54.As with its nuclear programme, North Korea has also rapidly developed its cyber capability, enabling it to conduct numerous attacks across the world. It began its pursuit of cyber capabilities in the early 1990s, following the first Gulf War, and initial attacks were targeted against South Korea. However, it was its assault on Sony Pictures in November 2014 that first drew the world’s attention to its potential. This has since been further illustrated by increasingly sophisticated or widespread attacks, with examples as set out in the table below.
Table 3: Examples of cyber-attacks attributed to North Korea
Attacks on South Korean banks and media agencies, disrupting websites, shutting down computers and erasing hard drives.
Attack on Sony Pictures, stealing data and erasing hard drives. This was in response to the film, The Interview, as it was considered a slight on Kim Jong-un. The film was pulled from cinemas, although later re-released.
Theft of $101 million from the Bangladesh Central Bank via the SWIFT electronic payment system. There have also been reports of electronic thefts from other banks across the world since 2015.
Theft of $73 million worth of bitcoins in a hack of the Youbit exchange in South Korea. A further attack in December 2017, which closed the exchange, is also likely to have been the work of North Korea.
Global ransomware attack, Wannacry, affecting more than 200,000 computers in at least 100 countries. The attack exploited a vulnerability in Windows operating systems and locked users out of infected computers and other devices, unless they paid out a ransom. The attack is considered to be the work of the Lazarus Group, under the direction of North Korea.
55.Robert Hannigan, a former director of GCHQ, has been reported as admitting that the North Korean cyber-threat “crept up on us”, and that “because they are such a mix of the weird and absurd and medieval and highly sophisticated, people didn’t take it seriously”.
56.Following the Sony Pictures attack, North Korea’s cyber capabilities were seen as an increasing threat to other countries. The Centre for Strategic and International Studies reported in 2015 that North Korea was already “emerging as a significant actor in cyberspace with both its clandestine and military organisations gaining the ability to conduct cyber operations”. Nigel Inkster told us that the early North Korean attacks were initially unsophisticated, but that he now ranks the country highly in its capabilities compared to other countries.
I would not put them in the same league as China and Russia in terms of either firepower, so to speak, or technical sophistication, but they are moving up the chain rapidly. I think it is a moot point whether they merit inclusion in the premier league, or whether they are still teetering on the brink of first division/premier league, but they are definitely up around that area.
57.The success of North Korean cyber operations reflects the attention that the country has put into this field. The Centre for Strategic and International Studies reported in 2015 that North Korea has sophisticated organisations conducting cyber operations, with an estimated 6,800 hackers, supported by a technology base capable of hardware and software development. Nigel Inkster and the NCC Group told us about the well-established pipeline to develop skilled cyber personnel, for example, putting “their brightest and best students” into elite North Korean or overseas universities. The NCC Group also noted the additional privileges for workers in cyber operations.
58.It is also likely that some regimes tacitly allow North Korea to base cyber operations in their countries. For example, Nigel Inkster told us that one of the North Korean cyber units has an operational base in a hotel in China, and that its activities must be known to the Chinese, given the bandwidth required and the close monitoring of web usage by the Chinese government. FCO Minister Mark Field noted that it is not clear whether there has been concerted cooperation between North Korea and neighbouring countries. However, he was certain that the UK Government was raising its concerns with these countries:
Rest assured, we will have those discussions—at times publicly but, more often than not, privately—to make clear our displeasure.
59.Experts also consider that North Korean cyber capabilities will only improve. Robert Hannigan wrote in the Financial Times in October 2017 that the “Pyongyang regime’s capabilities will improve and they will continue to surprise us, as they have in other technology areas. There are an increasing number of sophisticated cyber tools available; they will learn from their mistakes and use them to better effect.” Nigel Inkster also told us that cyber-attack “is one of those areas where you learn best by doing. They [the North Koreans] are very active and they are working very hard to keep pace with the most up-to-date, cutting-edge techniques.”
60.It is likely that North Korea has already conducted a cyber-attack on the UK through the Wannacry ransomware, which particularly disrupted the UK’s health system. The National Audit Office reported that at least 81 NHS trusts (34% of all trusts across England) were affected, along with nearly 600 GP practices. NHS England estimated that more than 19,000 appointments would have been cancelled as a result. The FCO formally confirmed that North Korea was likely to be behind the attacks in December 2017. Defence Minister Earl Howe accepted that Wannacry constituted an attack by North Korea on the UK.
61.Witnesses, nevertheless, agreed that the UK was unlikely to have been the main target. Nigel Inkster felt that North Korea was fortunate to have affected the UK to the degree it did with Wannacry, being “a function of the serendipitous discovery that our healthcare sector in particular was heavily dependent on operational systems that were no longer supported by the manufacturers”. Asked whether the UK was the target, Earl Howe told us that:
One has to assess whether that was the intended target. It is in the nature of viruses like that that you cannot predict where they will hit. Indeed, it was not just our NHS institutions; I understand many organisations around the world were affected. My understanding is that the target for that was South Korea but, in the nature of those activities, these viruses can spread almost anywhere.
62.Our witnesses did not consider that the UK is a specific target for North Korean cyber-attacks. For example, as with North Korea’s nuclear targeting, Nigel Inkster thought that the UK was not on North Korea’s priority list.
We need to keep things in context. North Korea has a hierarchy of targets: they are most worried about South Korea, Japan and the United States, because they are the countries that most immediately impact on their national security.
63.Nevertheless there is a risk that the UK may be subject to future North Korean cyber-attacks either in the course of Pyongyang’s pursuit of hard currency or in retaliation to perceived slights to the regime. The Intelligence and Security Committee reported in its 2016–17 Annual Report that “GCHQ has informed us that there is significant risk of a similar attack on the UK”, comparable with that on Sony Pictures. In its written evidence, the MoD told us that:
We judge North Korea to have a relatively low threshold for use of offensive cyber capabilities. For the most part, North Korean cyber-attacks have targeted South Korea. But as international sanctions tighten, the country may place more emphasis on the money-making opportunities that these capabilities afford, thereby subverting sanctions. Any actions of governments (including the UK) or corporate entities perceived by the regime to be insulting to the regime could lead to the use of offensive cyber.
64.The risks are heightened by North Korea’s recklessness in its use of cyber-attacks, with little or no regard to retaliation or who might be affected. The Intelligence and Security Committee reported in its 2016–17 Annual Report that North Korea “is prepared to use its capabilities without any concern for attribution, and for ideological motives which are alien to other countries”. Earl Howe, when talking about Wannacry, also remarked that “I think Kim probably did not care very much where, who or what was affected …”
65.The North Korean cyber threat, however, remains below that of Russia and China, given their more sophisticated cyber capabilities. As Nigel Inkster told us, “If we have reasonable defences to deal with the Chinas and the Russias, we should be able to handle North Korea.”
66.North Korea has shown that it has both the ability and intent to conduct cyber-attacks around the world, whether for financial gain or in response to perceived slights against its leader. It has also demonstrated a level of sophistication which makes it one of the world’s most advanced cyber powers.
67.It is likely that North Korea has already successfully attacked the UK with the Wannacry ransomware, although we agree with the Government that the UK was probably not intended to be the principal target. Nevertheless, the Wannacry attack highlighted basic vulnerabilities in UK information technology systems. With North Korea unconcerned by who gets hurt when it lashes out, the UK will continue to be at risk from North Korean cyber-attacks.
68.The Government acknowledges the need for ever-improving cyber defences as cyberspace becomes ever more critical to the UK and the range of cyber-threats intensifies. In its most recent National Cyber Security Strategy, 2016 to 2021, the Government set out the increasing cyber-threat from not only state and state-sponsored groups, but also from cyber-criminals, terrorists and hacktivists.
69.To improve UK cyber-capabilities, including cyber-defences, the Government has been increasing investment in this area since the start of the decade. The 2010 National Security Strategy and 2013 Spending Review allocated a total of £860 million to the National Cyber Security Programme. The 2015 National Security Strategy and Strategic Defence and Security Review then announced £1.9 billion, over the following five years, for cyber-defence and ‘sovereign capabilities in cyber space’. In its written evidence, the MoD detailed a number of cyber-programmes that it is running as part of this investment.
70.The National Cyber Security Centre (NCSC) was one of the programmes announced in 2015 as part of this investment and is considered a positive step by Government. It acts as the “lead across Government and the private sector in supporting organisations to defend themselves against cyber threats” and was established in October 2016 by GCHQ. Nigel Inkster considered that the NCSC helped strengthen the UK’s ability to “deal with the kind of threats that we might be subject to”. Professor Chalmers and the NCC Group also agreed that it helped public-private cooperation, although the NCC Group felt that more collaboration is still needed.
71.We have not examined the effectiveness of the Government’s investment as part of this inquiry. Some of the Government’s work on cyber-security will, however, be examined by the Joint Committee on the National Security Strategy. It is currently conducting an inquiry on the cyber-security surrounding the UK’s critical infrastructure.
72.The lack of sufficient numbers of skilled cyber-staff is, however, a concern for the UK’s cyber-capability development. Mark Field told us that GCHQ had difficulties retaining its cyber-staff. The Intelligence and Security Committee, in its 2016–17 Annual Report, also concluded that for GCHQ “recruiting and retaining technical specialists in the face of ever-growing levels of private sector competition remains a significant challenge”. In March 2018, the MoD opened a new Defence Cyber School to help develop specialist cyber-skills within both defence and the wider government.
73.The Government signalled further increases in investment in cyber last year, potentially at the expense of conventional forces. The National Security Adviser, Sir Mark Sedwill, told the Joint Committee on the National Security Strategy that increasing cyber-threats, particularly from Russia, needed to be addressed as part of the National Security Capability Review (NSCR). However, he also confirmed that the review was to be fiscally neutral, so any funding increase for cyber-security would have to be taken from other areas across defence and security.
74.We strongly believe that this trade-off between capabilities is the wrong approach. As we concluded recently on the Royal Marines and UK amphibious capability, “The answer to new and intensified threats must be augmented capabilities—not massively reduced ones such as the deletion of amphibious forces and specialised ships”.
75.With the announcement of the Modernising Defence Programme (MDP) in January 2018, it is no longer clear how funding for cyber-security will be allocated across the MoD and the other government security organisations. The MDP separated defence from the rest of the NSCR and its conclusions are likely to be published in July, a few months after the NSCR. The Secretary of State for Defence has been clear that the MDP has not been designed to be fiscally neutral.
76.We welcome the Government’s continued investment in countering the growing cyber-threat to the UK, not only from North Korea, but also from other states and from non-state organisations. £1.9 billion has already been allocated to improve the cyber-defences of both public and private bodies and the Joint Committee on the National Security Strategy is examining how some of this funding may be improving the cyber-security of the UK’s critical national infrastructure. It is also expected that the Government will announce further investment following the National Security Capability Review and the (now separate) defence review, the Modernising Defence Programme, both of which are expected to be published later this year.
77.However, this additional funding must not be at the expense of conventional forces. As we have already highlighted in our report on the Royal Marines, the Government has an inescapable duty to ensure that there are sufficient funds to meet the new and intensified threats in addition to pre-existing threats which have not gone away. New threats require new investment, rather than simply seeking to ‘balance the books’ by sacrificing conventional capabilities. We would strongly recommend—indeed, we must insist—that the UK Government finds this additional cyber funding from outside the existing defence budget.
Published: 5 April 2018