Chris Blattman

Computer viruses don’t come with a return address

Is a renegade American responsible for shutting down much of North Korea’s internet?

Just over a year ago, an independent hacker who goes by the handle P4x was himself hacked by North Korean spies. P4x was just one victim of a hacking campaign that targeted Western security researchers with the apparent aim of stealing their hacking tools and details about software vulnerabilities. He says he managed to prevent those hackers from swiping anything of value from him. But he nonetheless felt deeply unnerved by state-sponsored hackers targeting him personally—and by the lack of any visible response from the US government.

So after a year of letting his resentment simmer, P4x has taken matters into his own hands. “It felt like the right thing to do here. If they don’t see we have teeth, it’s just going to keep coming,” says the hacker. (P4x spoke to WIRED and shared screen recordings to verify his responsibility for the attacks but declined to use his real name for fear of prosecution or retaliation.) “I want them to understand that if you come at us, it means some of your infrastructure is going down for a while.”

…On several different days, practically all of its websites—the notoriously isolated nation only has a few dozen—intermittently dropped offline en masse, from the booking site for its Air Koryo airline to Naenara, a page that serves as the official portal for dictator Kim Jong-un’s government. At least one of the central routers that allow access to the country’s networks appeared at one point to be paralyzed, crippling the Hermit Kingdom’s digital connections to the outside world.

That’s Andy Greenberg writing about a vigilante hacker in Wired.

There’s a temptation to look at this and, like the audience in a Batman movie, cheer the vigilante on. This is the “America Fuck yeah” foreign policy, and it has its adherents.

On the other hand, this is terrifying. Three of the best formal theorists of conflict (Baliga, Bueno de Mesquita, and Wolitsky) have a paper on Deterrence with Imperfect Attribution. Here’s one of them presenting a short non-technical version:

In a deterrence strategy, you build up retaliatory capability and commit to use it if attacked. This was the US and Soviet approach to nuclear warfare. It seems wrong to call it the best strategy, but in many situations it is just that, if only because so few options preserve peace and your security at the same time.

The thing is, you could usually count on knowing where a nuclear attack came from. Not so cyber attacks. It’s hard to attribute the attack to any one country. Even now there’s deep uncertainty about who is behind the attacks on North Korea, and it is possible that the North Koreans still place a high probability on the US military. You can imagine them thinking this Wired article is just disinformation.

What this uncertainty does to the strategic environment is deep, complicated, and unresolved. But the game theorists above worked out a few implications.

One is not surprising: Attribution problems have to weaken deterrence as an effective strategy. They inhibit you from committing to a policy of aggressive and certain attack. This makes it more tempting for your enemies to strike. It raises their chances of attacking undetected, of pretending they are another power, and of otherwise fomenting trouble. The existence and proliferation of vigilantes presumably makes cyberattacks and retaliations more likely.

I see some parallels to splinter factions. Suppose the Israeli government and their Palestinian counterparts are negotiating peace when a supposedly renegade force (on either side) attacks the other. Are they really renegades, or is this a bad faith move by one side, striving for advantage in the bargaining? It’s difficult to say. A few weeks ago I reviewed Wendy Pearlman’s book on Israel-Palestine and this was one of the chief obstacles to peace.

Here is Ethan Bueno de Mesquita on how this plays out in US-Iran relations.

A summation might be that bargaining remains the best way to think through conflict (and why it usually doesn’t happen) but bargaining gets very hard when you cannot tell who you are dealing with.