UPDATE (28 MAY 2015): New report, from a distinctly biased Iranian opposition group with a mixed record of reporting on events inside Iran, says a North Korean Defense Ministry team visited Iran the last week of April to share information on nuclear warhead and ballistic missile development. The technology sharing, if true, would be a repeat of previous violations of UN sanctions prohibiting the countries from exchanging ballistic missile technology.
UPDATE (22 FEB 2015): New story from longtime Korea-watcher Donald Kirk on how Iran’s ties to North Korea may hamper any DC-Tehran nuclear deal.
UPDATE (18 DEC): The U.S. has reportedly concluded that North Korea was responsible for the cyber attack on Sony. The report goes on to mention an Iranian – North Korean connection, based on similar techniques used in the Sony attack and previous attacks in South Korea and Saudi Arabia. No word yet on a decision regarding response measures, if any.
Since the signing of a 2012 pact on IT research cooperation between Iran and North Korea, there have been a series of reports on cyber activities and attacks conducted by the two nations. This year alone we have a cyber attack on the Sands Casino in Las Vegas (widely attributed to Iran), an attack on Sony that’s still making headlines (widely attributed to North Korea), and a report last week from a leading cyber security firm highlighting Iranian advances in cyber capabilities likely developed in conjunction with North Korea.
Prior to Sony (if indeed that attack was carried out by the North), Pyongyang had been blamed for a series of attacks on South Korean banking, media, and other websites. In one attack, targeting Nonghyup, the agricultural bank, 30 million customers spent days locked out of their accounts.
In 2012, Iran was blamed for a series of attacks targeting U.S. banks and financial institutions. While damage was limited, the banks involved did eventually turn to the NSA for help. Much of the reporting on Iran has highlighted Iranian attention to the cyber domain in the wake of the successful/disastrous (depending on your point of view) Stuxnet attack on Iran’s nuclear program. This attack awakened the regime to both the dangers and opportunities of the cyber domain, and Iran has been rapidly working to expand its capabilities ever since – including the 2012 agreement with North Korea mentioned above.
Given the increased capabilities of Iran and North Korea, plus their apparent willingness to use cyber means as a tool of security and foreign policy, what can be done? How can such attacks be prevented or deterred? What’s the appropriate response when attacks occur on private (i.e. non-governmental) organizations like banks and other corporations? If a response is deemed necessary, who conducts it? As poor as North Korea is (Iran is comparatively well-off), these are both well-armed, technically-capable nation states, with all of the associated powers that entails. Are Sony and the Sands Casino now supposed to raise private cyber armies and wage wars? That hardly seems an appropriate use of company and shareholder resources for a moviemaker and a casino.
All of this raises the point – when is it appropriate for a government, be it the U.S., Japan, South Korea, or another, to step in and respond? Not just gather intel and provide advice, but actively seek to deter or engage nation-state and other actors carrying out these types of attacks? Is it even possible to deter these attacks, and if so, how? Governments, after all, already have armies; when is it appropriate to use their capabilities, cyber or otherwise?
These questions are not going away; to the contrary, their importance is only going to grow. It’s time the public, business community, and government come up with tools, policies, and a framework for addressing these issues, before the oft-quoted ‘cyber Pearl Harbor’ comes along and forces a response.