July 20th, 2009

Silence is Golden

Quiet, Kim, Quiet.

The Daily NK notes North Korea’s unusual silence following accusations of the July 4th cyberattacks:

Generally, whenever the South Korean government so much as mentions the word “North,” North Korea instantly produces a volley of aggressive claims about the possibility of military catastrophe. Pyongyang’s silence in the face of the NIS designation is somewhat unprecedented.

While certainly not ‘unprecedented,’ there is something to the notion that in such a case the alleged attacker has more to gain from staying mum than from claiming credit, and certainly more than from outright denial (the North’s typical PR approach).

The value of strategic ambiguity in the cyber realm far transcends any North/South finger-pointing.  In almost any scenario where this kind of attack can form part of a deterrence posture, silence truly is golden:

  • Absent a diplomatic imperative to deny, where it would defuse a real threat of war or alliance loss;
  • And provided that the attack’s success generally exceeds previous expectations of that state’s capabilities;
  • A state will seek to encourage or accept accusations of guilt for a successful attack, to ‘bluff’ its way into enhanced perceptions of its military deterrent.

Therefore, whether they did it or not, the North—and indeed any state short on friends and long on fear—has more to gain by saying nothing than by engaging in its typical litany of denials.  If recent threat-hyping on both sides of the Pacific is any indication, they’ve exploited that echo chamber perfectly.

July 12th, 2009

Over the Weekend: The Self-Destruct Feature

Three quick ROK/US updates from the weekend:

  1. It appears that machines involved in the DDoS attacks from July 4th onward are beginning to self-destruct.  Brian Krebs at WaPo has some good coverage.
  2. Some more detailed reports (aka digital forensics) are beginning to trickle out from the machines involved in the botnet (at least before they go kaput).  ROK security firm Hauri has released a report for perusal, if you’re feeling technical.
  3. Accounts now suggest that attacks relented for most if not all U.S. targets last Tuesday, and have since then been focusing on South Korean sites.

July 10th, 2009

Why the North Didn’t* Do It

North Korea...cyberwarmonger?
(*) This post is designed to stimulate debate, not to make a definitive claim.  Taking the losing side of this debate, I contend this: absent any technical data, a North Korean cyberattack is actually less likely than most of the mainstream media and the defense establishment presume.

The press loves a good villain, and so the story seems to make intuitive sense: the nuke-testing, ICBM-firing, SCUD-launching North Koreans launch a cyberattack in yet another moment of classic brinksmanship to protest the United Nations, US imperialism and ROK aggression, and to prove their own might.  The progression is obvious.  Right?  Not really:
  1. A cyberattack doesn’t score points with North Koreans. Nuclear tests, ICBM launches — both have tremendous symbolic value to the North, helping to demonstrate to the elite and rank-and-file alike that under Kim Jong-il’s leadership, the DPRK has ushered in a socialist paradise and breeds the world’s finest technology. (Please, restrain your laughter.)  Large-scale military hardware is easy to demonstrate for the masses and, most critically, for the regime elites that could threaten the Kim dynasty as it prepares for the dangerous business of transferring leadership to a new heir.  Yet note the now-famous satellite photo above: the DPRK is not a terribly well-lit country, let alone a wired one.  The “victory” of taking down websites for a few days would probably elicit blank stares from all but the most favored regime members—probably few to none of whom even have internet access.  Kim can parade ICBMs down the streets of Pyongyang and make a point; with a cyberattack, not so much.
  2. No responsibility claim. When the DPRK detonates a nuke, they want everyone—domestically and abroad—to know about it.  It’s a dysfunctional, if effective, way of demanding international attention.  But Pyongyang hasn’t owned up to these attacks, and without that claim, it’s hard to see how it seeks to posture against an international audience.  Is there some three-star general in the Korean People’s Army taking credit for this attack?  Quite possibly.  But that doesn’t mean he orchestrated them any more than your high school’s IT guy did.  And on some level, Kim would be in a difficult position in accepting responsibility, lest he force his ‘ally’ China into the awkward position of joining in a public condemnation, despite numerous high-profile reports of the PRC’s own cyber-meddling. If they can’t own it, and major questions persist about the origin (see #5), it is hardly a foregone conclusion that the North has much to gain by waging the attack in the first place.
  3. Cyberattacks don’t keep the Kim family in power. In a state with no productive economy, it’s probably safe to assume that he who controls the nukes controls the country.  That’s why many are arguing (convincingly) that the North’s recent bellicosity is largely a function of domestic concerns.  Controlling a botnet of several thousand computers, however, does not provide much in the way of a regime’s power consolidation.
  4. Little experimental value for the military. Every time the North fires an ICBM or tests a nuclear weapon, the military gains data about how to achieve systems with a slightly-less-embarrassing failure rate than before.  With military toys, the value here is nontrivial–especially when your deterrence posture largely relies on the hardware’s ability to, well, work.  Test-firing a DDoS attack, however, is like test-firing artillery–the artillery is proven, and the mechanics are not rocket science (as it were).  Pyongyang may not know how many gigabits per second of inbound data are required to take down the ROK President’s website…but we’re getting ahead of ourselves.  Do we really believe that Pyongyang is losing sleep over not having tested that one out?  And moreover, that they’d spend their (very) precious resources on figuring it out?  Seems like a stretch.
  5. Anyone could do it; but could the North Koreans? The paradox of this kind of attack is that it is at once quite easy to orchestrate, yet quite hard from a place as insular and poorly-connected as Pyongyang appears to be.  On the one hand, a precocious, basement-dwelling eighteen-year-old can build a botnet capable of such an attack.  On the other, spreading that malicious code—especially incognito—is a lot easier in a wired country than one with few network connections to the outside world.  Yes, one can envision a scenario whereby the North sends agents abroad to conduct this attack, but the question recurs: why go to all the effort, in light of #1-4?  The perpetrator could at once be anyone and, ceteris paribus, Pyongyang would have a tougher time launching the attack than might a disgruntled South Korean spammer.
  6. When it comes to targeting, they’re not idiots.  Insular, impulsive, yes, but if you paint the North Koreans as irrational fools, you end up with a North Korea policy much like that of the last decade’s.  A quick look at the target list (as I’ve already discussed) suggests that the U.S. targets were chosen perfunctorily at best.  The North Korean elite knows the agencies of the U.S. government; they have, after all, been negotiating with them in one format or another for fifteen years.  If they were looking to disable vital servers, they got it wrong.  If they were looking simply to send a message, they got it wrong, too.

(Some alternatives, after the jump.)

July 9th, 2009

Necessary Skepticism On July 4th’s Origins

Google News points to 1400+ of 1500 July 4th Outage stories blaming the North as having planned and orchestrated the attack. Why?  There’s no smoking gun…yet, if at all.

Tracing the history of this story, despite the lack of much technical grounding, an echo chamber seems to have emerged:

  • The American media is blaming Pyongyang (which seems to make sense in light of the recent nuclear test, ICBM launches, etc.)…
  • …largely because the Korean media is blaming Pyongyang…
  • …which is in turn doing so because Korean politicians are going on record blaming the North…
  • …citing the Korean military and intelligence services, which have been leaking the news.

An oft-cited Yonhap piece sums it up nicely, while hopefully raising some analytical red flags:

North Korea appears to have orchestrated the recent cyber attack that disrupted dozens of South Korean Web sites, including that of the presidential office, parliamentary sources said Wednesday, citing informal reports by the top spy agency. (My emphasis.)

Why the skepticism?  Perhaps it’s because in a previous life I spent 8 years working on East Asia, and this kind of hype seems all too typical of the Korean media, and of the occasionally paranoid, hawkish Lee Myung-bak administration in South Korea.

There’s something to the fact that the South Koreans blamed the North a little too quickly after the first round of attacks. Remember, unraveling who’s behind a DDoS attack is a tedious and slow process, and if the success of the attack is any judge, the South is less-than-perfectly equipped to do lightning-fast attribution.

Clearly, I’m not suggesting that the North had nothing to do with it, or (more likely) that those who actually staged the attack didn’t have the DPRK’s best interests in mind.  But the policy takeaway here is to apply a little common sense. A cyberattack is not an ICBM; you can’t track its set-up for days before launch, then record the telemetry as it rises from a discrete geographic location.  Tracking down its origins takes time.  Generally, a lot more time than the South took in blaming the North.

July 9th, 2009

Target(ing) Practice?

More insights [translated] are coming out from the Korean side on the virus behind the ongoing July 4th DDoS attacks, including a full target list and a partial dissection of the tools being used.  There’s a lot more to that target list than meets the eye.

In a word, the targeting choice in the American and Korean cases seems schizophrenic, and at best poorly planned.  In Korea, the targets represent a rather well-informed and comprehensive attempt to disrupt three major sectors of Korean society: political (Blue House, Defense and Foreign Ministries); economic (major banks); and social (news outlets and, critically, Naver).  The Korean targets represent a neat, disruptive bundle: they are well-selected for symbolic value and volume of usage.

The American targets, by contrast, look like they were chosen by a fifth-grader fresh out of Civics.  One can see how thematically, they roughly parallel the Korean sites; political, defense, banking and social sites are all represented–but poorly.

Some anomalies: in banking, why target USBank, and not the far more significant Bank of America?  Why usauctionslive, not eBay?  And why the Department of Transportation, or the US Postal Service?  It seems an awful lot of digital firepower is directed at somewhat haphazardly-selected sites.  After all, DDoS attacks, like anything else, have finite resources–in the form of the bandwidth and phony data their attacker can send.

The July 4th attacks might at first glance seem to be targeting many more American sites, but they’re poorly selected, and thus achieve much less than did the attack on Korean servers. Whoever is behind them either had something very specific in mind, or needs far better practice in the art of targeting, at least when it comes to American sites.  More to follow.

(For the interested: full target list after the jump.)

July 8th, 2009

Why do we care about the July 4th attacks?

Today’s AP wire, New York Times, and Washington Post (itself a target) are carrying major stories about the high-profile website outages that began last weekend in Korea, and linking them to similar attacks that persist among a number of US Government websites.

All this is a major story (or at least Google News and the 2,055 stories on the topic, up from 1,569 earlier, seem to think so).  But why?  After all, DDoS attacks against government servers, like the one currently afflicting the ROK and US, are not new (thousands allegedly take place daily on the White House alone, and even more interesting cases like last week’s ‘grassroots’ attack on Iranian election and government sites only get a day or two’s press).  As it turns out, the early July attacks provide an interesting window into why the mainstream media follows some cyber incidents and not others.

Some theories, including villains and more, after the jump.

July 8th, 2009

Servers are not having a Happy 4th

Quick read-in on what we’ll now be calling, for want of a more concise name, the ‘July 4th cyberattacks’:

The sites of 11 South Korean organizations, including the presidential Blue House and the Defense Ministry, went down or had access problems since late Tuesday, according to the state-run Korea Information Security Agency. Agency spokeswoman Ahn Jeong-eun said 11 U.S. sites suffered similar problems. She said the agency is investigating the case with police and prosecutors.

In the U.S., the Treasury Department, Secret Service, Federal Trade Commission and Transportation Department Web sites were all down at varying points over the July 4 holiday weekend and into this week, according to American officials inside and outside the government.

Analysis to follow, but you’ve got the gist of it here.

July 8th, 2009

The Unbearable Lightness of Tuesday

First blog posts are supposed to tell a founding story, give exhaustive reasons for being, entertain with some colorful anecdotes, ramble a bit, and conclude with exhortations of grand designs.  This week’s events seem to be conspiring against an introduction quite so splashy.

Yesterday (7 July) concluded with a score of high-profile site outages and higher-profile accusations that have forced my hand. What was initially envisioned as a month-long period of pre-press design and content development (a timeframe befitting the 3+ years I have been pursuing this domain) has been shortened to just over 24 hours. The new DNS information may not have even reached the outer limits of the internet.

But with all the mainstream media ink being spilled over the events of the last few days, it’s clearly time to start unraveling all this ‘cyber’ news, and delve into the myriad issues at the intersection of national security and networked technology.

And so, in its hurried debut, is CyberWonk v0.5.

Cyber experts might see yesterday as nothing new; after all, in the cyber-security world, like that of Kundera’s novel, all of this has happened before, and all of this will happen again.  Cyberattacks are not new, and yesterday’s was no ‘digital Pearl Harbor.’  Yet while opportunities to put pen to paper with good purpose may be common in this field, chances to do so with the world’s attention thereupon are disappointingly few.  It would be naïve not to blame ourselves, the policy and national security communities, for that lack of awareness.  It’s time we examined the issues from the standpoint of broader national security policy, made them less terrifying to the non-technical audience, and most importantly brought together the presently disparate elements of the debate.  In a word, this blog seeks to demonstrate the truth: that cyber is no backwater, that it must permeate our thinking about national security strategy and, perhaps, that cyber can be sexy.

So the hurried history of this blog mirrors my own hopes for cyber-policy debate at large: it’s time to stop fussing over the atmospherics, and get writing.

Welcome to the conversation.