Expect North Korean hackers to go after critical infrastructure throughout Asia
The Japan Times | BY BRIAN MOORE
WASHINGTON – Several times last month North Korea launched a handful of short-range ballistic missiles in defiance of the international community. Each time was barely a blip in a news cycle dominated by the global pandemic, but it serves as a reminder that North Korean belligerence is alive and well, and that 2020 likely has not seen the extent of the bag of tricks meant to draw the attention of the global community and to earn cash for the endlessly destitute regime.
In 2017, I argued that Pyongyang was proving that cybercrime pays when you have nothing to lose, and outlined how Kim Jong Un, who rules over a country that still experiences rolling blackouts and chronic oil shortages, has utilized the country’s best and brightest and developed a world-class hacker army. Their successes include the WannaCry ransomware attack in 2017 that crippled hundreds of thousands of computers in more than 150 countries, and the cyberheist of Bangladesh’s central bank that netted more than $80 million.
If trends continue — and nothing suggests that Kim would deviate from such lucrative methods — expect North Korean hackers to go after critical infrastructure throughout Asia, particularly as new and vulnerable technologies are introduced to the region.
Enter floating nuclear power plants (FNPP). Asia, and Southeast Asia in particular, is set to see the rollout of FNPPs over the next two decades. Small modular reactors (SMR) — reactors that are portable and much smaller than conventional units — in combination with growing demand for low-carbon power to battle climate change, are seen as a viable energy technology for many countries in the region.
At a recent conference on nuclear security in the Asia-Pacific region hosted by Pacific Forum, a Honolulu-based think tank, experts highlighted several reasons why a country would deploy SMRs on a barge or platform offshore, including their small size, their ability to be placed offshore in countries that lack the necessary geography for conventional plants, their energy output scalability and reduced capital investment. Additionally, as the majority of Southeast Asian populations live within proximity of the ocean, FNPPs offer the ability to connect distant and remote populations to an energy grid. The U.S. Department of Energy echoes these advantages.
But with the potential rollout of FNPPs across the region, which will share the same cybersecurity vulnerabilities as conventional plants, comes the specter of computer intrusion; and unlike the physical security of nuclear materials and facilities, which has seen unprecedented progress over the last decade, cybersecurity remains insufficient.
The Nuclear Threat Initiative, a Washington-based think tank focused on nuclear security, warns that a cyberthreat risks endangering physical security gains, and that such an attack “could have consequences that reverberate around the world and undermine global confidence in civilian nuclear power as a safe and reliable energy source.”
Pacific Forum’s David Santoro, vice president and director for nuclear policy programs, has warned that nuclear and radioactive security against cyberattacks is a “growing problem that still remains largely ignored today.”
North Korea has shown that its hackers have the capability to compromise advanced computer systems around the world and in a variety of sectors, but the regime has also shown its willingness to attack and hold hostage critical infrastructure, including nuclear facilities.
After a string of attacks aimed at financial institutions, diplomatic cables and the whereabouts and doings of defectors, last year North Korean malware was found on the computers at the Kudankulam Nuclear Power Plant in India. The malware was not identified immediately, and an Indian cybersecurity expert stated that “extremely mission-critical targets” at the plant were affected, and that the intrusions, which could have compromised the reactors themselves, “weren’t destructive because the actor decided against it. We were at its mercy.”
Such an attack could have disastrous consequences that result in radiological release, and in the context of FNPPs, radiological release into a marine environment of global importance; radiation levels in the sea off Fukushima after the 2011 disaster were millions of times higher than the government’s limit.
The question regarding North Korean cyberattacks against FNPPs isn’t whether there is capability or intent, but rather what measures can be proactively taken to deter and defend against such an attack.
The first is deterrence. North Korea operates its cyberarmy and launches attacks with complete impunity. A United Nations panel of experts report found that North Korea netted approximately $670 million from hacks between 2015 and 2018. Far from being punished, Kim was granted summits with the presidents of the United States and South Korea — massive propaganda wins for North Korea both domestically and internationally.
North Korea relies heavily on overseas locations to launch cyberattacks, generally in China but throughout South and Southeast Asia as well. Both the United States and the U.N. should be aggressively sanctioning individuals and entities associated with these operations, and the U.S. should grant victims the right to sue and seek damages. Such actions against third-party actors would considerably raise the risk of enabling North Korea’s cyber operations.
The second is defense. Cybersecurity surrounding FNPPs, and nuclear facilities more broadly, needs to be normalized and institutionalized. Regional and international dialogue, benchmarks and inspections can lend themselves to a more prepared and fortified industry. As FNPPs deployed in Southeast Asia will involve the security equities of each member of the Association of Southeast Asian Nations, nuclear cybersecurity should be given a permanent place on the agenda of ASEAN summits, and should include robust engagement with the International Atomic Energy Agency to develop inspection and approval mechanisms that include each member nation and its cybersecurity experts.
Additionally, nations that supply FNPPs should both (1) be required to provide necessary cybersecurity training and capacity to the acquirer; and (2) be partially accountable for inherent flaws in the equipment or systems that cause cybersecurity vulnerabilities. If a company wants to sell and provide FNPPs to the region, then it needs to share the burden of protecting against nuclear blackmail.
The combination of increasing North Korean cyber belligerence and the deployment of vulnerable technologies in the region gives North Korea an opportunity to hold nuclear systems hostage, with potentially disastrous consequences for an entire region’s waterways.
With the appropriate steps, however, the international community can shut the door on Kim’s cyberarmy and make clear that attacks on FNPPs will not be tolerated, nor will systems be left vulnerable.
Brian Moore is a Pacific Forum young leader and former resident fellow. He previously served as a policy adviser for the U.S. Department of the Treasury, where he specialized in economic sanctions, illicit finance and foreign investment screening related to national security.