But nothing is predictable when you’re dealing with an erratic despot who killed his own uncle with an anti-aircraft gun.
Realistically though, few nations have the resources and political will to launch a war half-way across the world. And neither Malaysia nor North Korea is one of those ‘few’ nations. But what if, instead of moving armies, we just moved malicious code? What if we fought a cyberwar with the North Koreans: what would it look like, and could we win? Let’s find out.
Cyber is a new domain of war
Cyber is a new domain of warfare, and this domain involves new ways of thinking and paradigm shifts. In the 18th and 19th centuries, the most powerful nation on earth, Great Britain, had the world’s greatest navy, and that allowed the empire to control the trade that flowed through the seas and protect the island nation. Strategically, Britain’s navy was essential to the protection of Britain and the projection of its power around the world.
As we move from trading over the seas to trading over network cables, the parallels of having a Cyber-Navy become more apparent by the day. After all, the data that pass through our networks have an inherent value above and beyond the physical goods they may represent.
Let’s say you’re buying a new laptop online: you enter your password into the online shopping portal, and then, inevitably, your credit card details. Your password and card information have value inherent to themselves, regardless of the laptop the transaction represents. We still ship physical goods via sea-lanes and air-freight, but the data traversing the internet has tradeable value.
This becomes more apparent when you consider that the vast majority of ‘money’ is traded in digital form, over the internet. Just ask the Bangladesh Central Bank, which lost millions of dollars (it could have been billions) to hackers who infiltrated its network and issued electronic instructions to wire money.
But there are things far more important than money.
In today’s world of ‘fake news’ and election tampering, it could be argued that having a Cyber Army is a necessity not just to protect trade and finance, but the very core of a country’s democracy.
And there we see the first issue with Cyber defense of critical infrastructure–is it a civil or military function?
Private companies in any country run their own security guards; banks hire private firms to protect the cash in the safe. If a bank gets robbed, the manager calls the police, and the entire apparatus is a civilian function. But a private company in Malaysia (or anywhere else) isn’t worried about military attack. After all, armies don’t attack banks or companies, do they?
On the internet, everyone is fair game.
Strong evidence suggests that state-sponsored actors have attacked banks, stolen secrets from chemical companies, and even attacked Facebook. In a non-cyber world, having an army attack civilian infrastructure in peacetime would be insane! But that is the norm on the internet.
So whose job is it to protect civilian infrastructure from military attack during peace time?
The Americans have drawn a clear delineation: the Department of Homeland Security (DHS) protects civilian government infrastructure (and helps private companies when called upon), while US Cyber Command protects the military infrastructure. Malaysia (and most other countries) have no such delineation–and the problem is that governments get hacked all the time, even ours, and it’s unclear to me which Malaysian government agency is actually responsible for the security of our infra.
But before we evaluate our defensive capabilities, let’s evaluate the North Korean defense.
The North Korean Defense
From a defender’s perspective, the less internet you have in your country, the easier it is to defend. Syria was famous for frequently cutting internet connectivity to the entire country because there were only 2 cables connecting it to the internet; that’s a small attack surface to defend. It’s like playing football with a 6ft goalie and a 3ft goal.
On the other hand, well-connected nations like the US, and even countries like Singapore, Japan and South Korea, are more susceptible to attacks because there’s so much to defend. Trying to defend every nook and cranny of internet access in your country is an insurmountable task–it is much easier to defend your infrastructure if all your internet connectivity is delivered by just 2 land cables.
North Korea is the Rocky Balboa of cyber-warfare: they can throw mean punches, but their true strength lies in their ability to take on everything. There really is nothing you can do, cyber-wise, to North Korea that would impact them. They have so little infrastructure that taking out that tiny sliver does nothing to them. On the other hand, if the North Koreans attack our banking systems, or national power grid, or even just the industrial control systems of the MRT lines, those are massive hits we could not afford to take.
This asymmetry has some remedy though: the US has always reserved the right to respond to cyberattacks with kinetic weapons. In other words, you drop a virus on them, they drop a bomb on you! They use their traditional strength in the physical domains (land, sea, air) to deter attacks in the cyber domain.
Sadly, Malaysia doesn’t have such deterrence.
But what can North Korea really do? What does their offense look like?
The North Korean Offense
There is a well-documented group called Lazarus that has attacked banks, infrastructure and, most famously, Sony Pictures, and most experts believe that they’re North Korean. In other words, North Korea already has a cyber strike-force, while Malaysia… well, the very least we can say is that we haven’t had any reports of Malaysian cyber attackers.
Zilch! Zero! Nada! — well not unless you count the crap we bought from Hacking Team and Gamma.
Maybe it’s because we’re so good we never got caught, or maybe we don’t have an attack force. I leave it to you to decide. But back to North Korea, and good ol’ Kim Jong Un.
You remember the Bangladesh central bank hack–most likely Lazarus.
Complete decimation of Sony Pictures — most probably Lazarus.
DDOS attacks on South Korean Banks — definitely Lazarus.
Attack on Polish Banks — you’ve guessed it…Lazarus.
Seems like the North Koreans are busy bees when it comes to cyber offense, and coupled with their defensive invulnerability, it’s definitely not a team you want to meet online.
But enough about them–let’s look at Malaysia. How does our defense stack up against the North Koreans?
Back in April 2016, Microsoft published a report that should have been widely covered by Malaysian media–but wasn’t.
Don’t get me started on the media and tech…DON’T!
Anyway, the report detailed a group called Platinum that hacked South East Asian countries, but mostly Malaysia. 51% of reported victims were in Malaysia, and most of those would have been government institutions. But that’s not the best part…
The attackers used a hack on the ‘hot-patching’ feature of Microsoft Windows, a feature that required admin-level access, which meant that the primary attack vector was spear-phishing. In other words, admins on government computers were spear-phished and then owned, which led to Platinum getting access.
The real issue is that this wasn’t a one-off thing: in July 2016, Kaspersky reported that more than 2,000 servers in Malaysia were hacked and sold on black market forums for prices as low as RM29.
Regin, a sophisticated malware attributed to the NSA, had victims in Malaysia.
FireEye reported on an APT, most likely from China, that spied on Malaysia for more than a decade!
And the list goes on…
To be honest, this isn’t very shocking, or very unique to Malaysia. But couple the North Korean attack capability with our flaky defense, their supreme defensive capability, and our undocumented (as yet unknown) offense, and you’re setting up for a losing game.
Fortunately, it’s unlikely we’d even go to cyber war for this.
One-time weapons use
Zero-day exploits are critical vulnerabilities in code that are not (yet!) public knowledge, which means that the exploit will work on any version of the software. If you discovered an exploit in Windows and didn’t tell Microsoft, you could use that exploit against anyone running Windows.
The problem is that if you use the exploit and it gets into the ‘wild’, the chances of someone else finding out and telling Microsoft increase exponentially. And once Microsoft finds out, your exploit might be just one patch away from being useless.
And therein lies the problem: the economics of zero-days means that countries aren’t going to be using their precious weapons unless absolutely necessary, lest they lose their capabilities forever. It’s the reason why intelligence agencies like the NSA and CIA hoard zero-days, and also the reason why recent revelations of zero-days are so vital–every time a zero-day gets exposed, somebody loses a weapon.
Imagine if you told President Truman he could use the atom bomb on Japan, but once he used it, America could never use it against the Soviet Union. It’s very unlikely Truman would have still chosen to use that A-bomb.
This is really what separates Cyber from the other domains.
Of course, a lot of the zero-day hype is overblown. There are perfectly simple attacks that use far more conventional attack vectors and don’t involve zero-day exploits at all. Chances are pretty high that a well-targeted attack by the North Koreans on any one component of our infrastructure would yield results even without zero-days.
But there are other resources to expend.
For instance, hackers. A finite pool of elite hackers in North Korea has a finite amount of time. They could spend their time stealing billions from Bangladesh, or attacking Malaysia–I’ll let you decide which one is a more reasonable expenditure of their time.
The guys behind Lazarus are more effectively spent siphoning money from banks than attacking our infra.
Seems like the one thing that will save us is economics. And truthfully, we probably won’t be fighting the North Koreans head-on in a battle royale; there are other political and economic levers to use rather than fighting it out in cyberspace.
Cyber war is a brand new game, and it appears that the cowboys are running the town. But we’re inching slowly towards setting up some frameworks and policies to address this.
In the meantime, it would be wise for us as a country to beef up our security infrastructure and develop some offensive capability that isn’t sourced from fuckers like Hacking Team and Gamma.