On September 30, 2017, The Washington Post reported that President Trump signed a presidential directive against North Korea.
According to the article, the directive authorized a DDoS campaign against “hackers in North Korea’s Reconnaissance General Bureau, DPRK’s military spy agency, by barraging their computer servers with traffic that choked off Internet access.” The article goes on to stress that the actions “were temporary and not destructive.” Finally, there was a note of self-congratulation with “North Korean hackers griped that lack of access to the Internet was interfering with their work.”
These three statements provide significant insight into the dysfunction that is the U.S. Cyber Command and the enormous loss of intelligence capabilities that the administration is willing to sacrifice for the appearance of action.
When your operations are decided by committee and the goal is simply to do something rather than achieve a legitimate outcome, you’re left floundering with 1990s capabilities, needlessly burning intelligence capabilities, and declaring a victory without first auditing what the enemy has to say about the action.
This operation, if conducted in the manner portrayed by The Washington Post’s sources, is tantamount to burning down intelligence for the sake of action. If they targeted the actors and not the headquarters, that means that U.S. Cyber Command (USCC) did five remarkably foolish things:
DDoSing your enemy on this scale is the equivalent of a petulant child throwing an extended temper tantrum. Unless you’re using it to keep a target offline for a very specific and temporary purpose, all you are doing is wasting packets. Going forward, the U.S. government should focus on two distinct areas. If the goal is to interrupt DPRK cyber operations, then it should go after the code repositories and staging servers for the malicious tools. If the goal is some form of obfuscated deterrence, then the government should go after the regime’s cryptocurrency wallets. In both cases, all operations from USCC should cease and be moved under a covert action finding, unless we’re going to implant a giant waving American flag in each piece of malware used to ensure that the actors know that it is the U.S. and we are using these actions to demonstrate escalation dominance.
If the goal is to take the DPRK cyber program out of the game for a significant period of time, opportunistically neutering tools will sow discord in the program and force a structural adjustment to how it conducts its operations. This type of attack does not require a 100 percent success rate; it has to interfere with enough high-value operations that questions become unavoidable. If the program is forced to stand down, audit all of its code, and repair or rebuild its tools, that greatly degrades its operating capacity and also has the potential to decapitate leadership if Kim Jong Un gets personally involved in the mounting failures.
One of the main advantages that the North Korean regime sees in Bitcoin is that no institution can cut off its access to the money. After North Korea’s third nuclear test, China took the unprecedented step of actually freezing DPRK bank accounts. This taught the regime not to rely on traditional institutions beyond its control. With Bitcoin, the ledger is public, but coins held under keys the regime itself controls are almost impossible to freeze or sanction with the traditional powers afforded to the United States or the United Nations. If the government cannot use the Treasury Department to sanction this source of capital, perhaps it is time to make some incredibly generous donations to aid organizations on behalf of the regime. The DPRK itself has demonstrated how easy it is to hijack cryptocurrency wallets. A systematic campaign to take control of these assets and transfer them to a controllable space would not only further enforce legitimate sanctions, but would also send a stark message to the regime that no money held outside of the country is truly safe.