The cyber attacks on Sony have given rise to much commentary on the sophistication of the North Korean state's cybersecurity program. The hermit kingdom is far from alone in its offensive and defensive cyber build-up, with numerous nations around the world seeking to join the list of cyber powers. But just how much damage could North Korea do? To help answer that question, let's turn to Dr. Charlie Miller, who says that he could crash the Internet and take control of some of the most protected computer systems in the world.
Miller, now a cybersecurity analyst at Twitter, was the first person to break into Apple's iPhone; he discovered a software flaw that would have allowed him to take control of every iPhone on the planet. He has won the prestigious Black Hat cybersecurity competition, among numerous other awards, and worked for the NSA for five years. In 2010, while presenting at a NATO Committee of Excellence conference on cyber conflict in Tallinn, Estonia, Miller conducted a thought experiment: if he were forced to, how would he go about crashing the Internet and taking control of well-defended computer systems? In the scenario he imagined, former North Korean leader Kim Jong-Il had kidnapped him and induced him to "hack the planet," that is, to control as many protected systems and Internet hosts as possible so as to dominate cyberspace. Miller then cataloged all of the steps that would be required to meet this audacious and dastardly goal.
He would need people, roughly 600 working throughout the world, and a way to communicate with them. The trick would be identifying them, a task made easier if Miller or another expert in the field were a willing co-conspirator with a North Korean intelligence agency like the Cabinet General Intelligence Bureau.
Miller's army would need funding and "weapons" like botnets, distributed denial of service attacks, bots, and -- above all -- zero-day exploits that take advantage of fundamental flaws in programs. These weapons would often use the Internet, but to complete his hack, Miller would also need to compromise hard, protected targets that are often "air gapped," or not connected to the Internet. High-profile attacks like Stuxnet, the exfiltrated documents published by WikiLeaks, and the 2008 breach of classified U.S. government systems are examples of these types of attacks on supposedly isolated targets. Attackers look for entry points that are poorly defended with the goal of using one host to infect others on the closed network. This could be accomplished by low-tech means, such as through a simple flash drive.
Lastly, Miller would need time. For the first three months, his cyber army would search for vulnerabilities. From three to nine months, zero-day exploits would be identified and used to take over routers. After one year, some hard, protected targets would be compromised. At eighteen months, sufficient zero-day exploits would have been found and enough air-gapped systems compromised to begin final planning. Finally, after two years, the attack could start manifesting itself, assuming that no law enforcement agency or other group had identified the attackers in the meantime, which is a rather large assumption.
The bottom line, according to Miller, is that the Internet and even air-gapped computer systems may be controlled or crashed for roughly $50 million, which is reportedly less than what North Korea spends on cybersecurity annually. Richard Clarke, among others, has warned that North Korea will not shy away from using its cyber warfare capabilities in a conflict. This danger is posed by other isolated regimes as well, and there is "anecdotal evidence that unknown parties have explored the possibility of disrupting the global network."
Sound ripe for a spy thriller? What is good for genre-writing enthusiasts is rarely an ideal starting point for policymakers. According to some commentators, such narratives merely serve to inflate fears and undermine constructive efforts to enhance cybersecurity, and it is true that such a scenario is highly unlikely. But there is some value to be extracted from this tale. The vulnerabilities that Miller points to are real and require our attention if we are to ensure that fiction does not become reality, and that the most recent cyber attacks on Sony are the end and not the beginning of a new era in state-sponsored cyber attacks.
This post is an excerpt of Scott Shackelford, Managing Cyber Attacks in International Law, Business, and Relations: In Search of Cyber Peace (Cambridge University Press, 2014), available here.