
Lessons from the cyber-attacks on South Korea

by Mihoko Matsubara

Special To The Japan Times

Cyber-attacks paralyzed three major banks and the three largest TV broadcasters in South Korea on March 20, shutting down the computer networks of Shinhan Bank, Nonghyup Bank, Jeju Bank, KBS, MBC and YTN. Seoul suspects North Korea’s involvement because the shutdown came five days after Pyongyang accused South Korea and the United States of cyber-attacks and threatened to retaliate.

The cyber-attacks on South Korea were more sophisticated and better coordinated than earlier distributed denial-of-service (DDoS) attacks: rather than flooding servers with traffic, they used malware to begin destroying operating systems (OS) simultaneously, regardless of whether the hosts ran Windows or Unix.

Fortunately, disruptions to the banks’ operations were relatively short term, and the South Korean media outlets were able to continue broadcasting. Yet the incident demonstrated that perpetrators can target critical infrastructure and cripple its functions, at least partially and temporarily.

Cyber threats are a matter of national security. Theft of military intelligence or intellectual property can degrade the power of a nation, disrupt critical infrastructure and paralyze nationwide operations.

Since cyber-espionage against Mitsubishi Heavy Industries was revealed in 2011, the Japanese government has focused on preventing or minimizing information theft. Nevertheless, Tokyo does not seem to have prepared for massive, simultaneous and physical disruption to critical infrastructure like last week’s cyber-attacks on South Korea.

Chief Cabinet Secretary Yoshihide Suga’s statement showed that Tokyo lacks a sense of crisis. At a press conference March 21, he encouraged the government and infrastructure companies to keep collecting information without specific instructions on how to deal with cyber threats.

Unfortunately, Tokyo forgot a lesson learned from the series of DDoS attacks on the websites of American and South Korean governments and companies in July 2009.

That incident sent a wake-up call to the top Japanese leadership, prodding it to launch the first cybersecurity strategy, “Information Security Strategy for Protecting the Nation.” Then Chief Cabinet Secretary Hirofumi Hirano argued in December 2009 that similar types of cyber-attacks could target Japan in the future, and ordered the government to recognize cyber-attacks as national security threats.

Potential consequences of cyber-attacks on critical infrastructures include sharp declines in stock prices and a downturn in the economy. In a worst-case scenario, citizens could get injured or killed by malfunctioning transportation systems or contaminated water supplies.

As Stuxnet showed in the Iranian nuclear program a couple of years ago, even invisible cyber-attacks can lead to physical disruptions to control systems.

Furthermore, even if media computer networks do not stop broadcasting immediately, long disruptions will erode their capability to gather information and to communicate with the outside world. Psychological uncertainty would also spread through the media. Citizens could turn to online news, but only for as long as the Internet remained accessible.

The Japanese government should take three actions immediately:

(1) Advise both the public and private sectors to check and ensure the security of the servers that distribute patches, so that fake updates cannot be pushed to endpoints. According to Lee Seung Won, manager of the Korea Communications Commission’s network information protection team, malware distributed through a patch management system (the mechanism by which installed software receives updates) partially destroyed hard drives so that the OS was unable to restart.
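The point of (1) is that an update channel an organization trusts is also a channel an attacker can abuse: whatever the distribution server pushes, the endpoints run. The standard defense is to have endpoints accept only updates whose manifest is signed by a key kept off the distribution server, so a compromised server can relay files but cannot mint a valid update. The following Go program is an added illustration of that check, not code from the article or from any of the Korean systems it mentions; the product name, version numbers, payload bytes and key pair are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the only thing that gets signed. It binds the payload bytes
// through their SHA-256 digest, names the product and carries a version so
// the client can refuse re-delivery of an old package.
type Manifest struct {
	Product string `json:"product"`
	Version uint64 `json:"version"`
	SHA256  string `json:"sha256"`
}

// Client holds the pinned verification key, installed out of band with the
// agent (never fetched from the update server), and the version now running.
type Client struct {
	PublicKey ed25519.PublicKey
	Installed uint64
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrProduct      = errors.New("manifest names a different product")
	ErrRollback     = errors.New("manifest version is not newer than installed")
	ErrDigest       = errors.New("payload digest does not match manifest")
)

// Sign runs on the offline signing host, not on the distribution server.
func Sign(priv ed25519.PrivateKey, m Manifest) (raw, sig []byte, err error) {
	raw, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// Verify is the gate the endpoint runs before any payload is written to disk
// or executed. The signature is checked first so unauthenticated bytes are
// never parsed; the digest check is last because it binds the actual payload.
func (c *Client) Verify(product string, raw, sig, payload []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(c.PublicKey, raw, sig) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(raw, &m); err != nil {
		return m, err
	}
	if m.Product != product {
		return m, ErrProduct
	}
	if m.Version <= c.Installed {
		return m, ErrRollback
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, ErrDigest
	}
	return m, nil
}

// Outcome records the verdict for each delivery case below.
type Outcome struct {
	Genuine, Tampered, Forged, Replayed error
}

// Scenario builds one genuine update and three hostile deliveries of the
// kind a compromised distribution server could attempt (constructed data).
func Scenario() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	client := &Client{PublicKey: pub, Installed: 41}
	payload := []byte("constructed sample update package, version 42")
	wiper := []byte("constructed hostile payload disguised as a patch")
	sum := sha256.Sum256(payload)
	raw, sig, _ := Sign(priv, Manifest{Product: "example-agent", Version: 42, SHA256: hex.EncodeToString(sum[:])})

	var o Outcome
	// Genuine manifest and payload: accepted.
	_, o.Genuine = client.Verify("example-agent", raw, sig, payload)
	// Payload swapped on the server, signed manifest left alone: digest check fails.
	_, o.Tampered = client.Verify("example-agent", raw, sig, wiper)
	// Manifest rewritten to cover the swap, but no signing key: signature check fails.
	bad := sha256.Sum256(wiper)
	forged, _ := json.Marshal(Manifest{Product: "example-agent", Version: 43, SHA256: hex.EncodeToString(bad[:])})
	_, o.Forged = client.Verify("example-agent", forged, sig, wiper)
	// Old but genuinely signed manifest replayed after the client moved on: version check fails.
	client.Installed = 42
	_, o.Replayed = client.Verify("example-agent", raw, sig, payload)
	return o
}

func main() {
	o := Scenario()
	fmt.Println("genuine :", o.Genuine)
	fmt.Println("tampered:", o.Tampered)
	fmt.Println("forged  :", o.Forged)
	fmt.Println("replayed:", o.Replayed)
}
```

Two design points matter more than the code. First, the verification key is pinned on the endpoint and never downloaded from the update server, otherwise a compromised server simply ships a new key along with its malware. Second, the signing key lives on a machine that is not the distribution server; if the same host both signs and distributes, an attacker who owns it can produce updates that pass every check above, which is why the article's advice to audit the patch servers themselves still stands.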

(2) Craft a crisis management plan to prepare for large-scale cyber-attacks on critical infrastructure by establishing an advisory council with infrastructure companies and cybersecurity and crisis management experts. The plan must cover the provision of resources including food, medical care and correct information to citizens, as well as instructions for identifying the cause of damages and recovering from them.

It would be better if the government limited distribution of the plan to avoid informing adversaries of Japan’s Achilles’ heel. The advisory council should include case studies on cyber-attacks on critical infrastructure worldwide.

It should also refer to lessons learned from previous cyber-attack simulations hosted by the government and a Japanese think tank, the Canon Institute for Global Studies.

(3) Craft a contingency plan for coordinated attacks, combining cyber and physical (kinetic) offensive means. Three response organizations are the Ministry of Defense (MOD), the Self-Defense Forces and the National Police Agency.

Current laws, including the SDF Law, do not specify responsibility for cyberspace. Exercises are critical for becoming familiar with a degraded information environment in which communications methods are limited. Responders must be able to arrange alternative communications with the prime minister, other agencies and ministries, and parties overseas. The MOD and SDF must also prepare for the loss of GPS and of command and control systems following cyber-attacks.

In January, Prime Minister Shinzo Abe declared that the Japanese government will work on crisis management including a 24/7 response to cyber-attacks.

The cyber-attacks on South Korea have become the first touchstone of the Abe administration’s attention to cybersecurity.

Mihoko Matsubara is a cybersecurity analyst. She is also a nonresident research fellow at Pacific Forum CSIS, Honolulu.

  • Dan

    Unfortunately, it may take an attack to get real action…

  • Patricia Bew

    Ms Matsubara makes good points here — this will take proactive policy
    development even without a public mandate. Citizens will not demand
    action unless their access to Facebook and Youtube is interrupted, but
    they fail to realize that action is required now to protect infrastructure…and that the attacks against that infrastructure are already well underway.