The Perfect Weapon
“The Chinese are already doing it,” he remembered one of the experts saying.
The North Korean military began training computer “warriors” in earnest in 1996, he recalled, and two years later opened Bureau 121, now the primary cyberattack unit. Members were dispatched for two years of training in China and Russia. Jang Sae-yul, a former North Korean army programmer who defected in 2007, said these prototypical hackers were envied, in part because of their freedom to travel.
“They used to come back with exotic foreign clothes and expensive electronics like rice cookers and cameras,” he said. His friends told him that Bureau 121 was divided into different groups, each targeting a specific country or region, with a special focus on the United States, South Korea, and the North’s lone ally, China.
“They spend those two years not attacking, but just learning about their target country’s Internet,” said Jang, who was a first lieutenant in a different army unit that wrote software for war-game simulations. As time went on, Jang said, the North began diverting high school students with the best math skills into a handful of top universities, including a military school that specialized in computer-based warfare called Mirim University, which he attended as a young army officer. Others were deployed to an “attack base” in the northeastern Chinese city of Shenyang, where there are many North Korean–run hotels and restaurants.
Before long Kim Jong-il himself started sounding like a cable-television pundit on the subject of cyberattacks: “If warfare was about bullets and oil until now,” Kim allegedly told top commanders in 2003, according to Kim Heung-kwang, “warfare in the twenty-first century is about information.”
It’s unclear whether Kim Jong-il ever really believed his own bromides about information warfare—or had much of an idea how to turn the slogan into a strategy. At the end of the day, he relied on his nuclear arsenal to keep his regime in power and his family alive. But he was convinced that it was worth identifying promising students at an early age for special training in the hacking arts. Their first step was China’s top computer science programs.
Then the FBI’s counterintelligence division noticed that North Koreans assigned to work at the United Nations were also quietly enrolling in university computer programming courses in New York. James Lewis recalled that as the enrollment numbers for the North Koreans rose, “the FBI called me and said, ‘What should we do?’ ”
“I told them, ‘Don’t do anything. Follow them and see what they are up to.’ ”
What they were up to didn’t seem very scary at the time. But North Korean engineers learn fast—ask any missile scientist—and they got good quickly. “There was an enormous growth in capability from 2009 or so, when they were a joke,” said Ben Buchanan, a researcher at the Cyber Security Project at Harvard who has written extensively on the dilemmas of protecting networks in a world of cyber conflict. “They would execute a very basic attack against a minor web page put up by the White House or an American intelligence agency, and then their sympathizers would claim they’d hacked the US government. But since then, their hackers have gotten a lot better.”
No one in Washington seemed especially alarmed. A National Intelligence Estimate in 2009 wrote off the North’s hacking prowess, much as it underestimated the speed at which the country’s long-range missile program would come to fruition. It would be years before the North Koreans could mount a meaningful cyber threat, it concluded.
The assessment might have been accurate—had Kim Jong-il lived. When Kim Jong-un succeeded his father in 2011, few expected that an inexperienced, narcissistic twenty-seven-year-old who had not been groomed for the job could establish his authority with the North Korean military and the country’s elite. He surprised everyone. His first task, he knew, would be to make North Korea’s nuclear threat a credible one. His second was to eliminate potential rivals, which he sometimes did with an antiaircraft gun. His third was to build a cyber force, and he brought to this task a sense of urgency.
By the time Kim Jong-un came to power, Bureau 121 had been up and running for more than a decade. And while Kim is often caricatured as a buffoon in American pop culture, he deftly seized on an asymmetric capability that his father and grandfather—the Dear Leader and the Great Leader, respectively—had never exploited. At Kim’s direction, the North built up an army of upward of six thousand hackers, mostly based outside the country. (They eventually spread from China to the Philippines, Malaysia, and Thailand, all countries that advertise something in short supply in North Korea: beach resorts.)
The idea was to make cyber offense more than just a potential wartime weapon; like the Russians, Kim saw the opportunity for theft, harassment, and political score-settling. “Cyberwarfare, along with nuclear weapons and missiles, is an ‘all-purpose sword’ that guarantees our military’s capability to strike relentlessly,” he reportedly declared, in comments that were later relayed by a South Korean intelligence chief.*1
By 2012, Kim had begun dispersing his hacking teams abroad. China was the first stop, the closest country with an Internet infrastructure that could sustain substantial malicious activity while giving the North’s hacking teams plausible deniability. But over time the hackers spread to India, Malaysia, Nepal, Kenya, Poland, Mozambique, and Indonesia—places that often took North Korean laborers. In some countries, like New Zealand, North Korean hackers were simply routing their attacks through the country’s computers from abroad. In others, like India, where nearly one-fifth of Pyongyang’s cyberattacks now originate, the hackers were physically stationed in the country.
Success seemed easy and cheap. “You could argue that they have one of the most successful cyber programs on the planet, not because it’s technically sophisticated, but because it has achieved all of their aims at very low cost,” said Chris Inglis, a former deputy director at the National Security Agency.
To some degree the North Koreans learned from the Iranians, with whom they have long shared both missile technology and a belief that the United States is the source of their problems. In the cyber realm, the Iranians taught the North Koreans something important: When confronting an enemy that has Internet-connected banks, trading systems, oil and water pipelines, dams, hospitals, and entire cities, the opportunities to cause trouble are endless.
North Korea’s first big strike came in March 2013, seven months after Iran’s attack on Saudi Aramco. During joint military exercises between American and South Korean forces, North Korean hackers, operating from computers inside China, deployed a cyberweapon very similar to Iran’s against computer networks at three major South Korean banks and South Korea’s two largest broadcasters. Like the Saudi attacks, the North Korean attacks on South Korean targets—an operation quickly dubbed “Dark Seoul”—used wiping malware to eradicate data and paralyze business operations. It may have been a copycat operation, but it was an impressive one. Robert Hannigan, who later tracked the North Koreans as the head of GCHQ, the British equivalent of the NSA, saw a parallel that was too dramatic to ignore.
“We have to assume they are getting help from the Iranians,” Hannigan concluded.*2
“It crept up on us,” he said of the North Korean threat. “Because they are such a mix of the weird and absurd and medieval and highly sophisticated, people didn’t take it seriously. How can such an isolated, backward country have this capability? Well, how can such an isolated, backward country have this nuclear ability?”
* * *
Fortunately, there were chinks in North Korea’s system. And at Fort Meade, where the NSA and Cyber Command worked side by side, the urgency was building to exploit them with the same gusto that had motivated Operation Olympic Games. The US sought to throw a wrench into North Korea’s development of a nuclear capability that could be demonstrated to reach the United States.
But in the case of North Korea, the problem was far more complex than anything the Tailored Access Operations unit, or the early iterations of US Cyber Command, had faced in Iran. By mid-2013, it became clear to the Obama administration that it was simply too late to stop North Korea’s bomb production. The Kim family was way, way ahead of the mullahs. While the Iranians were still struggling to make centrifuges spin to produce uranium, the North Koreans were churning out atomic bombs. Though intelligence estimates differed, the North Koreans already possessed upward of a dozen nuclear weapons—and production was speeding up.
So the focus of America’s cyber warriors, as former secretary of defense William Perry put it, “had to be on the missiles that could get to the United States, because that’s the only thing left for the North Koreans to complete.”
For Kim Jong-un, the ability to reach an American city with a nuclear warhead was all about survival—but it was also about future power. He accelerated the effort drastically, turning it into the North Korean version of the Manhattan Project. That meant putting equal effort into a missile program that could get the weapons to the other side of the Pacific. And by 2013, for the first time, the missile program looked genuinely threatening.
“I heard Obama say more than once that he would have no problem decapitating Kim Jong-un’s leadership circle if he had the chance—and thought it wouldn’t start a war,” one of Obama’s aides later recounted. No one could provide that assurance, and because Obama was cautious to a fault even some of his own aides wonder whether he would have pulled the trigger. But he was certainly willing to do what he could to slow the North’s nuclear program.
Which is why the president, who had seen the power of America’s newest weapon during Olympic Games, suddenly began demanding a way to down North Korea’s missiles without firing a shot.
“By the end of 2013 we knew we had to do something,” one senior aide said. The defense secretary, Ashton Carter, began calling meetings focused on one question: Could a crash program slow the North’s march to obtaining an intercontinental ballistic missile?
Early in 2014, Obama presided over a series of meetings to explore a range of options. The Pentagon and American intelligence agencies, he decided, should step up a series of cyber- and electronic-warfare strikes on Kim’s missiles, starting with an intermediate-range missile called the Musudan. The hope was to sabotage them before they got into the air, or to send them off-course moments after launch. The further hope was that the North Koreans, like the Iranians before them, would blame themselves for manufacturing errors.
It would take a year or two, Obama was warned, before anyone would know if the accelerated program could work. Only in retrospect is it clear that in 2014 Obama and Kim were using cyberweapons to go after each other. Obama’s target was North Korea’s missiles; Kim’s was a movie studio intent on humiliating him. Eventually, each would begin to discover what the other was plotting.
* * *
By mid-2014, North Korea had picked its next target for a cyberattack—and it was in London.
As the North Korean protests over The Interview were escalating in the summer, one of Britain’s commercial television networks, Channel 4, announced plans to broadcast a juicy series about an American president and a British prime minister who joined forces to free a nuclear scientist kidnapped in Pyongyang.
Just as it had done with the United Nations, the North sent a letter to 10 Downing Street and demanded that the British prime minister shut down production and punish the producers. The series would be “a scandalous farce,” they said. Naturally, the British responded the same way the UN did—with silence.
Within weeks, things started going wrong at Channel 4. It became clear that someone had hacked into the channel’s computer systems, though the attack was stopped before it inflicted any damage. The chief executive of Channel 4 said he would not be deterred, and the production would go forward. (It didn’t: months later the project was canceled, largely because the financing dried up. Fears of North Korea’s reaction appeared to be among the many reasons.)
It wasn’t until years later that anyone noticed the similarities between the attacks on Channel 4 and what was happening more than five thousand miles away, on Sony’s storied back lot.
By the end of the summer, the hackers were boring into Sony’s systems and preparing their attack. But the Obama administration was focused on another North Korea drama, one that seemed a lot more familiar. For more than a year, the White House had tried to negotiate the release of two Americans who had been imprisoned by North Korean authorities. Obama decided to send James Clapper, the director of national intelligence. Clapper was a complete anomaly in the Obama administration: He was old enough to be the father of many administration officials—the president included—and the grandfather of many of the staff. He was bald, gruff, taciturn, and the product of years in the air force—where he had served as a lieutenant general, living all over the world, including in South Korea for a stint in the late ’80s. Clapper had been in North Korean territory only once before—illegally, in 1985, when he was in a military helicopter that veered into North Korean airspace.
This time, he had been invited. So in early November 2014 he landed in Pyongyang in a US government aircraft and was whisked to a state guesthouse on the edges of the capital. In the car along the way the minister of state security began peppering Clapper with questions about whether he had arrived with a major diplomatic offer in hand. “They were expecting some big breakthrough,” Clapper later recalled with some wonderment. “I was going to offer some big deal, I don’t know, a recognition, a peace treaty, whatever. Of course, I wasn’t there to do that, so they were disappointed.”
On his first evening, Clapper found himself having dinner with his North Korean counterpart, the chief of the Reconnaissance General Bureau, Kim Yong-chol.
The traditional Korean meal was spectacularly delicious, Clapper later said, basing his culinary assessment on his years in the South. But that turned out to be the best part of what became a highly unpleasant evening. General Kim, a member of the leadership’s inner circle, “spent most of the meal berating me about American aggression and what terrible people we were.” He told Clapper that Washington was constantly plotting to overthrow the North Korean regime, a charge that is not entirely without merit.
Clapper shot back that it was time for the North to stop starving its people, building gulags, and threatening nuclear holocaust. From there, the discussion went downhill.
“These were the real hardliners,” Clapper concluded.
But at no point in their hours of conversation did The Interview, or the North Korean threats against Sony, much less the North’s breach of the company’s systems, come up.
“I had no idea what was happening back at Sony,” he told me later. “Why would I?”
He was right: that was not how US surveillance systems were set up. The United States had spent more than six decades deploying a vast surveillance capability against North Korea—the NSA was created in the midst of the Korean War—but was almost entirely focused on traditional threats. Hackers working from laptops somewhere in Asia were not the kind of security threat this apparatus was established to detect. And movie studios weren’t the targets the American intelligence community was focused on protecting. In fact, because the law prevents the NSA from conducting surveillance on American soil, it could not look into Sony’s networks.
The day after the dinner, Clapper won the release of the Americans and loaded them onto his plane. But before he left, he had one more encounter with the North Koreans. Along with the newly released Americans, North Korean officials handed Clapper a bill—for his share of dinner with the head of the Reconnaissance General Bureau, along with his room in the state guesthouse and the parking of his aircraft.
“I had to pay in greenbacks,” Clapper later told me. “And it wasn’t a small amount.”
* * *
Clapper’s host, General Kim, likely knew a lot about the Sony hack well before he invited his American visitor to dinner: American intelligence officials now believe that the hackers were working, directly or indirectly, for the Reconnaissance General Bureau. But at the time, the North seemed like America’s least likely concern in cyberspace. After all, who frets about cyberattacks from a country with fewer IP addresses than most city blocks of New York or Boston?
In retrospect, there was a lot that American officials should have been worrying about. Kim might be broke, and living in his own bubble of national adoration, but in 2014 he clearly understood the new contours of national power. He had correctly calculated that a cyber arsenal was the great leveler: It was dirt-cheap. He could launch it from outside the country. And unlike his nuclear arsenal, cyberweapons could be used against his greatest enemy—the United States—without fearing that fifty minutes later his country would be a smoking, radioactive cinder just north of Seoul. Kim recognized that the inevitable US threats of imposing additional economic sanctions against the North for malicious cyber activity were largely empty.*3 In short, cyberweapons were tailor-made for North Korea’s situation in the world: so isolated it had little to lose, so short of fuel it had no other way to sustain a conflict with greater powers, and so backward that its infrastructure was largely invulnerable to crippling counterattacks.
Even Kim’s growing cyber army was a recognition that the United States and its allies would probably spend the next few years debating how to strike back for an attack that doesn’t leave visible, smoldering ruins.
And even if the United States was willing to retaliate, Kim calculated, doing so would not be easy. To most of the world, the absence of computer networks, of a wired society, is a sign of backwardness and weakness. But to Kim, this absence created a home-field advantage. A country cut off from the world, with few computer networks, is a lousy target: there are simply not enough “attack surfaces,” the entry-points for inserting malicious code, to make a retaliatory cyberattack on North Korea viable.