Tag Archives: United States

South Korean Cybersecurity: Three Questions

By Brett Young, Research Assistant, American University, DC
Center for Technology and National Security Policy

 

The mid-April paralysis of the National Agricultural Cooperatives Federation (Nonghyup), South Korea’s fourth-largest retail bank, seemed to be another routine cyber incident in the same vein as recent, high-profile intrusions carried out against Sony (where attacks resulted in the breach of 100 million customers’ personal information) and Hyundai Capital (where hackers demanded a ransom for not releasing stolen information). Preliminary investigations, however, showed that this was not the work of ordinary hackers. In early May, the Seoul Central District Prosecutor’s Office announced that the culprit was North Korea.

A network breach of the financial systems that underpin a vibrant modern economy, particularly one conducted not by a group of profit-seeking hacker-criminals, but by a sovereign nation-state with hostile intentions, raises a number of questions.

How should this alleged incident impact diplomatic relations with North Korea? After a bloody 2010, this year has seen a North Korean “charm offensive” with an emphasis on improving relations between the two Koreas. The North may be seeking food aid to stave off famine conditions, or may want a more stable situation for the 100th anniversary of Kim Il-Sung’s birthday in 2012. At the negotiating table, President Lee Myung-bak’s default position has been to seek apologies for the deaths of 50 citizens at the hands of the North in 2010. Yet any discussion of the Cheonan corvette sinking or the shelling of Yeonpyeong Island is met with vigorous denials and can lead to immediate termination of any talks by the North.

Nonghyup’s security breach was considerably more than a nuisance; since April 12, the bank has spent over $400 million on measures to prevent the loss of customer confidence. When the South sits down at the table with the North, should Nonghyup be on the agenda? Or is silence (or covert retaliation) best?

The North has shown the ability to change its diplomatic posture overnight; its “charm offensive” may not last. When dealing with a regime that specializes in provocation, South Korea needs to define what manner of cyber incidents will be permitted to derail ongoing negotiations.

At the national level, how should South Korea pursue cybersecurity down the road? The security team at Nonghyup ignored financial sector regulations regarding strength of passwords, and internally permitted use of passwords that were deemed too weak to be used by their own customers.

Previous cyber intrusions in the ROK were enabled by the malware spread through popular peer-to-peer (P2P) file-sharing websites. In the past, South Korea has tried to combat cyber intrusions by increasing public awareness through mass and social media. But the economic motivation to use P2P websites—and get goods for free—will remain, despite government campaigns. South Korea can create more vigorous laws regarding network protection, but must do so in a fashion that will not create a counterproductive environment where reluctance to cooperate is the preferred corporate response to a network breach.

Internationally, the Nonghyup case will never end up before the United Nations. Last year’s sinking of the Cheonan resulted in a UN Presidential Statement condemning the attack. But in cyberspace, attribution—being able to directly attribute an intrusion to a source—remains the thorniest in a thicket of issues. North Korea’s involvement has been alleged, not proven—as with two other previous cyber incidents in the South. Some experts and media outlets disagreed, noting that technical evidence cited by the National Police Agency can be manipulated by competent hackers. As a state with one of the highest broadband connectivity rates in the world, South Korea is better off continuing to bolster its defenses: it has both a Cyber Warfare Command and Cyber Terror Response Center, and roughly doubled funding for the former in April. 

Finally, there is the broader question of the gradual increase in cyber intrusions against states, and what states are to do about them. Recent years have seen increasingly brazen network intrusions that threaten state secrets and cost time and money. Intelligence agencies, military planners, and policymakers are grappling with the question of how exactly to respond to certain types of intrusions—and what, if any, level of a cyber incident would require the answer of a real-world, kinetic response.

An event which broke as this went to press will certainly have the attention of Seoul. The Wall Street Journal reported that the U.S. Department of Defense is soon to release its cybersecurity strategy, possibly containing precedent-setting answers to the question posed above.

All three questions bear close scrutiny not only by South Korean policymakers, but by those interested in shaping policy for effective cybersecurity around the world.

Brett Young is a graduate student at American University’s School of International Service, where he focuses on security studies in East Asia. He is currently researching aspects of cybersecurity for NDU’s Center for Technology and National Security Policy. He previously interned at the Korea Economic Institute in Washington, DC.


Filed under Regional Studies, Strategic Studies

What Drives Iran?

By Judith Yaphe, PhD

 

For the United States, any consideration of Persian Gulf security must begin with Iran: its ambitions, perceptions, and behavior. For many in the West, Winston Churchill’s famous quip about the Soviet Union—being a riddle wrapped in a mystery inside an enigma—could apply equally well to Iran given its complex, opaque, and often turbulent politics. And yet the key to understanding Iran is to figure out what it sees when it looks in the mirror. What are the fundamental influences that shape Iran’s view of its role in the world?

The first, clearly, is Iranian nationalism. It is a means of unifying society while assuring territorial integrity and political power. The second is Islam, which is the country’s source of faith and ethical code. The third is Persia as the basis of its historical identity and cultural pride. Taken together, these factors and the aspirations they embody—to secure Iran’s territorial and political integrity while gaining acceptance of the regime’s legitimacy and the country’s status in international relationships more generally—are deeply rooted in Iranian society. But there is also a fourth, latter-day imperative that wields great influence over Iranian attitudes: the quest for strategic self-sufficiency.

Everywhere they look, Iran’s leaders see their country encircled by real and potential enemies—by Iraq, which used chemical weapons and missiles against Iran in their 8-year war; by the Gulf Arab states, which financed the Iraq War, host the U.S. military presence, and are seen as repressing their Shia communities; by Pakistan, which is occasionally involved in hostile skirmishes with Iran on their common border and has encouraged anti-Iranian activity in Afghanistan; and by Central Asia, once pro-Soviet, now a source of economic opportunity, sectarian risk, and host to U.S. military forces. Above all, the United States, a virtual neighbor since the occupation of Iraq in April 2003, and Israel are viewed as enemies: both threaten Iran’s nuclear achievements and deplore its efforts to derail any peace process between Israel and the Palestinians or Israel and Syria. Washington, in particular, is seen as keen to keep the Persian Gulf as its militarized zone, maintain pro-U.S. regimes in Baghdad and Kabul, and marginalize Iran.

Iran’s leaders—whether moderate Persian nationalists or conservative Islamists—view the world with a mix of confidence and trepidation. Regardless of where they stand on the political spectrum, they most likely share a common view of the threats to the homeland and the measures necessary to protect Iranian interests. This consensus also includes a strong, underlying sense that they may well have to fight alone, again—just as they did from 1980 to 1988—and that Iran must be able absolutely to defend itself without assistance. Thus, Tehran aspires to independence and self-sufficiency in both strategic and operational terms. It believes that it must build its own military industries, reconstitute a modern military force, and have minimal reliance upon foreign suppliers. It also seeks to acquire nuclear technology and, eventually, the wherewithal to produce nuclear weapons, probably as a cost-effective way to compensate for military weakness and relative strategic isolation.

The predicament that all this poses for Iran’s neighbors and the larger international community is not only how military self-sufficiency is defined by Tehran, but also how this self-sufficiency impulse plays into an already strong sense of Iranian exceptionalism—specifically, that the country is endowed with the natural right and historic destiny to dominate the greater Middle East as well as to lead the world’s Muslims.

Iran’s ambitions to be the preeminent power in its neighborhood are longstanding. The quest for regional hegemony began under the shahs and has been continued by the clerics of the Islamic Republic. Iranian foreign policy has always been designed to protect a nation and an empire that were long coveted by more powerful neighbors—Ottoman Turkey and tsarist Russia—and divided into spheres of influence by the great powers of the 20th century—the Soviet Union, Great Britain, and the United States. Viewed through this historical prism, these ambitions have little to do with exporting its Islamic revolution or expanding its borders, although occasional reminders to the Gulf Arabs of the Shia and Persian-origin communities within their borders prompt those Sunni Arab–led states to recall their vulnerability.

Iran assumes it is by right the preeminent power in the Persian Gulf and the greater Middle East region. It has the largest population, largest land mass, largest military, and oldest culture and civilization. It believes it is the economic engine of the region and the most innovative in application of science and technology. In the Iranian worldview, that “region” is more than the Gulf or Central Asia. It extends from Afghanistan through the Gulf, Iraq, Turkey, and the greater Middle East (especially anything affecting Syria, Lebanon, Palestinians, and Israel). As the preeminent power, Tehran expects to be consulted on all issues affecting the region, in much the same sense that Syrian President Hafiz al-Assad interpreted his and Syria’s role. Iran believes that all the roads to a U.S. exit strategy from Iraq, to a peace settlement in the Arab-Israeli context, and to stability in the Gulf run through Tehran. Without Iran, according to this view, the country’s leaders believe, there can be no peace, no resolution of conflict, and no “justice.”

Iran wants to expand its influence and authority in the region, but it is not interested in territorial expansion. Rather, it seeks to build its clout through a policy of aggressive outreach short of war—by building and backing support networks throughout the region; providing political support and economic assistance to key actors; bolstering trade and commercial ties with neighboring countries; and signing security and defense agreements. In implementing its policies, Iran operates on two intertwined principles that underwrite its ability to build networks of surrogates, intimidate opponents and critics, influence governments, and make foreign policy: the first of these is plausible deniability, and the second is deliberate ambiguity.

This post is an excerpt from Strategic Forum No. 237, “Challenges to Persian Gulf Security: How Should the United States Respond?”

The document in its entirety may be found here.


Filed under Middle East, Regional Studies, South Asia, Strategic Studies, Uncategorized

A Weapon of Biblical Proportions?

By Micah J. Loudermilk, Center for Strategic Research

The past several weeks have witnessed an explosion of reports on the recently discovered Stuxnet malware, referred to as the world’s first cyber super-weapon. Suspicions that the worm was custom-designed to target a nuclear facility in Iran – perhaps Bushehr or Natanz – have grown with the passage of time, since Stuxnet infections appear heavily concentrated in Iran, perhaps reaching a breaking point since a text string was found deep inside Stuxnet’s code containing an allusion to the Biblical figure Esther, credited with saving the Jews from destruction by the Persians. As cyber experts worldwide race to decode and understand Stuxnet, numerous questions are arising regarding the incredible sophistication of the attack, who is responsible for it, and what the end result will be when the worm finds its target. However, equally important and not yet analyzed are two questions about the longer-term consequences of Stuxnet in the cyber sphere.

First, can cyber attacks be defended against? Troublingly, the short answer to that question appears to be “no” – at least not with any degree of consistency and reliability. Stuxnet opened the door on a whole new field of cyber warfare, previously considered impossible, and with it a slew of new possibilities for attacks. Operating without human guidance and capable of taking over industrial control systems, Stuxnet is a perfect example of how rapidly the cyber field is evolving, consistently leaving those seeking to defend against attacks playing catch-up.

On the surface, the superiority of offensive capabilities compared to their defensive counterparts is relatively simple: an offensive system is successful if it strikes once, but a defensive system has zero margin for error. This equation is magnified on the cyber front where new loopholes and critical vulnerabilities are found and exploited by attackers faster than they can be closed and protected. When coupled with the near-instantaneous speed at which networks operate, defense against attacks becomes infinitely more difficult.

Second, is the realm of cyber warfare officially open for business? Sure, for years the Chinese and other entities have been hacking DoD networks, the U.S. electrical grid, and other critical infrastructure, but the Stuxnet malware is potentially the first real-world case using a worm to destroy a physical target. While no mechanism exists by which to define at what point a cyber attack or infiltration becomes an act of war, it seems clear that there must be a line, but where should one draw it? Should Iran’s Bushehr or Natanz plant be destroyed by this cyber attack, is it necessarily any different from utilizing jet fighters or missiles to achieve the objective? These are all vital questions which must be addressed, not simply in the case of Stuxnet, but broadly speaking.

Whatever this episode’s outcome, the door into this terrifying world – where targets can be hit and critical infrastructure compromised without a nation or group taking any tangible action – is potentially open. The possibilities are immense, and the problems even greater – in large part due to the attribution problem. Regardless of whether or not the destruction of another nation’s nuclear plant crosses any arbitrary lines, absent knowledge of what country is responsible for unleashing it (without even addressing the possibility of rogue group actions), a concerted response is difficult. The danger here, and one already obvious from the cyber attacks directed daily at the U.S., is that countries can take actions against other states from the relative safety of anonymity, potentially giving rise to an increased use of cyber tactics as a means to asymmetrically attack one’s opponents.

Ultimately, it may never be known who perpetrated the Stuxnet worm or what, if any, the effects were on Iran’s nuclear program (assuming that is indeed the target). One can draw conclusions from delays to the launch of the Bushehr facility, but these delays have been persistent and Iran continues to deny that any of its nuclear facilities have been adversely affected (despite being infected). However, it is crucial to understand that cyber attacks of this type are now fully within the realm of possibility and, as ideas previously only imagined in science-fiction movies move ever closer to reality, the strategic calculus of U.S. policymakers must learn to adjust quickly and accordingly.


Filed under Energy, National Security Reform, Regional Studies, Strategic Studies, Uncategorized

Can a Cyber Warfare Strategy be Defined?

By Eric Crownover, Center for Technology and National Security Policy


Throughout history, those who have studied war have sought to understand the nature of warfare. Strategists have frequently written on the development of military strategy, whether focusing on the principles of warfare or on the influence technological advances (i.e., sea power, air power, and nuclear power) have had on the development of military strategy. The nature of warfare is constantly being revisited, and cyber warfare is of great importance in the discussion of future warfare.

Military strategists must develop an understanding of how cyber capabilities can be used in military strategy. The United States Cyber Command (USCYBERCOM) will need to attempt to address this problem. After achieving Initial Operating Capability in May of 2010, USCYBERCOM is expected to achieve full operational capability this October.

USCYBERCOM’s focus is to centralize cyberspace operations, strengthen Department of Defense cyber capabilities, and bolster DOD’s cyber expertise utilizing components from all branches of the military. Securing cyberspace is a main objective of the United States. In order to achieve this objective, USCYBERCOM along with other components must be proactive and develop a comprehensive understanding of cyber warfare.

According to the United States National Strategy to Secure Cyberspace, the United States is “now fully dependent on cyberspace.” Thus, the unimpeded successful functioning of cyberspace is crucial for everyday activities.  The threat has been identified but what now? Can the lessons of history help inform the development of a cyber strategy?

Military strategists have suggested that deterrence can be utilized in cyber warfare. Deterrence seeks to prevent a specific action from happening. For deterrence to work, the policymaker must understand what action will deter a specific actor. If a specific action has not occurred, does that imply that deterrence worked? In order to apply deterrence to cyber warfare, who are the actors facilitating these incursions? What drives these actors? What actions will deter these actors? Deterrence has had historical value, but can the theory adapt to the cyber domain, and if so, how?

What is the difference between cyber warfare and cyber attacks? Clausewitz stated that war is an expression of politics by other means. Thus, war is an action between states. Inherent to the attribution problem, however, is the question of whether a cyber attack is an attack perpetrated by an individual or cyber war perpetrated by a state. Cyber attacks occur over cyber networks, and while the networks are geographically bound, cyber attacks are not: they are a global capability. Thus, in order to create a strategy one must reliably discern the difference between a cyber attack and cyber war.

If cyber attacks and cyber war are discernible, can lessons learned from Thucydides and Sun-Tzu through present-day nuclear strategists be applied to cyber warfare? Or does a 21st century threat require unique 21st century thought?


Filed under Energy, National Security Reform, Strategic Studies