North Korea Pushes The Threshold Of War In Cyberspace

Excerpts:
An open question is whether North Korea can find an even better cyber means for coercion. One thing to look out for is the possibility North Korea may use ransomware or doxing, rather than destructive malware, to back up threats. Others have rightly argued that because a cyber operation using destructive malware relies on stealth and surprise, it is difficult to communicate a credible threat before an attack, because doing so alerts the target and triggers preventative measures.
 
Ransomware and doxing, however, aim to impose increasing costs precisely to get something in return. They are analogous to throwing the victim in the water, and offering to save him if he pays, rather than threatening to drown him unless he pays. These tools are therefore more suitable for compelling an action, although it is difficult to provide credible assurance that pain will stop once the target complies. North Korea has already allegedly tried using doxing and ransomware for criminal purposes, and it may not be long before it can find other applications for these tools.
 

North Korea Pushes the Threshold of War in Cyberspace

thecipherbrief.com · July 30, 2017

July 30, 2017 | Jenny Jun

Jenny Jun
Researcher, Department of Political Science, Columbia University

In December 2014, while many were still preoccupied with the aftermath of the North Korean cyber attack on Sony Pictures Entertainment, South Korea was in a crisis of its own.

An entity identifying itself as an “Anti-Nuclear Power Group” demanded that the country shut down three of its civilian nuclear reactors by Christmas Day, threatening to release 100,000 pages of sensitive documents and inflict “secondary destruction” if its demands were not met. It also demanded, rather vaguely, a payment of $10 billion. For a week after Dec. 15, the group raised the tension by releasing documents including the reactors’ blueprints and safety evaluations, and information regarding the power plant’s employees.

On Christmas Eve, South Korea’s government and the nuclear operator, Korea Hydro & Nuclear Power Co. (KHNP), conducted an emergency security check and went into lockdown. Media reported on the crisis around the clock. However, when the day came, no attack was attempted on the reactors, no additional documents were released, and no additional communication came from the group afterward. Months later, researchers attributed the attack to North Korea’s primary clandestine intelligence agency, the Reconnaissance General Bureau. More interestingly, investigations revealed that the documents released were from compromised subcontractors, while the main malware deployed was not capable of extracting data. The malware also only targeted KHNP headquarters, not the reactors. It was a well-staged bluff.

The KHNP incident is a good illustration of how North Korea continues to advance ways to use cyber operations for strategic ends. While North Korea has certainly been diversifying the application of its cyber capabilities to many areas, one particular area of interest is its attempts to use cyber means for coercion.

North Korea, even before the advent of networks and digital technologies, had a long tradition of launching limited attacks in an attempt to undermine and destabilize South Korean society, without crossing the threshold of war. As early as 2009, Pyongyang was increasingly including disruptive cyber operations in its limited provocation toolkit.

However, the chief dilemma when planning these operations is that while such a limited attack lowers the risk of retaliation or escalation, it also fails to sow enough chaos. North Korea’s goal has therefore been to find a happy medium between the two tradeoffs. Until the KHNP incident, disruptive cyber operations had proven to be useful for avoiding escalation, but not necessarily able to inspire enough chaos. Even the DarkSeoul campaign that launched a series of coordinated wiper and denial of service attacks on banks and newspapers arguably failed to cause fear once systems were recovered for routine operations.

KHNP was different because it played on the fear caused by uncertainty, rather than through the damage or destruction of a vital element of society. It aimed to cause fear by making the South Korean government and the public entertain the possibility of an attack on a nuclear power plant, not by actually disrupting the supply of electricity. This was more like the usual North Korean threats to engulf Seoul in a “sea of fire” using its long-range artillery, than the actual shelling of Yeonpyong Island. Here, the focus of the operation is an unraveling crisis rather than the real destruction of the target. Real physical effects become secondary, to the extent that the attacker cares about guarding its reputation for the threat of future attacks to hold similar sway. If staged well, this kind of operation could be that happy medium – avoiding war by not carrying out the attack threatened but causing fear by picking a relatively valuable target.

However, a plan that relies on the manipulation of risk solves one problem but creates another. For the threat to have any impact, North Korea must convince its target it has the intent and capability to inflict harm. In the KHNP case it relied on “doxing,” or the hack and release of sensitive stolen information, to try to establish it could carry out the threat. It is possible they would demonstrate this more disruptively – such as by taking administrative control of, or actually damaging, a portion of the target. If North Korea is trying to rely on manipulation of risk to inspire fear, there may be greater room for misperception and miscommunication between them and their targets, especially when mutual expectations regarding red lines and related consequences have not been sufficiently set.

Another related but important departure from previous North Korean cyber operations is an apparent desire to use cyber tools to force targets to take specific actions. An offensive cyber operation that simply infiltrates and executes a destructive payload on a nuclear power plant on Christmas is different from an operation that threatens, but does not actually inflict, damage, and that makes a demand and sets a deadline while increasing pressure up until the deadline. While forcing such action is generally difficult, and even more so using destructive malware or distributed denial of service as the main tool of threat, it is notable that North Korea has nonetheless tried to use cyber coercion in both the Sony and KHNP cases. While in other situations trying to force a target to take specific actions through cyber means may not work well because both sides are vulnerable, it is more understandable that North Korea would attempt these threats through cyberspace: even if success is not likely, the dangers of failed attempts are also low, because most conventional retaliation or punishment risks escalation, and symmetric retaliation through cyber means will be difficult as North Korea is less dependent on cyberspace for its daily activities than other countries.

An open question is whether North Korea can find an even better cyber means for coercion. One thing to look out for is the possibility North Korea may use ransomware or doxing, rather than destructive malware, to back up threats. Others have rightly argued that because a cyber operation using destructive malware relies on stealth and surprise, it is difficult to communicate a credible threat before an attack, because doing so alerts the target and triggers preventative measures.

Ransomware and doxing, however, aim to impose increasing costs precisely to get something in return. They are analogous to throwing the victim in the water, and offering to save him if he pays, rather than threatening to drown him unless he pays. These tools are therefore more suitable for compelling an action, although it is difficult to provide credible assurance that pain will stop once the target complies. North Korea has already allegedly tried using doxing and ransomware for criminal purposes, and it may not be long before it can find other applications for these tools.

The Author is Jenny Jun

Jenny Jun is a researcher in the Department of Political Science at Columbia University. Her current interests include the bargaining model of war, strategic dynamics of cyber conflict, and security issues in East Asia. Jun is a co-author of the 2015 Center for Strategic and International Studies report North Korea’s Cyber Operations: Strategy and Responses. She was formerly a cybersecurity consultant at Delta Risk, and served as president of Sejong Society.
