
Shutting the door on North Korea’s cyber army in Southeast Asia

With North Korea's cyber army of hackers a vital source of income for the country's repressive regime, US policy adviser Brian Moore argues that Southeast Asia's adoption of nuclear power over the next two decades will leave states vulnerable to attack

Brian Moore
July 22, 2020
A woman is reflected in a window as she sits at a computer at the Pyongyang Bag Factory in the North Korean capital. Photo: Ed Jones/ AFP

This opinion piece has been written on behalf of Pacific Forum by members of their Young Leaders Program, and published in partnership with Southeast Asia Globe as part of a weekly series looking at geopolitical issues impacting the Asia-Pacific.

Several times this year North Korea has launched a handful of short-range ballistic missiles in defiance of the international community.

Each time was barely a blip in a news cycle dominated by a global pandemic, but it serves as a reminder that North Korean belligerence is alive and well, and that 2020 likely has not seen the extent of the bag of tricks meant to draw the attention of the global community and to earn cash for the endlessly destitute regime.

In 2017, I argued that Pyongyang was proving that cybercrime pays when you have nothing to lose, and outlined how Kim Jong Un, who rules over a country that still experiences rolling blackouts and chronic oil shortages, has utilised the country’s best and brightest and developed a world class hacker army. Their successes include the WannaCry ransomware attack in 2017 that crippled hundreds of thousands of computers in more than 150 countries, and the 2016 cyber heist of Bangladesh’s central bank that netted more than $80 million.

If trends continue, and nothing suggests that Kim would deviate from such lucrative methods, expect North Korean hackers to go after critical infrastructure throughout Asia, particularly as new and vulnerable technologies are introduced to the region.

Enter floating nuclear power plants (FNPP).

Asia – and Southeast Asia in particular – is set to see the rollout of FNPPs over the next two decades. Small modular reactors (SMR) – reactors that are portable and much smaller than conventional reactors – in combination with growing demand for low-carbon power to battle climate change, are seen as a viable energy technology for many countries in the region.

At a conference earlier this year on nuclear security in Asia Pacific hosted by Pacific Forum, a Honolulu-based think tank, experts highlighted several reasons why a country would deploy SMRs on a barge or platform offshore. These included their small size, their ability to be placed offshore in countries that lack necessary geography for conventional plants, their energy output scalability, and reduced capital investment.

Additionally, as the majority of Southeast Asian populations live within proximity to the ocean, FNPPs offer the ability to connect distant and remote populations to the grid. The US Department of Energy echoes these advantages.

But with the potential rollout of FNPPs across the region, which will share the same cybersecurity vulnerabilities as conventional plants, comes the spectre of cyber intrusion; and unlike the physical security of nuclear materials and facilities, which has seen unprecedented progress over the last decade, cybersecurity remains insufficient.

The Nuclear Threat Initiative, a Washington-based think tank focused on nuclear security, warns that a cyber threat risks endangering physical security gains, and that such an attack “could have consequences that reverberate around the world and undermine global confidence in civilian nuclear power as a safe and reliable energy source”.

Pacific Forum’s David Santoro, Vice President and Director for Nuclear Policy Programs, has warned that nuclear and radioactive security against cyber-attacks is a “growing problem that still remains largely ignored today”.

North Korea has shown that its hackers have the capability to compromise advanced computer systems around the world and in a variety of sectors, but the regime has also shown its willingness to attack and hold hostage critical infrastructure, including nuclear facilities.


After a string of attacks aimed at financial institutions, diplomatic cables, and the whereabouts and doings of defectors, last year North Korean malware was found on the computers at the Kudankulam Nuclear Power Plant in India. The malware was not identified immediately, and an Indian cyber-security expert stated that “extremely mission-critical targets” at the plant were affected, and that the intrusions, which could’ve compromised the reactors themselves, “weren’t destructive because the actor decided against it. We were at its mercy.”

Such an attack could have disastrous consequences that result in radiological release, and in the context of FNPPs, radiological release into a marine environment of global importance; radiation levels in the sea off Fukushima after the 2011 disaster were millions of times higher than the government’s limit.

The question regarding North Korean cyber-attacks against FNPPs isn’t whether there’s capability or intent, but rather what measures can be proactively taken to deter and defend against such an attack.

Floating Nuclear Power Plant the Akademik Lomonosov is towed to Atomflot moorage at the Russian northern port city of Murmansk on May 19, 2018. Photo: Alexander Nemenov/AFP

The first is deterrence. North Korea operates its cyber army and launches attacks with complete impunity. A UN panel of experts report found that North Korea netted approximately $670 million from hacks between 2015 and 2018. Far from being punished, Kim was granted summits with the presidents of the United States and South Korea – massive propaganda wins for North Korea both domestically and internationally.

North Korea heavily relies on overseas locations to launch cyberattacks, generally in China but throughout South and Southeast Asia as well. Both the US and the UN should be aggressively sanctioning individuals and entities associated with these operations, and the US should grant victims the right to sue and seek damages. Such actions would considerably raise the risk of enabling North Korea’s cyber operations.

The second is defence. Cybersecurity surrounding FNPPs, and nuclear facilities more broadly, needs to be normalised and institutionalised. Regional and international dialogue, benchmarks, and inspections can contribute to a more prepared industry. As FNPPs deployed in Southeast Asia will involve the security equities of each ASEAN member, nuclear cybersecurity should be given a permanent place in the dialogue of ASEAN summits, and should include robust engagement with the International Atomic Energy Agency to develop inspection and approval mechanisms that include each member nation and its cybersecurity experts.

Additionally, nations that supply FNPPs should, first, be required to provide the necessary cybersecurity training and capacity to the acquirer and, second, be partially accountable for inherent flaws in the equipment or systems that cause cybersecurity vulnerabilities.

The combination of increasing North Korean cyber belligerence and the deployment of vulnerable technologies in the region gives North Korea an opportunity to hold nuclear systems hostage, which could have disastrous consequences for an entire region’s waterways.

But with the appropriate steps, the international community can shut the door on Kim’s cyber army and make clear that attacks on FNPPs will not be tolerated nor will systems be left vulnerable.  

Brian Moore is a Pacific Forum young leader and former resident fellow. He previously served as a policy adviser for the US Department of the Treasury, where he specialised in economic sanctions, illicit finance and foreign investment screening related to national security. This article was originally published in the Japan Times.
