Tuesday, July 21, 2009

Cyber War Against North Korea

I’ve heard people calling for retaliation against North Korea for the latest cyber attacks on US and South Korean Internet sites. That idea is worse than bad; it’s nearly insane. The best that could be hoped for from such a move would be to saturate the attacker’s bandwidth and thus cancel out the attacks. The worst that could happen would be a virtual Armageddon of factions fighting each other on the Internet, with most of the damage being done to innocent bystanders.

The first mistake that proponents of retaliation make is that they assume North Korea’s government was behind the attack. But they offer no evidence for this beyond the observation that one possible beneficiary of the attacks would be Kim Jong Il’s regime. In fact, conflicting evidence has been pointing toward the UK as one major source of the attack, and the botnet controller may reside in Florida – yet no calls have been made to attack the British or US governments.

In fact, it's unlikely that there is a North Korea-UK-US connection in these cyber attacks. It’s very difficult to determine accurately and quickly who may be behind an attack. It is too easy to hide the real source behind several layers of obfuscation, and the perpetrator may only be discovered after the attack has ended, if at all. The bottom line is that we just don't know who executed the attacks.

Even if you have the right country as the source of attacks, that doesn’t guarantee that the government had any involvement. Looking at a different cyber-conflict, there’s no doubt that Russians were behind the Estonian cyber attacks. But much of this activity was likely individuals within the country acting on nationalist sympathy, not a government-sponsored network of attackers. As Marcus Ranum has pointed out, cyber war is unlikely (PDF link).

Even if you assume that you have the right target, retaliating against them will simply escalate the level of hostilities, not calm it. The attackers will raise their level of attack and may turn to asymmetric warfare, taking out not just government sites but commercial ones as well. One of the best ways to change a government’s behavior is to hurt it financially or to turn the people against it.

Now consider a different scenario: someone tries to get two other countries to fight each other. One individual can buy access to 10,000 infected computers inside one of the countries. He then uses these to launch an attack against another country’s Internet sites. The second country then retaliates against the first. Voila! Cyber-war has erupted. In the current botnet economy, this would cost $500-$1000 (according to a presentation by Lenny Zeltser I can no longer find online).

Some people have questioned why North Korea has Internet connectivity at all. It would seem easy to find the choke points – the ISPs providing service – and get them to disconnect Pyongyang. But in the McColo situation, the bad guys just jumped to other ISPs and diversified. With North Korea, the people themselves are isolated from the rest of the world, and I would suspect that the benefits of a connected country outweigh the potential downsides. It is much easier to get information out of the country via the Internet than physically. So we have a vested interest in North Korea keeping an Internet connection to the outside world – it lets us find out what goes on inside.

So the next time one of these cyber attacks happens and is hailed as the next step in cyber warfare, take a step back and really look at the players and the landscape. Consider what the best course of action would be. And remember that it is very difficult to determine who the attackers are, where they are located, and what their motives are. Hopefully our policy makers will do the same.