Monday, July 13, 2009

Cyber-Security and North Korea: Worth Worrying About?

Beginning on July 4, numerous government and private websites in both South Korea and the U.S. succumbed temporarily to attacks by a shadowy entity suspected of connections with North Korea. Although the damage and disruption were temporary, this sort of thing may be a small wave of a big future for web-based warfare. But unlike conventional warfare, which has at least the restrictions of the Geneva Convention, cyber-warfare is so new that there are few international agreements about it, and even less agreement among those responsible in the U.S. as to what should be done to defend against it.

First, the attacks. According to the Wall Street Journal, they were "relatively unsophisticated," but that doesn't mean they weren't effective. The distributed denial-of-service attacks were carried out by large numbers of computers which harbored a virus that ordered them to flood the targeted websites with requests for service. It takes time for website operators to notice what's going on, get a fix on where it's coming from, computationally speaking, and devise work-arounds to restore service to legitimate users. In the case of these attacks, the time involved was as long as three to four days during which service was interrupted or degraded to some degree. Besides several government-operated websites in North Korea, U.S. websites operated by the Defense Department, the Federal Aviation Administration, and private entities such as the New York Stock Exchange and Amazon.com were attacked.

Although positive identification in these types of attacks is difficult, the timing and other characteristics of the attacks make it likely that North Korea is responsible. North Korean dictator Kim Jong Il is in poor health and has not made public his plans for a transfer of power. That makes the normally volatile country even more unstable and likely to pull malicious pranks such as nuclear-weapons tests and missile firings, which have also occurred in recent months. But when should we quit calling these web attacks pranks and take them more seriously?

Cyber-warfare is the ultimate in modern conflicts. It resembles conventional terrorist actions such as suicide bombings in that its effects are large in proportion to the resources required, its perpetrators wear no uniforms and can blend into the civilian populace easily, and identifying even so broad a category as the country of origin for a cyber-attack is difficult, let alone finding the people responsible. As far as I know, no one has died as a direct consequence of a cyber-attack, although as more and more life-critical systems from medical care to power grids depend on the Internet, this may soon change. Websites accessible to the general public are the easiest targets, but the harm caused by disabling them is generally limited to loss of revenue or public access, which is inconvenient but not life-threatening.

We can expect that attackers will grow in sophistication and focus as time goes on. There is already some concern that critical infrastructure systems that use the Internet are more vulnerable to attack than they should be. But if history is any guide, we will coast along in blissful ignorance until someone wreaks real harm—death or destruction of large amounts of real property—before steps are taken to remedy these vulnerabilities.

Conventional wars were fought over physical objectives such as territory, natural resources, or lives. As much as many terrorists would like to, no one has yet figured out a way to kill you by means of your own computer, unless you count grabbing your laptop and lamming you over the head with it. There is a cautionary lesson here for those who would like to integrate their own bodies with the web by direct implants of nerve-stimulating devices in the brain and so on. If a computer does something I don't like, I can always walk away. But if it's wired permanently to my brain and some hacker gets his hands on it, I won't have that option. There's a sci-fi movie for you, but one I wouldn't want to watch.

President Obama, to his credit, appears to be the most web-savvy occupant of the White House so far. But his plans to name a cyber-czar in charge of government internet security have hung in limbo as he searches for a suitable candidate. It's not like the President has nothing else to do, but this may be one of those cases where we will wish he'd paid a little more attention to a low-profile matter at the expense of one more town-hall meeting on health care, for example.

All the same, I hope that such a czar will wear his or her authority lightly. One of the strengths of the Internet, and the cyberworld as a whole, is the way that highly distributed expertise works very effectively most of the time to remedy problems as they occur. It is an example of engineering ethics at work that is quiet, not flashy, but worthy of our attention nonetheless. The great majority of computer and networking experts have a vision of the way things ought to be that is both moral and efficient, and tend to work most of the time in cooperation with each other to keep things running well. But the strength of such distributed expertise is also its weakness, in that it takes only a few malicious people who grab the controls to mess things up. Let's hope that we can mount organized defenses against such attacks in time to thwart them before they cause the kind of headlines that 9/11 received.

Sources: I used information from the following articles on the recent cyber-attacks: a piece by Donald Kirk of the Christian Science Monitor at http://www.csmonitor.com/2009/0708/p06s24-woap.html, and an article in the online edition of the Wall Street Journal by Siobhan Gorman and Evan Ramstad at http://online.wsj.com/article/SB124701806176209691.html.
