In May 2017, more than 230,000 computers in 150 countries running Microsoft Windows were infected by a particularly noxious strain of ransomware known as WannaCry. Seven months later, on December 19, the US government pointed the finger squarely at a somewhat surprising perpetrator: North Korea.
“The [WannaCry] attack was widespread and cost billions and North Korea is directly responsible,” White House Homeland Security Advisor Thomas Bossert wrote in an op-ed for The Wall Street Journal.
Bossert’s declaration marked a turning point in the government’s public stance on the North Korean cyberthreat, putting the rogue state on par with other sophisticated nation-states that have previously been accused of conducting malicious cyber activity, including Russia and Iran.
The government’s reaction was noteworthy for another reason: It showed the US’s continued resolve to name and shame state actors. In a press conference on the 19th with Bossert and Jeanette Manfra, Assistant Secretary for Cybersecurity & Communications with the Department of Homeland Security (DHS), and in subsequent reports by the DHS, the government made clear its intention to identify foreign adversaries in future cyberattacks.
Perhaps most importantly, the government has made clear that combatting future cyberattacks cannot and will not be a job reserved solely for law enforcement or the military. Manfra called for more cooperation between the private and public sectors, describing the fight as a “shared responsibility between government, industry and the American people.”
Businesses and other private organizations must be willing to share their technical insights and experience with the government and take an active role in improving the health and security of the overall infrastructure. For its part, the government must continue providing actionable information to the private sector.
“Government and industry must work together now more than ever if we are serious about improving our collective defense,” Manfra said.
HIDDEN COBRA EMERGING
Though WannaCry is the most recent reminder of North Korea’s ability to wreak digital havoc, it isn’t the first. A major event occurred in 2014 with the Sony Pictures Entertainment hack, which has been widely attributed to North Korea in retaliation for production of a movie (“The Interview”) it deemed offensive to its leadership. The well-publicized breach showed that North Korea was willing to unleash cyber destruction against private businesses to support the regime. The attack not only produced leaks that embarrassed Sony officials, who pulled mainstream distribution of the film, but also destroyed 70 percent of the company’s laptops and computers.
In the interim, North Korea has become more aggressive. In June 2017, the Department of Homeland Security and the FBI launched a repository for all technical alerts and analysis of malicious cyber activity associated with North Korea, named “Hidden Cobra.” Manfra urged businesses and private organizations to look at the material carefully and help the government address vulnerabilities.
The WannaCry attack wasn’t quite as pointed as the Sony hack. The malicious actors took advantage of a vulnerability in Microsoft’s Windows software using exploit code called EternalBlue, but the targeting was indiscriminate. It’s difficult to say whether the random nature of the attack makes it more disturbing or less.
PUBLIC-PRIVATE TO-DO LIST
What does a shared responsibility between the public and private sectors actually look like? Each group must bring its unique strengths and capabilities to the table:
- Ramp up diplomatic engagements to build stronger coalitions and engage countries that are unaware of how they are affected by malicious cyberactivity
- Establish cybersecurity agreements that foster cooperation with other countries, such as the 2015 US-China agreement that targets espionage for commercial gain
- Build cases against and sanction malicious entities or those that support them and freeze their assets
- Coordinate law enforcement efforts and pursue more indictments against malicious actors
- Enhance actionable information sharing with the private sector
- Establish and share best practices for countering cyberattacks and other malicious activity
- Ensure that systems are patched and updated
- Actively collaborate and share actionable information with other businesses and the government
- Participate in efforts to secure infrastructure and impede malicious cyberactivity
STARTING PLACE FOR BUSINESS
At the December 19 press conference, Manfra praised Facebook and Microsoft for taking actions on their own to disrupt North Korean hackers after the WannaCry attack.
Sharing information about attacks or attempted incursions by North Korean bad actors is an excellent jumping-off point for enhanced cooperation between the government and business. Because the US is not entwined with North Korea economically or diplomatically, there is almost no potential impact on business, the bottom line or foreign policy from comparing notes.
Beyond that, private companies must be aware of their vulnerabilities and have a proactive plan in place to both reduce the odds of suffering an attack and mitigate damage should an intrusion occur. Implementing cybersecurity best practices and mitigating idiosyncratic risks is no longer an option; it is a must. That’s because the question of whether North Korea or another bad actor will attempt another global cyberattack is not a question of if. It is a question of when.