Until last week very few beyond a handful of security titles, a few cybersecurity vendors and the middle pages of the New York Times paid much attention to the growing issue of small nations with big cyber-ambitions.
Suddenly, seemingly out of nowhere, one of these, the Democratic People’s Republic of North Korea (DPRK), is accused by the US Government of launching a destructive no-holds barred cyberattack on a major Hollywood firm and there is amazement and not a little scepticism.
Is this wariness justified or is there something else at work here?
When major cyberattacks or breaches occur it’s now normal for a dozen of more security firms to offer up spokespeople or quotes from in-house experts, but the moment of the major but under-reported 2013 attacks on South Korea was very different. Seemingly struck dumb, few firms said anything. This was a local issue and nobody could see an angle that interested them, a curious contrast to the attack on Sony which has taken over some newsfeeds to an almost hysterical level.
The odd thing is that major cyberattacks by small nations on US firms are not new, it’s just that nobody’s been particularly interested until the victims started being more famous names. In 2012, Iran was widely believed to have been behind a series of vast DDoS attacks directed at the US finance and banking sector, serious enough to make it impossible to customers to log on to online accounts, and yet coverage was muted. There was no argument about whether private US Government private briefings on Iran’s involvement were plausible because there was basically no debate at all.
More recently, came Operation Cleaver, an alarmingly complex cyber-campaign directed mainly at US energy firms, again also attributed to Iran by the FBI in a sort of reverse Stuxnet few would have once have thought possible from such a deprived state in the midst of economic sanctions.
Ditto, a series of increasingly serious nuisance attacks since 2011 claimed by the Syrian Electronic Army (SEA), that country’s centrally-directed but geographically dispersed (Turkey, Lebanon, Jordan) campaign to keep the country’s regime in the news. People downplay these attacks as little more buzzing insects but try telling that to the hundreds of major brands that only weeks ago noticed their pages redirecting to a landing page promoting the SEA after a cunning redirection attack.
Tell it indeed to the New York Times that in 2013 was humiliatingly locked out of its website for a day by the same attackers or Twitter and Google that rushed the introduction of two-factor authentication to their services fend off the growing number of account takeovers by this group.
Ponder that the next time you log on to the Twitter or Gmail using 2FA – without the SEA attacks that option might still not exist.
There is a basic issue of acceptance at work here. People joined up the dots for a while and then moved on, bored by ‘just another cyberattack’ (JAC). People have a habit of noticing these incidents when it can be fitted into a pre-exisiting narrative about how the world works. In the case of DPRK v Sony, it’s a movie studio versus a bizarre regime, an almost comic-book stand-off that has inevitably drawn in the US Government as the scale of the attack became clear.
But what matters is not simply whether North Korea had a connection to the attack but why people find it so hard to believe such a thing possible. North Korea is a primitive Stalinist hold-out, a joke regime that kills its own people but would it really bring a large US-based company to its knees?
Frankly, it is time for people to grasp that such a thing is possible, not only by the DPRK but, if they choose to do such a thing, by several other nations as well. This should not be that surprising. Unlike the military world of stealth $70 million-a-pop stealth fighters, remote-controlled drones and cruise missiles, cyberspace is a much more level ‘asymmetric’ battlefield. Even the smallest nation or group can cause trouble in cyberspace with a small team of skilled hackers and there’s no simple way of reliably attributing attacks let alone stopping them.
For now ‘it wasn’t us’ is a plausible defence against what few mechanisms of retaliation exist such as sanctions, arrest warrants, and the banging of fists on tables behind closed doors. Proving an attack’s point of origin beyond doubt is incredibly difficult, not helped by suspicion over the US’s motives in an era where the NSA is supposedly punching all the important buttons.
People need to acclimatise to the fact that the Sony attack is only the beginning and future attacks will surely take in other countries and organisations unless nations hurry up with some kind of code of behaviour and protocol for resolving disputes. This is already being discussed and eventually will arrive in some form because the alternative is a free-for-all.
Until then, buckle up because the list of victims could turn out to be as surprising as it will be dangerously de-stabilising.