How North Korea could build a cyber army to defeat the U.S.

It wouldn’t be that hard for North Korea to build a cyber army to take on the U.S. in a war fought only in cyberspace. North Korea has an estimated cyber war budget of $56 million, and the cheap way it could attack the U.S. is by herding a bunch of compromised computers to do its bidding.

That’s the assessment by Charlie Miller (above, photoshopped into a photo with North Korea’s leaders), a veteran computer security tester whose accomplishments include hacking Apple’s operating system and the iPhone. He spoke at the Defcon security conference in Las Vegas today. (See our roundup of all Black Hat and Defcon stories).

Miller gave his talk the humorous name: “Kim Jong-Il and Me: How to build a cyber army to defeat the U.S.” It drew a big crowd of hackers and security researchers. He imagined what would happen if he were kidnapped by Kim Jong-Il’s secret agents and forced to make war on the U.S. While he made a lot of jokes, the topic is a serious one. Miller gave a serious talk on the subject before a group of NATO officials a few months ago, and he has done computer penetration work for the National Security Agency in the past.

The substance of his talk was corroborated in part by Gen. Michael Hayden, the former director of national security, who said in a talk on Thursday at the Black Hat security conference that, “You built cyberspace like the north German plain, and then you bitch when you get invaded.” He meant that the advantage in cyberspace goes to the attacker.

During a war, the internet would be degraded. It would therefore be important to control lots of computers to carry out attacks. That’s why botnets, or millions of compromised computers that can be remotely controlled by an attacker, are a big force multiplayer in a cyber army. Perhaps 100 million compromised computers would be needed.

“I think I could marshal a lot of botnets to do the job pretty easily, and make sure they are all over the world,” Miller said. “That way, you can’t snip off the communications that control them. Make it 100 times better than anything we have seen before.”

“It’s good to be North Korea because they can get around laws that prevent you from taking other computers,” he said. On top of that, North Korea doesn’t have that much to attack.

The big problem in a cyber war is attribution: who started it? You couldn’t tell if it were Russia or China. If you have millions of computers throughout the world, you can choose where the attack appears to emanate from. That would help a country like North Korea hide.

The cyber army would include botnet collectors, penetration testers who comb the networks for vulnerabilities, spies, developers of malware, technical consultants who sell their knowledge to the highest bidder, and others. The total estimated budget to do the job with about 600 people would be more like $45 million, well within North Korea’s current budget. It might take two years to assemble such a force.

With all that, you get all the tools you need to wage war. Of course, many of these people are in the U.S. and would be hard to commandeer by North Korea.

The logical way to get the botnets to be useful is to exploit a Zero Day bug (or one for which there is no known solution). On average, each Zero Day bug remains unpatched for 348 days. These serious bugs, which can be used to take over computers, are plentiful and stick around for a while.

Other means: logic bombs to take down the internet, pay criminals to hijack computers for you, use insiders to create back doors into security systems. Miller doesn’t think those ideas would work very well, since you probably couldn’t rely on them. A distributed denial of service (DDOS) attack would flood certain sites with too much traffic.

To protect against these attacks, Miller says, you would have to have redundancy of critical networks. During a war, the U.S. could briefly try to segregate its networks from the rest of the world, by putting filters on the web so that nothing bad gets through. Of course, that effectively accomplishes the isolation that would be the object of an attacker. It would be hard to filter out all of the botnets that would be using different attack methods.

There are hardened targets like the National Security Agency that ordinary botnets would have trouble penetrating. To breach them, Miller would do penetration testing, get in somewhere, and then take control. That would take considerable time.

Miller would target places such as electric power grids, the air traffic control system, and military networks. The latter could be penetrated if someone plugged a compromised universal serial bus (USB) device into a computer on the network.

“In these cases, you have to get people inside these networks,” he said. “You pay them off, get them into the network and then allow me to remotely attack it. With enough money, patience and time, it’s really hard to stop a skilled attacker.”

The lesson, Miller said, is that you have to detect the buildup of botnets and other tools of cyber war early and deal with them before they are used. If you wait too long, there will be nothing you can do about it.

[Kim photo credit: Telegraph]