A South Korean legislator revealed this week that a report from the country's intelligence service suggested that the North Korean government might have been behind a hack of the Seoul Metro system last year that lasted several months. Moving upwards of five million passengers per day, the city's subway is one of the busiest in the world. A cyber attack of this nature not only highlights vulnerabilities in critical infrastructure but also raises questions about North Korea's cyber capabilities — and what it intends to do with them.
After Ha Tae-kyung, a representative of South Korea's ruling Saenuri party, stated that the attack took place between March and August 2014, Seoul Metro confirmed the news. Almost 60 computers belonging to subway employees were infected by malware similar to a type that North Korea has used in the past, but the company stressed that the hack consisted solely of data and information leaks and did not affect operations. Seoul Metro manages four of the subway system's major lines.
It might seem odd that a report about a year-old cyber attack in which no one was hurt or even seriously inconvenienced would be newsworthy. But the report's significance lies less with what did happen than what could have happened or what might potentially happen in the future. The population of Seoul's metropolitan area is larger than that of New York and roughly equal to North Korea's population. It also lies just 35 miles away from the North Korean border, which is well within artillery range. Should the relationship between North and South Korea ever reach full-on fisticuffs status, the Seoul subway system's huge size and key location make it a seemingly irresistible target.
Over the past few years, North Korea has been suspected of launching multiple cyber attacks on its southern neighbor's military institutions, banks, government agencies, TV broadcasters, and media websites. An attack in March 2013, for example, froze computer terminals in South Korean television stations and affected a bank's operations, including its ATMs and mobile payment systems. Malware associated with this and other attacks has come to be known by the catchy moniker "DarkSeoul."
North Korea's cyber capabilities do not rival those of the United States or China at this point, but Pyongyang has at a minimum demonstrated a capacity and enthusiasm for mischief in cyberspace. The most infamous example is the Sony Pictures hack from last November, in which North Korean hackers were suspected of releasing droves of confidential and personal information relating to Sony executives and business matters. The motive? Apparent pique at the depiction of a plot to assassinate North Korean leader Kim Jong-un in the feature comedy The Interview, which the studio was about to release.
So what, if anything, might North Korea be up to with these hijinks?
"Our take is that they are trying to build a capability that could eventually be integrated with a military strategy that would asymmetrically try to disable US and ROK defense capabilities with cyber," said Victor Cha, senior adviser and Korea Chair at the Center for Strategic and International Studies. "They are still a long way away from this, but the intent is there, so we cannot discount the threat. After all, they started a small nuclear program in the late 1980s, and now look at where they are."
North Korea's military strategy likely includes operations designed to spread chaos and confusion in the event of open war with South Korea. It's easy to see how cyber attacks on critical infrastructure would be a handy tool in such an event. The potential exists for everything from crashing subway coordination programs or creating massive gridlock by shutting down traffic lights to knocking out a power grid or causing damage to nuclear reactor. The ability to paralyze — or even just really, really annoy — one's adversary at the beginning of a conflict should never be underestimated.
Cyber attacks also insert additional rungs, so to speak, into the escalation ladder. North Korea is known not only for blunt, over-the-top rhetoric, but also for reckless operational moves that are heavily influenced by internal politics in Pyongyang. The government can be difficult to read, as outbursts describing US leaders as "nuclear maniacs" or warning its enemies that they'll be turned into a "sea of fire" are commonplace at this point. But it's hard to know when North Korea will decide to back up its rhetoric with aggressive actions, such as the 2010 sinking of the South Korean shipCheonanthat killed 46 sailors.
The North Korean cyber program offers Pyongyang an option that falls somewhere between "get off my lawn" posturing and flirting with Armageddon. Crashing a cellular network might not cause a war-worthy widespread loss of life and limb, but could nonetheless make a significant — and very public — dent in the day-to-day operations of South Korea.
Watch the VICE News documentary Launching Balloons into North Korea: Propaganda Over Pyongyang:
But we shouldn't expect to see a major cyber attack from the North just yet.
"As with China, the use of cyber serves many purposes — principally black market transactions and old school espionage in a new domain," cautions Van Jackson of the Daniel K. Inouye Asia-Pacific Center for Security Studies in Honolulu. "Depending on what they do once they've achieved illicit access, they may decide to use their access in a coercive way. So far though, the Sony hack is the only clear instance of them using digital intrusions in a threat-making way."
Pyongyang could also just be flexing their cyber muscles as another attention-grabbing stunt (should nuclear tests lose their thrill), or looking to build up their cultural capital a bit. There is, after all, prestige in developing a cyber capability, just as with a space program.
"The intent for now is to use these [cyber intrusions] as disruptive operations that allow them to test their capabilities, but also remind folks that they are a force to be contended with," Cha suggests. "The attacks are disruptive and not yet destructive, but one cannot rule that out in the future."
While rules of engagement are more developed in air, land, and sea operations, cyber is a relatively new realm to deal with, and even those countries with sophisticated cyber programs are struggling to feel their way forward. Proportionate responses to cyber attacks can be unclear, and often affect the broader population rather than just the leadership of the originating country. During Chinese President Xi Jinping's September visit to the US, he and President Barack Obama agreed not to target each other's critical infrastructure via cyber attack during peacetime, as per a July United Nations accord. (As to why such an accord should be necessary during peacetime — well, that's a separate question.)
We're unlikely to resolve the issue of North Korean cyber intrusions so politely for a few reasons, including the fact that North and South Korea are still, technically, in a state of war: the two countries signed an armistice in 1953, not a peace treaty. Nor is North Korea well known for its sincere commitment to international obligations.
So how should we view the subway attack in the context of North Korea's developing cyber capabilities? Jackson's hypothesis is that they were hunting for a more accurate map of the system for the purpose of eventual infiltration.
"Different people view cyber differently, but I wouldn't hold my breath anticipating a full-blown disruption that might put people in harm's way," he said. "It's possible of course, but it wouldn't serve a clear purpose unless North Korea could somehow claim credit for it."
North Korea has denied responsibility for the subway system hack, in keeping with its general tendency to claim complete innocence when charges of cyber-shenanigans are leveled against it. This returns to one of the central dilemmas of using cyber as an intermediate type of demonstration or provocation.
As Jackson put it, "If [North Korea] does claim credit for it, it becomes no different than a traditional attack by military or guerrilla forces. This is why there's been no cyber Pearl Harbor: governments have the ability, but not the incentive. If you're going to launch a big attack of some kind that wreaks real havoc, you may as well not go to the trouble of going through the digital back door."
Ultimately, intrusions like the Seoul Metro hack are a reminder that, as with many things, the rules of the game can be a bit different on the Korean peninsula. Not only could cyber represent a more powerful asset in wartime owing to Korean geography, but it also might serve as a more useful tool for harassment and, in turn, as a stepping stone toward reaching actual conflict.