Much has been said in the past month about Guam’s military readiness in the event of a missile attack, with most of the rhetoric spurred on by media fervor surrounding direct threats to Guam from North Korea.
Adelup officials, facing the international spotlight for days, essentially repeated the same statement: America and its allies are ready to intercept any threat to Guam, and the likelihood of a successful missile strike remains incredibly low.
But conventional warfare is hardly the only arsenal in North Korea’s repertoire, nor is it the favored option for any country seeking to threaten or disrupt the United States. In the face of more stringent sanctions and increasing isolation, the hermit kingdom has made strides in its cyber capabilities.
Guam Homeland Security and the Office of Civil Defense held a proclamation signing on Sept. 29 marking October as National Cyber Security Awareness Month. The governor’s Homeland Security adviser, George Charfauros, attended the signing.
Charfauros has been a key spokesman in diluting fears of a potential missile attack on Guam. He has stated that the chance of a successful attack is 0.0000051 percent.
Meanwhile, the chances of a successful cyberattack – while still unlikely – is much higher, at 0.1 percent risk. Strengthening Guam’s cybersecurity infrastructure is Charfauros’ second highest priority.
“Cyber threats are a bigger threat to the island than North Korea’s missiles. We already have defenses in place for the missiles. … Defending against (cyber threats) is much more difficult than defending against a ballistic missile,” Charfauros told The Guam Daily Post.
The advantage of cyber warfare over conventional means is the low cost to the attacker and high impact disruption to the target.
Perhaps the most well-known example of North Korean cyber capabilities is the 2014 attack on Sony Pictures, reportedly instigated by “The Interview,” a film about a fictional plot to assassinate the country’s leader, Kim Jong Un.
North Korea is also believed to be behind the attacks on Bangladesh’s central bank and a global ransomware attack using “WannaCry,” according to a Sept. 25 report from CNN.
Ransomware encrypts a user’s data until a payment is made, usually through the cryptocurrency Bitcoin. Much of North Korean-backed cyberattacks appear to be made with the intent of funneling money into the impoverished nation.
“They are definitely in the B team, but they have capabilities nonetheless,” said John Dickson, a cybersecurity expert and principal at Denim Group Ltd., a company in the business of software security.
Dickson had been tracking North Korean cyber activity for years.
“I characterize (North Korea) as having increasing capability – they are nowhere near the level of the Chinese or Russians, but the thing about nation states is they are able to concentrate a handful of smart people and put a lot of resources at something, and also have a sustained focus,” Dickson added.
North Korea also has the ability to outsource its cyber expertise, and cyber warfare does come with another advantage: It is more difficult to say with certainty where a cyberattack originated.
Assuming Pyongyang is unwilling to initiate the mutual destruction that may come with an attack using conventional weaponry on U.S. soil, the threat of cyberattack can’t be discounted, Dickson said.
And in the event North Korea does decide to attack Guam or anywhere else in the U.S., the operation will most likely focus on weakening key elements of infrastructure, such as utilities.
In late December 2015, Ukrainian power companies experienced an unprecedented breach of their systems, resulting in unscheduled outages affecting about 225,000 customers.
An interagency investigation discovered that the power outages were caused by remote cyber intrusions at three regional power companies, according to an alert from the Industrial Control Systems Cyber Emergency Response Team of the U.S. Department of Homeland Security.
The cyberattacks at each company occurred within 30 minutes of each other. The perpetrators remotely operated the system using either existing administrative tools or a virtual private network. Some systems were corrupted or wiped using the “KillDisk” malware at the conclusion of the cyberattack.
Ukraine quickly pinned the blame on Russia, with which it has had increasing contention over the annex of Crimea.
“The problem with utilities is this: Guess who would ever care about attacking the utilities? It’s the nation states … Russia, China, North Korea and whoever else,” Dickson said.
“Our fear on the U.S. side is that these nation states are quietly getting into these places and capturing systems and holding onto them for future use … whenever things get crazy on the international stage.”
The desire to hold onto utility vulnerabilities as a trump card in the event of major international unrest may mitigate the disruption to power companies today, but it also means the industry has less experience with catastrophic breaches than industries that are under constant attack, such as the financial industry, according to Dickson.
“So if you go to these utilities’ board of directors, they’re still a little skeptical. I worry that they view this as something that happens to other people,” he added.
Guam’s utility agencies also have made cybersecurity a top priority, although specific details of these initiatives remain confidential.
GPA General Manager John Benavente said the utilities are in communication with federal, local and private sector experts as they work to strengthen their cybersecurity.
In 2016, GPA began a $1.6 million project to install a supervisory control and automated data acquisition system, or SCADA, which essentially acts as a central operating system for the power grid. The project is slated for completion in summer 2018.
While Benavente spoke about safeguards within current SCADA software, the vulnerability of the system is documented. A 2015 threat report from DELL found that attacks on SCADA-backed infrastructure doubled between 2013 and 2014.
SCADA breaches often go unreported because companies are required to report only breaches involving payment or personal information, according to the report.
“As a result, other industrial companies within the space might not even know a SCADA threat exists until they are targeted themselves,” the report stated.
All utility agencies share issues with SCADA or industrial control systems, according to Dickson.
“They are just a problem to manage. … They are not designed to be updated. They’re usually remote. They’re like a single-purpose device. … They’re not designed to be remotely monitored in certain instances. They’re not designed to be security scanned,” Dickson said.
Benavente said GPA may operate the power system manually in the event the SCADA is breached.
Meanwhile, Dickson said generally there is much more cooperation between utilities and the Department of Homeland Security to mitigate and develop counter measures against cyberattacks.
“I would just say that the world is changing and we hope these things don’t happen,” he added.