The Cybersecurity 202: North Korea is even less likely to give up hacking than nukes

0
5

THE KEY

All eyes are on North Korea’s nuclear program as U.S. officials work to salvage a summit between President Trump and North Korean leader Kim Jong Un. But there’s another pernicious weapon in the North Korean arsenal that the regime is perhaps even less likely to give up.

North Korea’s ability to carry out highly disruptive cyberattacks against the United States and its allies is one of the hermit country's most powerful assets. Its digital army allows the country to project power on the world stage where its traditional military might fall short. And as the Trump administration tries to coax Kim toward nuclear disarmament, the regime’s cyberweapons could become even more valuable, experts said.

“What they provide is another tool for DPRK to show their displeasure if the talks are not going their way, and a way to refocus the world’s attention on their ability to disrupt regional stability if talks break down,” said Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations. 

Secretary of State Mike Pompeo told reporters in New York on Thursday that his sit-down with North Korean officials yielded some progress and that a summit with Trump would be a “once-in-a-lifetime opportunity,” as my colleagues Carol Morello and Anne Gearan report. It’s not clear whether Trump and Kim will agree to meet — or whether there’s any hope they could strike a deal to draw down North Korea’s nuclear program. 

Even if they do, North Korea's cyberwar is likely to continue. “If there are opportunities for them to keep the international community off balance, to do more to change the status quo in their favor, it’s easy to imagine them wanting to exploit their cyberweapons to do that, even if they’ve bargained away their nuclear capabilities,” said Rupal Mehta, an expert on international security and nuclear disarmament at the University of Nebraska at Lincoln.

“They’d consider how to use the cyberweapons they have to press their advantages — to bargain with the U.S., to bargain with other states they’re interested in like China, and to potentially even threaten Japan or South Korea,” she added.

North Korea has a robust government-backed hacking program, and its digital salvos tend to be geared toward disrupting commercial activity or interfering with civilian life in other countries. U.S. officials have publicly blamed the regime’s cyberwarriors for last year’s WannaCry computer worm, a massive attack that affected an estimated 230,000 computers in more than 150 countries and sowed chaos in hospitals throughout the United Kingdom. Officials also accused North Korea of exposing corporate information and destroying troves of data at Sony Pictures Entertainment in 2014. And cybersecurity researchers have implicated North Korean hackers in cryptocurrency heists and other attacks in South Korea, Japan and the Middle East. 

On top of that, North Korean cyberoperations appear to be expanding, as my colleague Anna Fifield reported this year. Citing U.S.-based cybersecurity researchers, Anna reported that the regime is “using previously unknown holes in the Internet to carry out cyberespionage” and “has funneled a huge amount of time and money into building a cyber-army capable of outsmarting more technologically advanced countries.”

The U.S. government and its allies have tried to contain some of North Korea’s malicious cyberactivities through sanctions and by “naming and shaming” them for the attacks in public statements from top officials. 

But those efforts haven’t deterred Pyongyang — and some members of Congress were hoping that the Trump administration would put hacking on the agenda for a potential summit with Trump and Kim. Sen. Cory Gardner (R-Colo.) told Politico recently that he hoped Trump wouldn’t “turn a blind eye to other malign activities of North Korea.” Sens. Jack Reed (D-R.I.) and Bob Corker (R-Tenn.) made similar comments.  

Experts said folding cyber issues into the nuclear talks would be a distraction in the fragile attempts to push North Korea to disable its nuclear program. “I think the nuclear talks alone will be hard enough,” Segal said. “The best that could be hoped for would be some broad generalizations about peaceful use of cyberspace, which might be sandwiched in a larger statement about good relations between the two sides.”

Chris Painter, who served in the Obama administration as the State Department’s first cyber diplomat, agreed that the current talks should concentrate on nuclear weapons -- but that the U.S. needs to do more stop North Korea's behavior in cyberspace. 

“Given the high-stakes nature of the nuclear summit, not raising cyberattacks doesn’t mean we don’t care,” Painter told me. But big picture, he said, "the most important thing is making clear that our posture is, ‘We’re not going to accept this in the future.’ ”

The U.S. has imposed some consequences on bad actors, including publicly attributing the attacks to North Korea, Painter noted. “We did attribute WannaCry and the Sony hack to North Korea. But that’s not enough. We have to find targeted ways of imposing costs so they know that when they do these things there will be real consequences.” These consequences could include more severe economic penalties that target specific leaders, or even measures such as travel restrictions, Painter said.

The State Department's current Office of the Coordinator for Cyber issues released a summary of its recommendations to the president on this very issue on Thursday. It pointed out that U.S. “strategies for deterring malicious cyber activities require a fundamental rethinking." State says the U.S. should develop a policy to determine the criteria for imposing costs on state-backed hackers, prepare a new “menu” of consequences, and build partnerships with other countries to respond as a unified front against malicious cyberactivities. (Read more on the report below.)

Yet Painter told me that the will simply doesn't exist to push the issue at the top rungs of government. Deterring cyberattacks versus a conventional military threat, he lamented, is often “seen as a boutique or technical issue” rather than a “core national security issue.” 

PINGED, PATCHED, PWNED

PINGED: Telegram is calling out Apple. Pavel Durov, the Russian founder of the secure-messaging app, said Thursday that Apple has prevented updates to the app since Russian authorities demanded that the American tech giant remove Telegram from its App Store, the New York Times's Adam Satariano and Ivan Nechepurenko report. “The allegation from Mr. Durov is significant because it undercuts the importance that Apple’s chief executive, Timothy D. Cook, has placed on privacy and encrypted communication, and adds to criticism that the company too easily acquiesces to the demands of governments in important foreign markets,” they write.

Durov said in a statement on his Telegram channel that “unfortunately, Apple didn’t side with us” when Russian authorities banned the app in the country. “While Russia makes up only 7% of Telegram’s userbase, Apple is restricting updates for all Telegram users around the world since mid-April,” Durov said. He added that Telegram has also been "unable to fully comply" with the European Union's new online privacy rules as a result of Apple's actions.

“The Russian authorities have repeatedly said Telegram is a threat, claiming that extremists use it to coordinate their efforts,” Satariano and Nechepurenko write. “Russian human rights activists and many otherwise apolitical users, however, saw the move as an attempt by the Kremlin to curtail freedoms and as only the first step in a broader plan to introduce online censorship.”

PATCHED: The State Department on Thursday released two summaries of reports that lay out the department's cybersecurity policy goals and its strategy to respond to cyberthreats. Secretary of State Mike Pompeo said in a statement that “as a highly connected nation, the United States depends on the open, interoperable, reliable, and secure global Internet.”

The United States will seek to reduce the risk of conflict in cyberspace, deter malicious cyber activity, keep non-governmental actors involved in Internet governance and promote international regulations, according to one of the summaries. "[T]he U.S. government pursues international cooperation in cyberspace to promote its vision of an open, interoperable, reliable, and secure Internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft."

A second summary lists ways the United States intends to deter cyberattacks -- and its hopes for the future. If its deterrence works, there will be "a continued absence of cyber attacks that constitute a use of force against the United States, its partners, and allies; and a significant, long-lasting reduction in destructive, disruptive, or otherwise destabilizing malicious cyber activities directed against U.S. interests that fall below the threshold of the use of force." The publication of the two documents is part of a series of reports that federal agencies drafted as directed by President Trump's May 2017 cybersecurity executive order.

PWNED: A hacker claimed responsibility for seizing control of Ticketfly's website and accessing files containing information about the company's employees and customers, Motherboard's Lorenzo Franceschi-Bicchierai reports. “In an email conversation with Motherboard, the hacker claimed to have warned Ticketfly of a vulnerability that allowed him to take control of 'all database' for Ticketfly and its website,” Franceschi-Bicchierai writes. “The hacker said they asked for 1 bitcoin to share the details of the vulnerability but did not get a reply. The hacker shared what appears to be two emails between him and a series of Ticketfly employees in which the hacker mentions the vulnerability.”

Ticketfly shut down its website and said it “has been the target of a cyber incident,” according to a statement on its homepage. “Out of an abundance of caution, we have taken all Ticketfly systems temporarily offline as we continue to look into the issue. We are working to bring our systems back online as soon as possible,” the statement said. The websites of major concert venues for which Ticketfly sells tickets were also taken down, Franceschi-Bicchierai reports.

PUBLIC KEY

-- “A federal study found signs that surveillance devices for intercepting cellphone calls and texts were operating near the White House and other sensitive locations in the Washington area last year,” The Washington Post’s Craig Timberg reports.

The Department of Homeland Security told Sen. Ron Wyden (D-Ore.) in a letter that federal testing last year uncovered evidence of the surveillance tools, called IMSI catchers and sometimes referred to as Stingrays. But the letter from DHS also “left open the possibility that there could be alternative explanations for the suspicious cellular signals collected by the federal testing program last year,” Timberg writes.

"This admission from DHS bolsters my concern about stingrays and other spying devices being used to spy on Americans’ phones," Wyden said in a statement Thursday, as quoted by Timberg. "Given the reports of rogue spying devices being identified near the White House and other government facilities, I fear that foreign intelligence services could target the president and other senior officials."

— The Department of Homeland Security and the Energy Department on Wednesday said in a report that the “United States is, in general, well prepared to manage most electricity disruptions” but restoring power after “a significant cyber incident could be more challenging than previously experienced.” The agencies delivered the assessment as part of a flurry of reports released Wednesday as directed by Trump's May 2017 cybersecurity executive order.

A cyberattack could “cause any electricity disruption to be larger in terms of grid impacts and customers without power and longer in duration than seen from historical events,” according to the report. It also says that although there have been reports of cyberattacks against electric utilities in the United States, “no lasting damage — physical, cyber-physical, or otherwise — has been observed.”

“As the Sector Specific Agency for the energy sector, DOE will continue to work with the Department of Homeland Security, our National Laboratories, public, and private sector partners to improve cybersecurity practices and develop next-generation tools and capabilities that can be leveraged to better understand and mitigate cyber vulnerabilities in the energy sector,” Energy Secretary Rick Perry said in a statement.

— Randy Vickers, the chief information security officer for the House of Representatives, said Thursday that the House wants to improve the way it shares information about cyberthreats with the parliaments of Britain, Canada, Australia and New Zealand, CyberScoop's Sean Lyngaas writes. “We’re looking at ways to better share information on a more routine basis,” Vickers told Lyngaas. “It really is just about ensuring that we all have a common knowledge across our environments.” Vickers did not specify which kinds of cyber risks may threaten the House, according to Lyngaas. “We’re not really seeing anything more severe [in terms of threats] than a lot of other large government agencies,” Vickers said.

— Three states that get it right: Arizona, New Jersey and Washington have achieved "demonstrable successes" in their efforts to improve their cybersecurity policies, according to a report by the New America think tank's Natasha Cohen and Brian Nussbaum. Here is what those states do well, according to Cohen and Nussbaum:

  • “The State of Arizona and the Arizona Cyber Threat Response Alliance (ACTRA) have formed a successful partnership that has achieved notable success in facilitating, supporting, and encouraging the sharing of real, actionable information on cyber threats and vulnerabilities. This relationship has been built over time and is based on a foundation of trust, essential for facilitating information sharing efforts.”
     
  • “By standing up the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) and consolidating services through a shared model, New Jersey has been able to increase the breadth and quality of its monitoring services, expand its information sharing and educational initiatives to reach organizations and individuals across multiple sectors, and increase its efficiency across developing cybersecurity priorities. Especially important to this consolidation and coordination is offering state and external partners a single point of contact for cyber concerns.”
     
  • “The state of Washington has taken the shared services model to its full maturity, with IT services centralized through the Office of the Chief Information Officer (CIO) in the Washington Technology Solutions department (WaTech) and through the Office of the Chief Information Security Officer, who reports directly to the CIO. Washington is also notable for its multidisciplinary approach to cybersecurity, extending responsibility outside of the information technology community to the emergency management and military departments of the state bureaucracy.”

— More cybersecurity news from the public sector:

Pentagon's latest bug bounty program pays out $80,000

The Department of Defense’s latest bug bounty program exposed more than 100 security vulnerabilities worth $80,000 to the hackers who looked through the department’s travel booking system, officials said.

CyberScoop

PRIVATE KEY

THE NEW WILD WEST

— A social media tax in Uganda: Ugandans will have to pay a tax of about 5 cents every day they use social media or messaging apps such as WhatsApp under a new law that the country's parliament approved Wednesday, BuzzFeed News's Tamerra Griffin reports. “The bill also created a 1% tax for all mobile money transactions, a popular payment method for Ugandans, especially those who live in rural areas far away from banks,” Griffin writes.

Pru Nyamishana, an activist and blogger in Kampala, told Griffin that she suspects the move isn't just about raising money but instead aims to crack down on freedom of expression. “Many Ugandans that I know rely on social media are really feeling the pinch,” Nyamishana told BuzzFeed News. “But we also believe it is a deliberate move to censor Ugandans and cut down on dissenting voices."

From Ugandan journalist Grace Natabaalo:

ZERO DAYBOOK

Today

Coming soon

EASTER EGGS

Trump's pattern of political pardons:

ZinedineZidane makes shock decision to leave Real Madrid as coach: