. India vs. Pakistan, especially after the nuclear bomb tests in 1998. China vs. the United States, especially in 2001 when a U.S. spy plane collided with a Chinese fighter jet. And so on and so on.

The big one happened in 2007, when the government of Estonia was attacked in cyberspace following a diplomatic incident with Russia about the relocation of a Soviet World War II memorial. The networks of many Estonian organizations, including the Estonian parliament, banks, ministries, newspapers and broadcasters, were attacked and -- in many cases -- shut down. Estonia was quick to blame Russia, which was equally quick to deny any involvement.

It was hyped as the first cyberwar, but after two years there is still no evidence that the Russian government was involved. Though Russian hackers were indisputably the major instigators of the attack, the only individuals positively identified have been young ethnic Russians living inside Estonia, who were angry over the statue incident.

Poke at any of these international incidents, and what you find are kids playing politics. Last Wednesday, South Korea's National Intelligence Service admitted that it didn't actually know that North Korea was behind the attacks: "North Korea or North Korean sympathizers in the South" was what it said. Once again, it'll be kids playing politics.

This isn't to say that cyberattacks by governments aren't an issue, or that cyberwar is something to be ignored. The constant attacks by Chinese nationals against U.S. networks may not be government-sponsored, but it's pretty clear that they're tacitly government-approved. Criminals, from lone hackers to organized crime syndicates, attack networks all the time. And war expands to fill every possible theater: land, sea, air, space, and now cyberspace. But cyberterrorism is nothing more than a media invention designed to scare people. And for there to be a cyberwar, there first needs to be a war.

Israel is currently considering attacking Iran in cyberspace, for example. If it tries, it'll discover that attacking computer networks is an inconvenience to the nuclear facilities it's targeting, but doesn't begin to substitute for bombing them.

In May, President Obama gave a major speech on cybersecurity. He was right when he said that cybersecurity is a national security issue, and that the government needs to step up and do more to prevent cyberattacks. But he couldn't resist hyping the threat with scare stories: "In one of the most serious cyber incidents to date against our military networks, several thousand computers were infected last year by malicious software -- malware," he said. What he didn't add was that those infections occurred because the Air Force couldn't be bothered to keep its patches up to date.

This is the face of cyberwar: easily preventable attacks that, even when they succeed, only a few people notice. Even this current incident is turning out to be a sloppily modified five-year-old worm that no modern network should still be vulnerable to.

Securing our networks doesn't require some secret advanced NSA technology. It's the boring network security administration stuff we already know how to do: keep your patches up to date, install good anti-malware software, correctly configure your firewalls and intrusion-detection systems, monitor your networks. And while some government and corporate networks do a pretty good job at this, others fail again and again.

Enough of the hype and the bluster. The news isn't the attacks, but that some networks had security lousy enough to be vulnerable to them.

This essay originally appeared on the Minnesota Public Radio website.

Posted on July 13, 2009 at 11:45 AM • 41 Comments

Comments

ShaneJuly 13, 2009 12:03 PM

@Bruce

"Enough of the hype and the bluster. The news isn't the attacks, but that some networks had security lousy enough to be vulnerable to them."

It's great to hear you say that, and mean it, but sadly, Big Media™ needs a paycheck. They buttered their own bread though... we're all getting fairly well calloused after the last decade's worth of FUD stories, so they kind of have to up the dosage.

It's funny though, that even the Media knows that the government being incompetent isn't even 'news' anymore, haha, hence the other take.

bobJuly 13, 2009 12:11 PM

Loads of North Korean boxes are owned by non-Koreans because cracking them is effectively not illegal, and no one hates America more than pissy middle class 14 year olds. Do the math.

FrankJuly 13, 2009 12:23 PM

Bruce,
Great comments as always - particularly the: "Securing our networks doesn't require some secret advanced NSA technology. It's the boring network security administration stuff we already know how to do....."

Diligence is more often than not the answer as opposed to glitzy and glamorous hardware and software. All too often there are those that want "set it and forget it" weaponry for security prevention and that simply doesn't work in a primarily defensive security arena.

MikeJuly 13, 2009 12:31 PM

I've worked in the financial sector for many years now.

I agree, the attack on websites is just kinda funny...a nuisance.

However, over the last several years a disturbing number of critical data lines have been moved to VPN (internet) in the interest of cost.

Most are not redundant and on small, easily DOS'able lines. It wouldn't take to many of these to cripple large chunks that are kinda vital to even larger chunks of our economy. ATM networks...core processing for hundreds of FI's...etc.

Of course, these would not be devastating like a bomb or military attack. But they would cause a crisis in confidence and could have some substantial financial damage if they went on for awhile. Something like this, to me, is a real terrorism attack.

The l33tspeak on a website is just kinda funny.

Elliot RossJuly 13, 2009 12:49 PM

Hmm,

An obvious, childish attack...

Or

A feint with a left hook, while the right jab went somewhere else that no one has found yet?

Trichinosis USAJuly 13, 2009 12:56 PM

So Bruce, is it still cyberwarfare when we do it? To date no one seems to have come up with a viable, official explanation for those 6 Transatlantic undersea cables that all mysteriously got snipped within a few weeks of each other.

Of course, it's a tossup as to whether that was cyberwarfare, or simply the creation of an opportunity to install the appropriate data vaccuums.

Martial Arts ManiacJuly 13, 2009 1:20 PM

This is only the start, the more we depend on worldwide communication and the internet the more vulnerable we become to such attacks, and the more attractive such attacks become to our enemies.

EmptyspaceadsJuly 13, 2009 2:21 PM

Great post.

Have you heard of this new service that helps make money on your website?
Its http://www.emptyspaceads.com/c/r?id=1

I found it searching for a way to help pay for the time I spend blogging. It allows you to run ads on the edges of your website without having to change or obscure the current layout you have. I have used it for my blog for the last few months, and the money I have made from it has been outstanding. I just thought I should share some of my tips

sooth sayerJuly 13, 2009 2:41 PM

I am not sure I agree with article .. or the idea behind it.

How's this writeup different than blaming a rape victim for saying "she looked hot enough to rape and .. there was no cop in sight", surely Bruce will scoff at the idea.

N. Korea or anyone attacking US doesn't need explanation or clarification.

N. Korea is a rouge state - it does bad things, what international law can stop them - I guess none.

A Daisy cutter or a nuke might help - but the arguments of victims are so diluted by equivocation like this that few will consider such response justified, most will just shrug their shoulders and hope they aren't affected.

bobJuly 13, 2009 3:35 PM

"N. Korea is a rouge state"

Tres rouge. In fact, it's the primary color of their flag.

Caleb JonesJuly 13, 2009 3:36 PM

While I agree that cyber-attacks have been, to date, underwhelming for the most part, part of that could be because the importance of the endpoints being targeted aren't very high. Just because nobody noticed now, doesn't mean it will remain that way forever.

If a government/society comes to rely on a limited number of online resources that are vulnerable to attack, then all attackers have to do is bring down those resources to cause major damage to that government/society. This is what needs to be kept in mind as things like "smart grids" and "online voting" are considered.

For "smart grids" there should be a physical limitation in the system where the "online" portion of it is both non-crucial as well as read-only such that a full-scale attack merely makes the information temporarily unavailable.

To me the idea of online voting (or even electronic voting for that matter) scares me. For online voting, if attackers can break into the system or even flood it with "noise" they could invalidate or at least cast doubt on the validity of an election which could be coordinated with a coop or other internal or external attack.

Jonathan D. AbolinsJuly 13, 2009 4:16 PM

Thanks for the good commentary. I especially like the "kids playing politics" reference. Spending the past week tracking the DDOS and the reactions to it, I am seeing a lot of that.

Attribution is critical. I have been pointing people to Justin Hornberger's good video on social/linguistic aspects of cyber-attribution: http://justinhornberger.com/Attribution/

For a helpful technical overview, take a look at ShadowServer's write-up: http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090710

Again, thank you.

sooth sayerJuly 13, 2009 4:49 PM

@Bob ..
>> "N. Korea is a rouge state"

>>Tres rouge. In fact, it's the primary color of their flag.

Sometimes freudian slips work !

Ian AllenJuly 13, 2009 6:58 PM

I just want to point out that almost a year ago the Russians suggested that the UN come up with a cubersecyrity protocol to govern relations between nations, and perhaps define cyberwar and cyberterrorism in the international relations arena. Guess who voted it down? The US delegation. Hmmmm. Somebody said earlier that it is"cyberwarfare when we do it", which implies it's cyberterrorism when others do it. A great point.

DUI attorneyJuly 13, 2009 11:29 PM

Bruce, AGREED.

This is the face of cyberwar: easily preventable attacks that, even when they succeed, only a few people notice. Even this current incident is turning out to be a sloppily modified five-year-old worm that no modern network should still be vulnerable to.

Securing our networks doesn't require some secret advanced NSA technology. It's the boring network security administration stuff we already know how to do: keep your patches up to date, install good anti-malware software, correctly configure your firewalls and intrusion-detection systems, monitor your networks. And while some government and corporate networks do a pretty good job at this, others fail again and again.

Thanks for keeping the debate fresh and flowing. Keep up the great work.

A nonny bunnyJuly 14, 2009 1:36 AM

>Israel is currently considering attacking
>Iran in cyberspace, for example. If it
>tries, it'll discover that attacking
>computer networks is an inconvenience
>to the nuclear facilities it's targeting,
>but doesn't begin to substitute for
>bombing them.

Unless you can trigger a melt-down.
;)

Ian EiloartJuly 14, 2009 4:08 AM

"attacking computer networks is an inconvenience to the nuclear facilities it's targeting "

Presumably, the control systems aren't actually Internet connected? It'll just be the payroll, and email and stuff that can be targetted. Nothing that can actually interfere with operations....

Fingers crossed, anyway.

YosiJuly 14, 2009 4:29 AM

>> Unless you can trigger a melt-down.

You can't melt-down storage building.

A Nonny BunnyJuly 14, 2009 5:27 AM

> You can't melt-down storage building.

Is that a challenge ;)

I was of course assuming "nuclear facilities" included at least some nuclear reactors, and not (just) storage buildings. Don't get your realism all over my movie-plots, damnit.

GordonSJuly 14, 2009 6:14 AM

@Bruce
"The constant attacks by Chinese nationals against U.S. networks may not be government-sponsored, but it's pretty clear that they're tacitly government-approved"

On the one hand you are dispelling hype, and then creating more on the other!

How is it clear these attacks are government approved or sanctioned in any way? What makes China so different from the rest of your analysis? (that the vast majority of attacks are just kids playing politics; which, BTW, I agree with).

What is it with the weird anti-Chinese sentiment that seems to be growing in the USA? Is China the the new 'red threat' or something?!

RTJuly 14, 2009 6:23 AM

"especially in 2001 when a U.S. spy plane collided with a Chinese fighter jet."

Ahem. You mean "especially in 2001 when a U.S. spy plane was deliberately rammed by a chinese fighter jet".

And yes, china is the real enemy.

HeheheJuly 14, 2009 10:29 AM

Would be kind of ironic if Massad had installed a tripwire that if their nuclear plant can't reach Twitter, the cooling system goes permanently offline...

mcbJuly 14, 2009 10:36 AM

@ RT

"'especially in 2001 when a U.S. spy plane collided with a Chinese fighter jet.'

Ahem. You mean 'especially in 2001 when a U.S. spy plane was deliberately rammed by a chinese fighter jet'."

The US EP-3 was struck by the Chinese fighter but as the collision resulted in the destruction of the fighter and the death of the pilot while only disabling the spy plane it sounds a lot more like an accident to me. After all, fighters can carry all sorts of tools for destroying other aircraft if that is the intended mission.

That said, I still wonder why the our naval aviator didn't turn his plane toward the nearest friendly base or allied naval vessel instead of landing at Hainan Island...Detachment 2702 at work?

Matt from CTJuly 14, 2009 11:14 AM

>What is it with the weird anti-Chinese
>sentiment that seems to be growing in
>the USA? Is China the the new 'red
>threat' or something?!

I don't think it's growing at all.

It may have become more visible with the fall of the Soviet Union. FWIW, I am more concerned about the potential for conflicts with Russia then China.

The clarity of the sanctioning of the attacks in China's case is pretty simple -- a nation famous for it's "Great Firewall" that can block incoming connections at will somehow can't stop outbound?

It doesn't make me scared or respect them less or whatever -- it is what it is. I've worked at an R&D Center that had it's site director (S. Korean national) taken away in cuffs by the FBI for industrial espionage. He was later released to Korean custody in a deal worked out diplomatically. We can assume most people are honest but there are some who want to steal our secrets for their own benefit -- whether it's a Polish truck driver walking unescorted through a factory in France, or it's a Russian mole deeply planted in the IT department of a corporation in the U.S.

EamJuly 14, 2009 11:39 AM

@mcb: "After all, fighters can carry all sorts of tools for destroying other aircraft if that is the intended mission."

Surely you can appreciate the political difference between "Chinese fighter jet collides with American spy plane" and "Chinese fighter jet shoots down American spy plane".

Whatever the goal was in this case, the latter headline would be much more troublesome for both sides.

mcbJuly 14, 2009 1:53 PM

@ Eam

"Whatever the goal was in this case, the latter headline would be much more troublesome for both sides."

If an accidental yet survivable collision resulting in the destruction of the US plane was the plan then the Chinese picked the wrong pilot. If a suicide ramming mission was the Chinese pilot's mission he certainly could have hit the EP-3 harder and both would have gone into the water moments after impact.

More to my "paranoid-movie-plot-threat" point, what if the goal was to provide a plausible explanation for the transfer to the PRC of restricted technology or classified information with having to admit to some other security breach?

mcbJuly 14, 2009 1:56 PM

Aack! Thpt! The last line should read:

...classified information without having to admit to some other security breach?

TraceyJuly 14, 2009 1:57 PM

Federal Trade Commission site was down for at least 4 days. Interesting that their motto is "protecting america's consumers" and their systems weren't strong enough to protect themselves. Does everyone see the irony? Think any network admin/security admin heads are rolling this week? Imagine the interminable meetings!!!

Paul DixonJuly 14, 2009 5:06 PM

"This is the face of cyberwar: easily preventable attacks that, even when they succeed, only a few people notice. Even this current incident is turning out to be a sloppily modified five-year-old worm that no modern network should still be vulnerable to."

While as a corporate Security professional I totally agree with this assertion, I am finding that there is a very significant footprint of vulnerability at people's homes. It is very important that as we progress in our efforts as a country to secure our infrastructure that we address this threat and get some cheap but effective tools to the home computer users. I wrote about this in a recent posting: http://bit.ly/x5y9S

Paul

What 75th anniversary was it again?July 15, 2009 12:34 AM

Gee, I hope sooth sayer likes Britain, and sees fit to belay that strike order, given the latest rumors about the attack.

Meanwhile, back in Honduras...

NargunJuly 15, 2009 4:05 AM

One interesting aspect of the entire cyberwar/cyberterrorism/cyberfrenchtourism (think Rainbow Warrior) debate/argument/war-sans-bloodshed, is that both China and the US have made compacts with a mercenary monopolist which has a bad habit of writing software with bad security habits. Both are as vulnerable as the other, due to exactly the same stupidity in supply and procurement.

That is why I think that the Chinese Government isn't behind these cyberattacks to even fifty percent - permitting any other government an excuse to DDOS over a prolonged period of time is far too great a risk.

Now isn't that an excellent reason for tolerating a predatory monopoly? Mutually Assured Destruction by cybercrims in the pay of some government or other and beholden only to themselves?

JohnJuly 15, 2009 4:08 AM

"Politically motivated cyber attacks are nothing new. We've seen UK vs.
Ireland."

I didn't know about any cyber attacks between the UK and Ireland. Does anyone know anything about that? Is it possible this claim is false?

James PannozziJuly 16, 2009 1:32 AM


Bruce makes some good observations in this and in numerous other security postings but in general he seems to consistently overlook deeper aspects at the root of the "vulnerability" problem.
1. The powers accorded to corporations, both political and economic, have grown out of control. The "free trade" movement was the ultimate culmination of that trend, allowing corporations to wreck the economy and the future job prospects of millions of Americans for reasons of expediency and narrowly defined profit motivations to the exclusion of all other criteria.
2. There are enemy infiltration centers sitting right out in the open in every major city. They are called the "Chambers of Commerce (sic)".
3. Software development became fundamentally crippled and engendered the software "crisis" when individually empowering languages were pushed aside in favour of groupware tools and excessive reliance on databases. A single programmer using APL2 could run the IT of a moderate sized company. If he or she spoke English and had reasonably expected communication skills, the software could be documented. But, corporate expediency dictated that it wanted large numbers of unthinking zombies building software, disempowering the skilled individual software programmer in favour of outsiders no one of which would become powerful enough to threaten the sanctity of management. To this day, it has become a matter of pride for upper managment to NOT have a computer in their inner office. The new director of the FBI had a desktop computer removed from his office when he first assumed office some months prior to 9-11.
4.Last but not least, Bruce somehow consistently fails to mention a fundamental flaw in our networks - the use of Microsoft software and operating systems. By design, Microsoft corporation has placed marketing and vaporware, designed to use its near monopoly status to pre-emptively disable competition on a priority level, far above priorities for bug fixing and software design (protestations from them to the contrary notwithstanding).
Microsoft recently got a taste of its own medicine when Google launched a vaporware threat of its own. Very satisfying! Just the simple step of converting to Linux, along with fairly simple protection measures and settings, would make the job of the cyber attackers far more difficult and would conform to one of Bruce's own criteria - the Linux software is open and viewable by all - its vulnerabilities can be discovered and protected against. But... again our pals the corporations have vested interest in protecting their "investments". That Microsoft is still used in our government computing is astounding, entire foreign governments have already switched over to Linux. And we have already seen Microsoft heavily lobbying its proprietary file formats in state legislatures fall flat on its face as open formats gradually become adopted, and very reluctantly, near forcibly, supported by Microsoft Office.

guvn'rJuly 17, 2009 8:32 AM

@Bruce: "Securing our networks doesn't require some secret advanced NSA technology. It's the boring network security administration stuff we already know how to do: keep your patches up to date, install good anti-malware software, correctly configure your firewalls and intrusion-detection systems, monitor your networks. And while some government and corporate networks do a pretty good job at this, others fail again and again."

It's not as easy to counter a good DDoS attack as it is to criticize after the fact.

Patches and antimalware software do nothing to stop a mob of zombies exhausting server resources with half-built TCP connections or spurious GET requests. Controlling net ingress and egress will help but at the cost of affecting legitimate users, in other words DOSing the site in a different fashion.

And you gotta love the slams directed at government admins, without any specifics. @Bruce: "The news isn't the attacks, but that some networks had security lousy enough to be vulnerable to them." I was disappointed in you Bruce, I followed the link looking for specifics and found none. What specifically was the lousy security, which domain and what features did they do poorly on?

So here's a problem: we can implement a robust solution that will have enough resources to withstand a concerted DDoS attack from 250,000 zombies, but most of the time will be running at 30% to 40% of capacity. In other words, most of the time roughly two thirds of the money spent on hardware and bandwidth will be wasted. Is this a good use of public funds? Will there be criticism for such wasteful spending? Or for not spending? (Hint: the answer to both is "YES" depending on whether there was a headline grabbing DDoS attack yesterday or not.)

Walk a mile in their moccasins!

Davi OttenheimerJuly 21, 2009 11:00 AM

@ guvn'r

Good observations, but we're talking about infrastructure. If you ask the question with regard to a bridge, or a dam, or similar public works project then the answer to both would be "NO, please use whatever resources necessary to prevent an outage/disaster".

@ sooth sayer

The difference between this an a rape victim case is simple. A person should have the right to move about without fear of attack; who they are (e.g. an attractive woman) or how they dress should not be seen as faults or a loss of right. IT infrastructure is quite different from a person in terms of rights; an un-patched system is by definition in a faulty state.

@ Bruce

Some here have mentioned you are taking on the gov't, but I can think of a far more controversial angle you did not mention. The power-struggle on the hill right now over who will run CyberSecurity for the President...I suspect the more fear and bad news pedaling we see the more likely there are spooks trying to muscle away control of the situation. A less shocking conclusion would be that they're just trying to increase awareness and help admins gets funding, but that seems far too rosy and collaborative a picture for Washington.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.