Speak Loudly and Carry a Small Stick: The North Korean Cyber Menace

We often see reports of troubling and sophisticated North Korean capabilities to wage cyber warfare. Although cyber exploits, usually against South Korean targets, are routinely attributed to the North, there is much suspicion and concern, but little hard evidence. Estimates of the size of North Korea’s hacker force vary wildly—an indication of the poor quality of the data—and reports on its cyber capabilities are also complicated by an imprecise use of terms. Discussions of cyber conflicts—usually referred to as cyber attacks, cyber terror, or cyber warfare—often have a kind of breathless, apocalyptic quality about them. But in this case, they tend to disguise the fact that we have seen nothing from the North that could qualify as a cyber attack, cyber war, or as an act of cyber terrorism.

Pyongyang has been interested in computer technologies for almost two decades. In the mid-1990s, North Koreans assigned to the United Nations in New York enrolled in programming classes; despite sanctions in place, North Korea acquired American computers, (often buying them in consumer stores and transshipping them on Air Koryo flights); and North Korean technical institutes began work on microprocessors and technology. It is undeniable that interest and investment are there. 

The primary motives for nations to develop cyber capabilities are to prepare for conventional warfare and to conduct espionage. Like other military powers, North Korea will want the ability to accompany conventional military action with cyber strikes. For instance, cyber warfare is an important part of China’s military doctrine, particularly for use against the United States, and North Korea has likely studied and perhaps copied it. Absent armed conflict, however, North Korea will likely use cyber capabilities to penetrate the networks of potential opponents to conduct espionage. It is best not to think of cyber-espionage in isolation, however, and instead to consider how North Korea would use cyber techniques to reinforce its already extensive spying by human agents and signals intelligence program. 

North Korea compounds suspicions that it engages in cyber mischief with its erratic and unpredictable behavior. A nation that can sink a neighbor’s patrol craft is not likely to be deterred from launching a cyber attack, especially if there is a real chance it might never be caught. North Korea has also used the internet for propaganda and political purposes in the South, logging onto websites to read or post pro-North opinions, for example. And the South Korean press has not been shy in reporting claims of DPRK cyber-prowess.

Yet Pyongyang’s interest and lack of constraint is by no means conclusive. “Denial of service” attacks (essentially flooding the target computer with data, causing it to crash) against South Korean and American government sites in July 2009 were at first ascribed to North Korea. In fact, there has been no public confirmation that the North was involved and some suspect left-wing South Korean hackers were responsible. The difficulty of accurately attributing a cyber incident to a particular source is a major problem for law enforcement and internet security, and leaves the origin of the July attacks a mystery. The attack itself was primitive and caused no damage.

The North faces many difficulties if it seeks to become a cyber power. It does not have routine access to advanced technologies. It does not have reliable electricity. North Korea will not be able to use the proxy strategy followed by both China and Russia, where private hackers carry out state instructions, operating as irregular forces or mercenaries. Most importantly, North Koreans do not have the untrammeled access to the internet that sustains hacking communities and skills. While its telecommunications network is adequate (if limited), it has only three internet service providers and in 2009, ranked 227th in the world[1] in terms of internet access.  North Korea relies on China and Japan for internet hosting services, suggesting that these countries would have a degree of insight into some activities. North Korea has begun to take steps to move away from its reliance on these external service providers, buts its technological and political cultures remain obstacles to developing strong hacking capabilities.  

The counter argument is that North Korea has an elite program at a closed military school (sometimes identified as Mirim Academy) that cranks out skilled hackers.[2] These skilled hackers could use the cybercrime black market to acquire tools for exploitation, rent bot-nets (collections of third party computers that have been taken over by cybercriminals and used for criminal purposes, such as launching denial of service attacks), or learn of the latest vulnerabilities. An attacker could use computers in a third country as an unwitting host for launching cyber actions, making them even more difficult to track. With time, money and freedom of action for its agents, even a small country could assemble a reasonably effective cyber capability. This would be a “second best” capability, if it depended on external sources for its technologies, but it would be serviceable.

A more advanced opponent would develop its own cyber exploit tools and malware. It would combine these tools with other intelligence capabilities to provide a robust capacity for cyber warfare or espionage. However, while attribution can be difficult, it is not impossible. Hackers leave traces or clues to their identities. They write code in the same way; they use their native language; they exhibit patterns of behavior that point to location or identity. Of the many private companies, academic researchers, and government agencies that track such things, none has ever come forward to say they have found evidence of North Korean malware.

This is not a static situation, of course. Kim Jong Il made becoming a strong information technology (IT) industry a national goal, and leading Korean universities send their most talented students in mathematics and related disciplines into computer programming. North Korea, surprisingly, has even become a destination for some IT outsourcing. One leading outsourcer in the North, a company named Nosotek, has as its motto “Secrecy. Skills. Dedication,” and develops games and mobile phone applications for European firms. Nosotek says it offers its fifty or so Korean programmers access to the internet. The fifty or so Korean programmers at Nosotek who have internet access, along with the North Koreans at similar companies, are exposed to global norms in technology and programming, and could form the core of an effective cyber capability for the North. 

As intelligence operations are inherently covert in nature, North Korea may have a clandestine cyber collection effort, which it could use to launch attacks during a conflict. Indicators of an improving North Korean cyber capability would include a flow of skilled individuals from outsourcing companies back into the government, the discovery of North Korean “signatures” in malware, or the appearance and use of cyber techniques in military doctrine or exercises. Absent these developments, we should regard North Korean cyber capabilities in the same light we consider its other forays into advanced military systems—strong interest and ragged, self-made technologies, accompanied by bluster and exaggeration.

[2] Brian McWilliams, “North Korea’s School for Hackers,”  Wired News, June 02, 2003 ; Soo-jeong Lee, “North Korea has 600 computer hackers, South Korea claims,” Associated Press, October 5; Christopher Brown, “Developing a Reliable Methodology for Assessing the Computer Network Operations Threat of North Korea,” Naval Post Graduate School September 2004, http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA427292&Location=U2.