Could a determined foreign government – North Korea, say – bring the U.S. to its knees by attacking it in cyberspace?

That was the premise behind an intellectual exercise security consultant Charlie Miller used as the basis for a talk delivered first at a NATO conference in Estonia and then again at the DefCon 18 IT security (read: hacker) convention in Las Vegas last month.

Miller’s conclusion: you bet.

His DefCon talk was wittily titled, “Kim Jong-Il And Me: How To Build A Cyber Army To Defeat The U.S.” (The slides are here.)

Miller, principal analyst at Independent Security Evaluators, where he runs a team that stress tests software security for developer clients, can even tell you how long it would take to build Kim’s cyber army and how much it would cost.

Two years. $100 million.

The exercise was no hacker’s mind game. NATO contacted Miller “out of the blue,” he says, and asked him to speak about something “cyberwar-related” at an upcoming conference on cybersecurity in Estonia.

“I’m not an expert in cyberwar,” Miller says. “But what I am good at is attacking systems. It’s what I do as a consultant.”

So he came up with the idea of a hypothetical consulting contract to plan the development of a cyber army that could defeat the U.S. His fictional client: North Korea.

Miller doesn’t describe himself as an “ethical hacker,” but concedes that some would. It’s his job to assume the role of bad guys. So pretending to carry out a development project for a rogue foreign government wasn’t a huge stretch.

NATO – the North Atlantic Treaty Organization, the cold war military buttress against the Red Menace – no doubt also knew about Miller’s background at the U.S. National Security Agency (NSA), where he was a global network exploitation analyst from 2000 to 2005.

“I can’t say too much about what I did there,” he says. (But we can maybe guess.)

Making the hypothetical client North Korea was not random. Besides being an implacable foe of the U.S., the Dear Leader’s fiefdom gave him free rein to plausibly flout international law and damn the torpedoes when it came to deliberate or collateral damage to the larger Internet.

“North Korea doesn’t care about any of that,” Miller notes. “That’s why it was convenient to make it them.”

The plan called for hiring “some very smart people” to work out the details of how to achieve the objective. The $100 million bought some equipment, but mostly paid salaries for up to 600 cyber warriors.

Miller laid plans for a variety of different kinds of attacks that in concert could defeat the U.S. Some would target key servers and Internet routers with denial of service exploits to bring them down.

Others would involve infiltrating and taking control of key systems, including the power grid, stock exchanges and “military targets, of course.”

He also outlined plans for infiltrating military systems that are not on the Internet, and showed how to maintain communications with systems targeted for take-over once the public Internet started to crash.

Why two years?

“That’s how long I said it would take to get ready,” Miller says. “When you’re talking about secret military networks – you can’t do that in a day. It takes a long time to research it and lay out what you’re going to do in detail.”

But after two years, he says, America’s fate would be sealed. By then the systems would be infiltrated and you would have lost control of them. “At that point, there’s nothing you can do. You’re basically screwed.”

Which is a big part of why Miller developed the plan: to show that it would be possible for a determined adversary, given time and resources, to infiltrate and take control of critical parts of the U.S.’s cyber infrastructure.

“If you detect what they’re doing in those two years, you might be able to stop them,” Miller says.

“But you can’t wait for cyberwar to break out, because by then it’s too late. That’s really the major take-away from this. You have to be constantly vigilant. If you are, you might be okay.”

What about the contention from Richard A. Clarke and Robert Knake in their book Cyber War: The Next Threat to National Security and What to Do About It that many of the threats in the cyberwar-cyber espionage arena cannot be defended against? (We wrote about the book last month.)

Defense is “really hard,” Miller concedes. “The reason is that you have to defend against every possible kind of attack. So defense is inherently harder than offense. Which is why I like offense.”

One of the lessons learned from the Google hacking episode of a few months ago is that even “fully patched,” supposedly secure infrastructure can be breached.

That doesn’t mean defense is impossible, though, Miller says. Part of the trick for enterprise IT professionals is to not fall into a false sense of security.

To guard against the kind of attacks his hypothetical North Korean cyber army planned, you need to assume the worst, he says. “Assume that your security could be compromised and expend effort trying to detect that it has been.”

That may sound slightly defeatist, but think of it rather as the jujitsu approach to cyber security: learning to accept your weakness as a starting point to defeating a stronger enemy.

Gerry Blackwell is a veteran technology journalist based in Canada.