Could a determined foreign government (North Korea, say) bring the U.S. to its knees by attacking it in cyberspace?
That was the premise behind an intellectual exercise security consultant Charlie Miller used as the basis for a talk delivered first at a NATO conference in Estonia and then again at the DefCon 18 IT security (read: hacker) convention in Las Vegas last month.
Miller's conclusion: you bet.
His DefCon talk was wittily titled "Kim Jong-Il And Me: How To Build A Cyber Army To Defeat The U.S." (The slides are here.)
Miller, principal analyst at Independent Security Evaluators, where he runs a team that stress tests software security for developer clients, can even tell you how long it would take to build Kim's cyber army and how much it would cost.
Two years. $100 million.
The exercise was no hacker's mind game. NATO contacted Miller out of the blue, he says, and asked him to speak about something cyberwar-related at an upcoming conference on cybersecurity in Estonia.
"I'm not an expert in cyberwar," Miller says. "But what I am good at is attacking systems. It's what I do as a consultant."
So he came up with the idea of a hypothetical consulting contract to plan the development of a cyber army that could defeat the U.S. His fictional client: North Korea.
Miller doesn't describe himself as an ethical hacker, but concedes that some would. It's his job to assume the role of bad guys. So pretending to carry out a development project for a rogue foreign government wasn't a huge stretch.
NATO (the North Atlantic Treaty Organization, the Cold War military buttress against the Red Menace) no doubt also knew about Miller's background at the U.S. National Security Agency (NSA), where he was a global network exploitation analyst from 2000 to 2005.
"I can't say too much about what I did there," he says. (But we can maybe guess.)
Making the hypothetical client North Korea was not random. Besides being an implacable foe of the U.S., choosing the Dear Leader's fiefdom gave him free rein to plausibly flout international law and damn the torpedoes when it came to deliberate or collateral damage to the larger Internet.
"North Korea doesn't care about any of that," Miller notes. "That's why it was convenient to make it them."
The plan called for hiring some very smart people to work out the details of how to achieve the objective. The $100 million bought some equipment, but mostly paid salaries for up to 600 cyber warriors.
Miller laid plans for a variety of different kinds of attacks that in concert could defeat the U.S. Some would target key servers and Internet routers with denial of service exploits to bring them down.
Others would involve infiltrating and taking control of key systems, including the power grid, stock exchanges and, of course, military targets.
He also outlined plans for infiltrating military systems that are not on the Internet, and showed how to maintain communications with systems targeted for takeover when the public Internet started to crash.
Why two years?
"That's how long I said it would take to get ready," Miller says. "When you're talking about secret military networks, you can't do that in a day. It takes a long time to research it and lay out what you're going to do in detail."
But after two years, he says, America's fate would be sealed. "By then systems would be infiltrated, you'd have lost control of them. At that point, there's nothing you can do. You're basically screwed."
Which is a big part of why Miller developed the plan: to show that it would be possible for a determined adversary, given time and resources, to infiltrate and take control of critical parts of the U.S.'s cyber infrastructure.
"If you detect what they're doing in those two years, you might be able to stop them," Miller says.
"But you can't wait for cyberwar to break out, because by then it's too late. That's really the major take-away from this. You have to be constantly vigilant. If you are, you might be okay."
What about the contention from Richard A. Clarke and Robert Knake, in their book "Cyber War: The Next Threat to National Security and What to Do About It," that many of the threats in the cyberwar-cyber espionage arena cannot be defended against? (We wrote about the book last month.)
"Defense is really hard," Miller concedes. "The reason is that you have to defend against every possible kind of attack. So defense is inherently harder than offense. Which is why I like offense."
One of the lessons learned from the Google hacking episode of a few months ago is that even fully patched, supposedly secure infrastructure can be breached.
That doesn't mean defense is impossible, though, Miller says. Part of the trick for enterprise IT professionals is to not fall into a false sense of security.
To guard against the kind of attacks his hypothetical North Korean cyber army planned, you need to assume the worst, he says. Assume that your security could be compromised and expend effort trying to detect that it has been.
That may sound slightly defeatist, but think of it rather as the jujitsu approach to cyber security: learning to accept your weakness as a starting point to defeating a stronger enemy.
Gerry Blackwell is a veteran technology journalist based in Canada.