The Daily NK notes North Korea’s unusual silence following accusations of the July 4th cyberattacks:

Generally, whenever the South Korean government so much as mentions the word “North,” North Korea instantly produces a volley of aggressive claims about the possibility of military catastrophe. Pyongyang’s silence in the face of the NIS designation is somewhat unprecedented.

While certainly not ‘unprecedented,’ there is something to the notion that in such a case, the alleged attacker has more to gain from staying mum than claiming credit, and certainly more than outright denial (the North’s typical PR approach.)

The strategic ambiguity’s value in the cyber realm far transcends any North/South finger-pointing.  If almost any scenario where this kind of attack can form part of a deterrence posture, silence truly is golden:

• Absent a diplomatic imperative to deny, where it would defuse a real threat of war or alliance loss;
• And provided that the attack’s success generally exceeds previous expectations of that state’s capabilities;
• A state will seek to encourage or accept accusations of guilt for a successful attack, to ‘bluff’ its way into enhanced perceptions of its military deterrent.

Therefore, whether they did it or not, the North—and indeed any state short on friends and long on fear—has more to gain by saying nothing than engaging in its typical litany of denials.  If recent threat-hyping on both sides of the Pacific are any indication, they’ve exploited that echo chamber perfectly.

1. It appears that machines involved in the DDoS attacks from July 4th onward are beginning to self-destruct.  Brian Krebs at WaPo has some good coverage.
2. Some more detailed reports (aka digital forensics) are beginning to trickle out from the machines involved in the botnet (at least before they go kaput).  ROK security firm Hauri has released a report for perusal, if you’re feeling technical.
3. Accounts now suggest that attacks relented for most if not all U.S. targets last Tuesday, and have since then been focusing on South Korean sites.

(*) This post is designed to stimulate debate, not make a definitive claim.  The lost side of this debate, I contend this: absent any technical data, a North Korean cyberattack is actually less likely than most mainstream media and defense establishment presume.

The press loves a good villain, and so the story seems to make intuitive sense: the nuke-testing, IBCM-firing, SCUD-launching North Koreans launch a cyberattack in yet another moment of classic brinksmanship to protest the United Nations, US imperialism, ROK aggression, and prove their own might.  The progression is obvious.  Right?  Not really:

1. A cyberattack doesn’t score points with North Koreans. Nuclear tests, ICBM launches — both have tremendous symbolic value to the North, helping to demonstrate to the elite and rank-and-file alike that under Kim Jong-il’s leadership, the DPRK has ushered in a socialist paradise and breeds the world’s finest technology. (Please, restrain your laughter.)  Largescale military hardware is easy to demonstrate for the masses and, most critically, the regime elites that could threaten the Kim dynasty as it prepares for the dangerous business of transferring leadership to a new heir.  Yet note this now-famous satellite photo above: the DPRK is not a terribly well-lit country, let alone a wired one.  The “victory” of taking down websites for a few days would probably elicit blank stares from all but the most favored regime members—probably few to none of which even have internet access.  Kim can parade ICBMs down the streets of Pyongyang and make a point; with a cyberattack, not so much.
2. No responsibility claim. When the DPRK detonates a nuke, they want everyone—domestically and abroad—to know about it.  It’s a dysfunctional, if effective, way of demanding international attention.  But Pyongyang hasn’t owned up to these attacks, and without that claim, it’s hard to see how it seeks to posture against an international audience.  Is there some three-star general in the Korean People’s Army taking credit for this attack?  Quite possibly.  But that doesn’t mean he orchestrated them any more than your high school’s IT guy did.  And on some level, Kim would be in a difficult position in accepting responsibility, lest he force his ‘ally’ China into the awkward position of joining in a public condemnation, despite numerous high-profile reports of the PRC’s own cyber-meddling. If they can’t own it, and major questions persist about the origin (see #5), it is hardly a foregone conclusion that the North has much to gain by waging the attack in the first place.
3. Cyberattacks don’t keep the Kim family in power. In a state with no productive economy, it’s probably safe to assume that he who controls the nukes controls the country.  That’s why many are arguing (convincingly) that the North’s recent bellicosity is largely a function of domestic concerns.  Controlling a botnet of several thousand computers, however, does not provide much in the way of a regime’s power consolidation.
4. Little experimental value for the military. Every time the North fires an ICBM, or tests a nuclear weapon, the military gains data about how to achieve systems with a slightly-less-embarrassing failure rate than before.  With military toys, the value here is nontrivial–especially when your deterrence posture largely relies on the hardware’s ability to, well, work.  Test-firing a DDoS attack, however, is like test-firing artillery–the artillery is proven, and the mechanics are not rocket science (as it were).  Pyongyang may not know how many gigabytes-per-second of data inflow is required to take down the ROK President’s website…but we’re getting ahead of ourselves.  Do we really believe that Pyongyang is losing sleep over having not tested that one out?  And moreover, that they’d spend their (very) precious resources on figuring it out?  Seems like a stretch.
5. Anyone could do it; but could the North Koreans? The paradox of this kind of attack is that it is at once quite easy to orchestrate, yet quite hard from a place as insular and poorly-connected as Pyongyang appears to be.  On the one hand, a precocious, basement-dwelling eighteen-year-old can build a botnet capable of such an attack.  On the other, spreading that malicious code—especially incognito—is a lot easier in a wired country than one with few network connections to the outside world.  Yes, one can envision a scenario whereby the North sends agents abroad to conduct this attack, but the question recurs: why go to all the effort, in light of #1-4?  The perpetrator could at once be anyone and, ceteris paribus, Pyongyang would have a tougher time launching the attack than might a disgruntled South Korean spammer.
6. When it comes to targeting, they’re not idiots.  Insular, impulsive, yes, but if you paint the North Koreans as irrational fools, you end up with a North Korea policy much like that of the last decade’s.  A quick look at the target list (as I’ve already discussed) suggests that the U.S. targets were chosen perfunctorily at best.  The North Korean elite knows the agencies of the U.S. government; they have, after all, been negotiating with them in one format or another for fifteen years.  If they were looking to disable vital servers, they got it wrong.  If they were looking simply to send a message, they got it wrong, too.

(Some alternatives, after the jump.)

“But,” I can already anticipate the emails, “who else would target just the ROK and US, and stand to gain?  Clearly this was Pyongyang.”  Perhaps, and as of now, we have no way of knowing.  But for my money, equally likely would be:

• North Korean sympathizers in the ROK or Japan, acting on their own (without direction from Pyongyang).  Any fringe group or individual with some tech savvy, and a mediocre knowledge of the US, might be more plausible than Pyongyang itself.  After all, many of the more prominent cyberattacks have been the work of isolated, passionate, ideological but random people.  Or,
• Enemies of one or more of the agencies targeted (like the FTC, which recently shut down one of the larger spam and illegal porn havens on the internet), seeking to deflect broader attention while still achieving their retributive objective.

Add to it the current political climate in South Korea, with an imminent vote on a new anti-terrorism statute, a president that seems to derive much of his sense of purpose from hostility towards the North, and the chance to prop up his own flagging popularity with such an external threat, and you have a perfect storm of finger-pointing from Seoul, parroted by the less critical here in Washington.  The irrationality, it seems, might be a bit farther South of the 38th parallel than many assume.

Tracing the history of this story, despite the lack of much technical grounding, an echo chamber seems to have emerged:

• The American media is blaming Pyongyang, (which seems to make sense in light of recent nuclear test, ICBM launches, etc.)…
• …largely because the Korean media is blaming Pyongyang…
• …which is in turn doing so because Korean politicians are going on record blaming the North…
• …citing the Korean military and intelligence services, which have been leaking the news.

An oft-cited Yonhap piece sums it up nicely, while hopefully raising some analytical red flags:

North Korea appears to have orchestrated the recent cyber attack that disrupted dozens of South Korean Web sites, including that of the presidential office, parliamentary sources said Wednesday, citing informal reports by the top spy agency. (My emphasis.)

Why the skepticism?  Perhaps it’s because in a previous life I spent 8 years working on East Asia, and this kind of hype seems all too typical of the Korean media, and of the occasionally paranoid, hawkish Lee Myung-bak administration in South Korea.

There’s something to the fact that the South Koreans blamed the North a little too quickly after the first round of attacks. Remember, unraveling who’s behind a DDoS attack is a tedious and slow process, and if the success of the attack are any judge, the South is less-than-perfectly equipped to do lightning-fast attribution.

Clearly, I’m not suggesting that the North had nothing to do with it, or (more likely), that those who actually staged the attack didn’t have the DPRK’s best interests in mind.  But the policy takeaway here is to apply a little common sense. A cyberattack is not an ICBM; you can’t track its set-up for days before launch, then record the telemetry as it rises from a discrete geographic location.  Tracking down its origins take time.  Generally, a lot more time than the South took in blaming the North.

In a word, the targeting choice in the American and Korean case seems schizophrenic, and at best poorly planned.  In Korea, the targets represent a rather well-informed and comprehensive attempt to disrupt three major sectors of Korean society: political (Blue House, Defense and Foreign Ministries); economic (major banks); and social (news outlets and, critically, Naver.)  The Korean targets represent a neat, disruptive bundle: they are well-selected for symbolic value and volume of usage.

The American targets, by contrast, look like they were chosen by a fifth-grader fresh out of Civics.  One can see how thematically, they roughly parallel the Korean sites; political, defense, banking and social sites are all represented–but poorly.

Some anomalies: in banking, why target USBank, and not the far more significant Bank of America?  Why usauctionslive, not eBay?  And why the Department of Transportation, or the US Postal Service?  It seems an awful lot of digital firepower is directed at somewhat haphazardly-selected sites.  After all, DDoS attacks, like anything else, have finite resources–in the form of bandwidth and phony data it attacker can send.

The July 4th attacks might at first glance seem to be targeting many more American sites, but they’re poorly selected, and thus achieve much less than did the attack on Korean servers. Whoever is behind them either had something very specific in mind, or needs far better practice in the art of targeting, at least when it comes to American sites.  More to follow.

(For the interested: full target list after the jump.)

Korean Targets:

Financial & Commercial:
- Banking.nonghyup.com (bank, internet banking)
- Ebank.keb.co.kr (Korea Exchange Bank Internet Banking)
- Ezbank.shinhan.com (Shinhan Bank, Internet Banking)
- Www.auction.co.kr (Auction site)

Government & Defense:
- Www.president.go.kr (Blue House)
- Www.mnd.go.kr (Defense)
- Www.mofat.go.kr (Foreign Minister)
- Www.usfk.mil (U.S. Forces, Korea [Deployed across the 38th parallel])
- Www.hannara.or.kr (Grand National Party, the current ruling party)

Social & News:
- Blog.naver.com (Blogs on Naver, Korea’s largest internet ‘portal’)
- Mail.naver.com (Naver Mail)
- Www.chosun.com (Chosun Ilbo)
- Www.assembly.go.kr (Republic of Korea National Assembly)

U.S. Targets:

Financial & Commercial:
- Finance.yahoo.com
- Www.nasdaq.com
- Www.nyse.com
- Www.usbank.com (but not Bank of America, far larger)
- Www.usauctionslive.com (?…and not eBay?)
- Www.marketwatch.com
- Www.amazon.com

Government: Defense/Security Agencies:
- www.dhs.gov
- www.nsa.gov
- Travel.state.gov
- Www.state.gov
- Www.defenselink.mil

Government: Other Agencies:
- Www.whitehouse.gov
- Www.usps.gov (?!)
- Www.ustreas.gov
- Www.dot.gov (?)
- Www.faa.gov (?)
- Www.ftc.gov

“Social” (rough analogy) & News:
- Www.voa.gov
- Www.voanews.com
- Www.yahoo.com
- Www.washingtonpost.com
- Www.site-by-site.com

All this is a major story, (or at least Google News and 1,569 2055 stories on the topic seem to think so).  But why?  After all, DDoS attacks against government servers, like the one currently afflicting the ROK and US, are not new (thousands allegedly take place daily on the White House alone, and even more interesting cases like last week’s ‘grassroots’ attack on Iranian election and government sites only get a day or two’s press).  As it turns out, the early July attacks provide an interesting window into why the mainstream media follows some cyber incidents and not others.

Some theories, including villains and more, after the jump:

• Everyone loves a good villain (and cyber stories rarely have them, with any certainty).  Is this, at is core, a political story? Much of the early analysis linking the two attacks seemed to be riding the tidal wave of coverage on North Korea’s recent bellicosity. (A quick Google News analysis reports that 1400+ of 1500 stories covering the South Korean attack point to the the North as responsible.)
• Transnationalism: two countries suffer major DDoS attacks in one weekend, one of them the world’s most wired (that would be Korea, for those of you who rush to laud America’s somewhat lagging broadband service).
• Notable in size, or scope: this particular DDoS seems to be unsophisticated, but quite massive, leading to all sorts of speculation about the attack.  More interestingly, however, are the lessons the policy community can draw, namely just how cheap and easy it can be to stifle internet traffic.
• Symbolism: While many note that the White House was a target of these attacks, the US felt (comparatively) few effects; the South Koreans saw many major government agencies’ sites taken offline and, far more critically, their beloved internet ‘portal’ Naver.  (Ask any Korean under the age of 35: this is a big deal.)

And thus, as with all notable events in the under-explored world of cyber, we’re left with more policy-relevant questions than answers:

• How do we explain the haphazard selection of US targets (pity the Federal Trade Commission) versus the much more significant ROK ones?
• ‘If it could take out major ROK sites, could [something on this scale] happen in the US?‘  A deeper question might be, ‘if they did, would it matter?’
• Just how easy is it to take out a dozen or so major public websites? The answer might be: easier than most hawks–notably those that immediately blame the NORKs–think.

Lots of good (albeit tentative) coverage exists across the web on the story, so I’ll avoid full summary; it’s the above questions that will probably stimulate the most discussion.  Next stop: unifying the events, and the North Korea theory.