While U.S. military experts state that cyber warfare will never become its own domain—rather, cyber complements the existing ground, sea, or air capabilities of any nation—there is the potential for developing nations to use cyber force as an equalizer. A developing nation, one that lacks the resources of a powerful army, could mount a very credible yet comparatively inexpensive cyber attack against just about anyone in the world. Consider North Korea.
This week the Washington Post reported that 30 million customers of the Nonghyup agricultural bank in South Korea were unable to use ATMs or online services for several days after half of the servers for the bank crashed one day last April. Digital forensics pointed to servers in China known to be associated with North Korea.
If such a sophisticated plot seems beyond North Korea’s capabilities, in recent years an alleged North Korean spy tried to obtain confidential records of the Seoul railway system. The railway uses the same PLC industrial software that was targeted by Stuxnet, a worm that damaged nuclear centrifuges in Iran in 2010. And in 2009, someone from North Korea penetrated the South Korean military network in an attempt to obtain the locations of toxic chemical manufacturers, according to the Washington Post.
The two Koreas provide a classic study. South Korea has high-speed Internet access reaching ninety-five percent of its citizenry — the highest rate of any nation today. With this national emphasis on connectivity, South Koreans typically store their medical records digitally as well as bank and shop online. This makes their networks more vulnerable to attacks: there are personal assets associated with those networks.
By contrast, North Korea has very little Internet connectivity and is therefore not as vulnerable to outside online attacks. Who would attack North Korea’s Internet? By strongly restricting who has access to the Internet, North Korea can focus its limited resources on a few universities that may be the launch point for the recent cyber attacks, which are currently aimed at its neighbor and rival South Korea but could someday be used against countries in the West. Generically, these are called asymmetric threats, in which David is virtually equal to Goliath.
Something similar is happening with Iran. This week F-Secure and other sites reported that someone in Iran created a digital certificate through the Dutch certificate authority DigiNotar for *.google.com properties. This would include mail.google.com (Gmail), docs.google.com (Google Docs), and plus.google.com (Google Plus). As the F-Secure blog points out, a nation or very large ISP would have to direct all its Google traffic through this particular certificate authority. While this would affect only users within Iran, it is nonetheless a much simpler solution than creating a vast spy network to eavesdrop on the email of millions of people. The work of a few criminal hackers could equal the resources of a vast agency.
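To make the defender's side of this concrete, here is an added example (not code from the original post or from F-Secure) of the kind of pinning-style check a client or outbound proxy can run on a presented certificate: it verifies that the certificate's name covers the hostname being visited and then flags an issuer that the site is not known to use. The certificate records, the issuer names and the `EXPECTED_ISSUERS` policy are constructed for illustration; real code would parse X.509 and use the public suffix list instead of the two-label `base_domain` shortcut.

```python
from dataclasses import dataclass

@dataclass
class CertInfo:
    """Constructed stand-in for the fields parsed out of an X.509 certificate."""
    subject_cn: str            # e.g. "*.google.com"
    issuer: str                # CA that signed it
    san: tuple = ()            # subjectAltName DNS entries, if any

# Constructed policy (assumption): issuers each site is known to use.
EXPECTED_ISSUERS = {"google.com": {"Example Trusted CA (constructed)"}}

def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' allowed only as the whole leftmost label,
    matching exactly one label, and never a bare '*.com'."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(cert: CertInfo, hostname: str) -> bool:
    """True if the certificate's SAN (or CN when no SAN) covers hostname."""
    names = cert.san or (cert.subject_cn,)
    return any(name_matches(n, hostname) for n in names)

def base_domain(hostname: str) -> str:
    """Assumption: last two labels identify the site (real code: public suffix list)."""
    return ".".join(hostname.split(".")[-2:])

def check_cert(cert: CertInfo, hostname: str) -> tuple:
    """Return (ok, reason). A valid-looking wildcard cert from an unexpected
    issuer is rejected even though its name matches, which is the DigiNotar case."""
    if not cert_covers(cert, hostname):
        return False, f"name mismatch: {cert.subject_cn} does not cover {hostname}"
    expected = EXPECTED_ISSUERS.get(base_domain(hostname))
    if expected is not None and cert.issuer not in expected:
        return False, f"unexpected issuer {cert.issuer!r} for {hostname}"
    return True, "ok"

if __name__ == "__main__":
    rogue = CertInfo("*.google.com", "DigiNotar (constructed)")
    for host in ("mail.google.com", "docs.google.com", "google.com"):
        print(host, check_cert(rogue, host))
```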
But shutting down bank services or forging a certificate is just the beginning. The United States and other nations have traditionally focused on threats from land, sea, and air—countries without those resources were considered less of a threat. But with cyber resources increasingly making all things virtually equal, the threat to our infrastructure could now come from anywhere. Are we thinking outside the box yet?
With the active implementation of IPv6, just about every gadget in the universe will have its own IP address. This will increase our dependence on these new gadgets many fold. Except device manufacturers aren’t yet thinking defensively. They’re not thinking about North Korea or Iran attacking their specific gadget—they’re only thinking about the next generation of product features.
The PC-based security industry is pretty well equipped to deflect Denial of Service (DoS) attacks, to detect malware, and to keep networks open by distributing loads and diversifying the location of data (think the cloud). But the device manufacturers who are increasingly linking to the Internet, and who will soon have no excuse not to connect once IPv6 addresses become widely available, aren’t really prepared. Instead of just stopping our ATM or online payment services for a few days or reading our Gmail, or even shutting down parts of the electrical grid, someone could just as easily remotely tinker with a medical device, crash our digital TVs, or even muck around with the antilock brake system on our new cars. A DoS on a medical device or a speeding car could cost lives.
Protecting these devices from the start and protecting them at the chip level needs to be a priority. But do we really need a full-scale cyber attack to make that so?