Rash or Rational? North Korea and the threat it poses Contents

4The North Korean cyber threat

North Korean cyber capabilities

54.As with its nuclear programme, North Korea has also rapidly developed its cyber capability, enabling it to conduct numerous attacks across the world. It began its pursuit of cyber capabilities in the early 1990s, following the first Gulf War, and initial attacks were targeted against South Korea.75 However, it was its assault on Sony Pictures in November 2014 that first drew the world’s attention to its potential.76 This has since been further illustrated by increasingly sophisticated or widespread attacks, with examples as set out in the table below.

Table 3: Examples of cyber-attacks attributed to North Korea77



Mar 2013

Attacks on South Korean banks and media agencies, disrupting websites, shutting down computers and erasing hard drives.

Nov 2014

Attack on Sony Pictures, stealing data and erasing hard drives. This was in response to the film, The Interview, as it was considered a slight on Kim Jong-un. The film was pulled from cinemas, although later re-released.

Feb 2016

Theft of $101 million from the Bangladesh Central Bank via the SWIFT electronics payment system. There have also been reports of electronic thefts from other banks across the world since 2015.

Apr 2017

Theft of $73 million worth of bitcoins in a hack of the Youbit exchange in South Korea. A further attack in December 2017, which closed the exchange, is also likely to have been the work of North Korea.

May 2017

Global ransomware attack, Wannacry, affecting more than 200,000 computers in at least 100 countries. The attack exploited a vulnerability in Windows operating systems and locked users out of infected computers and other devices, unless they paid out a ransom. The attack is considered to be the work of the Lazarus Group, under the direction of North Korea.

55.Robert Hannigan, a former director of GCHQ, has been reported as admitting that the North Korean cyber-threat “crept up on us”, and that “because they are such a mix of the weird and absurd and medieval and highly sophisticated, people didn’t take it seriously”.78

56.Following the Sony Pictures attack, North Korea’s cyber capabilities were seen as an increasing threat to other countries. The Centre for Strategic and International Studies reported in 2015 that North Korea was already “emerging as a significant actor in cyberspace with both its clandestine and military organisations gaining the ability to conduct cyber operations”.79 Nigel Inkster told us that the early North Korean attacks were initially unsophisticated, but that he now ranks the country highly in its capabilities compared to other countries.

I would not put them in the same league as China and Russia in terms of either firepower, so to speak, or technical sophistication, but they are moving up the chain rapidly. I think it is a moot point whether they merit inclusion in the premier league, or whether they are still teetering on the brink of first division/premier league, but they are definitely up around that area.80

57.The success of North Korean cyber operations reflects the attention that the country has put into this field. The Centre for Strategic and International Studies reported in 2015 that North Korea has sophisticated organisations conducting cyber operations, with an estimated 6,800 hackers, supported by a technology base capable of hardware and software development.81 Nigel Inkster and the NCC Group told us about the well-established pipeline to develop skilled cyber personnel, for example, putting “their brightest and best students” into elite North Korean or overseas universities. The NCC Group also noted the additional privileges for workers in cyber operations.82

58.It is also likely that some regimes tacitly allow North Korea to base cyber operations in their countries. For example, Nigel Inkster told us that one of the North Korean cyber units has an operational base in a hotel in China, and that its activities must be known to the Chinese, given the bandwidth required and the close monitoring of web usage by the Chinese government.83 FCO Minister Mark Field noted that it is not clear whether there has been concerted cooperation between North Korea and neighbouring countries. However, he was certain that the UK Government was raising its concerns with these countries:

Rest assured, we will have those discussions—at times publicly but, more often than not, privately—to make clear our displeasure.84

59.Experts also consider that North Korean cyber capabilities will only improve. Robert Hannigan wrote in the Financial Times in October 2017 that the “Pyongyang regime’s capabilities will improve and they will continue to surprise us, as they have in other technology areas. There are an increasing number of sophisticated cyber tools available; they will learn from their mistakes and use them to better effect.”85 Nigel Inkster also told us that cyber-attack “is one of those areas where you learn best by doing. They [the North Koreans] are very active and they are working very hard to keep pace with the most up-to-date, cutting-edge techniques.”86

The threat to the UK

60.It is likely that North Korea has already conducted a cyber-attack on the UK through the Wannacry ransomware, which particularly disrupted the UK’s health system. The National Audit Office reported that at least 81 NHS trusts (34% of all trusts across England) were affected, along with nearly 600 GP practices. NHS England estimated that more than 19,000 appointments would have been cancelled as a result.87 The FCO formally confirmed that North Korea was likely to be behind the attacks in December 2017.88 Defence Minister Earl Howe accepted that Wannacry constituted an attack by North Korea on the UK.89

61.Witnesses, nevertheless, agreed that the UK was unlikely to have been the main target. Nigel Inkster felt that North Korea was fortunate to have affected the UK to the degree it did with Wannacry, being “a function of the serendipitous discovery that our healthcare sector in particular was heavily dependent on operational systems that were no longer supported by the manufacturers”.90 Asked whether the UK was the target, Earl Howe, told us that:

One has to assess whether that was the intended target. It is in the nature of viruses like that that you cannot predict where they will hit. Indeed, it was not just our NHS institutions; I understand many organisations around the world were affected. My understanding is that the target for that was South Korea but, in the nature of those activities, these viruses can spread almost anywhere.91

62.Our witnesses did not consider that the UK is a specific target for North Korean cyber-attacks. For example, as with North Korea’s nuclear targeting, Nigel Inkster thought that the UK was not on North Korea’s priority list.

We need to keep things in context. North Korea has a hierarchy of targets: they are most worried about South Korea, Japan and the United States, because they are the countries that most immediately impact on their national security.92

63.Nevertheless there is a risk that the UK may be subject to future North Korean cyber-attacks either in the course of Pyongyang’s pursuit of hard currency or in retaliation to perceived slights to the regime. The Intelligence and Security Committee reported in its 2016–17 Annual Report that “GCHQ has informed us that there is significant risk of a similar attack on the UK”, comparable with that on Sony Pictures.93 In its written evidence, the MoD told us that:

We judge North Korea to have a relatively low threshold for use of offensive cyber capabilities. For the most part, North Korean cyber-attacks have targeted South Korea. But as international sanctions tighten, the country may place more emphasis on the money-making opportunities that these capabilities afford, thereby subverting sanctions. Any actions of governments (including the UK) or corporate entities perceived by the regime to be insulting to the regime could lead to the use of offensive cyber.94

64.The risks are heightened by North Korea’s recklessness in its use of cyber-attacks, with little or no regard to retaliation or who might be affected. The Intelligence and Security Committee reported in its 2016–17 Annual Report that North Korea “is prepared to use its capabilities without any concern for attribution, and for ideological motives which are alien to other countries”.95 Earl Howe, when talking about Wannacry, also remarked that “I think Kim probably did not care very much where, who or what was affected … “96

65.The North Korean cyber threat, however, remains below that of Russia and China, given their more sophisticated cyber capabilities. As Nigel Inkster told us, “If we have reasonable defences to deal with the Chinas and the Russias, we should be able to handle North Korea.”97

66.North Korea has shown that it has both the ability and intent to conduct cyber-attacks around the world, whether for financial gain or in response to perceived slights against its leader. It has also demonstrated a level of sophistication which makes it one of the world’s most advanced cyber powers.

67.It is likely that North Korea has already successfully attacked the UK with the Wannacry ransonware, although we agree with the Government that the UK was probably not intended to be the principal target. Nevertheless, the Wannacry attack highlighted basic vulnerabilities in UK information technology systems. With North Korea unconcerned by who gets hurt when it lashes out, the UK will continue to be at risk from North Korean cyber-attacks.

UK cyber defence

68.The Government acknowledges the need for ever-improving cyber defences as cyberspace becomes ever more critical to the UK and the range of cyber-threats intensify. In its most recent National Cyber Security Strategy, 2016 to 2021, the Government set out the increasing cyber-threat from not only state and state-sponsored groups, but also from cyber-criminals, terrorists and hacktivists.98

69.To improve UK cyber-capabilities, including cyber-defences, the Government has been increasing investment in this area since the start of the decade. The 2010 National Security Strategy and 2013 Spending Review allocated a total of £860 million to the National Cyber Security Programme. The 2015 National Security Strategy and Strategic Defence and Security Review then announced £1.9 billion, over the following five years, for cyber-defence and ‘sovereign capabilities in cyber space’. In its written evidence, the MoD detailed a number of cyber-programmes that it is running as part of this investment.99

70.The National Cyber Security Centre (NCSC) was one of the programmes announced in 2015 as part of this investment and is considered a positive step by Government. It acts as the “lead across Government and the private sector in supporting organisations to defend themselves against cyber threats” and was established in October 2016 by GCHQ.100 Nigel Inkster considered that the NCSC helped strengthen the UK’s ability to “deal with the kind of threats that we might be subject to”.101 Professor Chalmers and the NCC Group also agreed that it helped public-private cooperation, although the NCC Group felt that more collaboration is still needed.102

71.We have not examined the effectiveness of the Government’s investment as part of this inquiry. Some of the Government’s work on cyber-security will, however, be examined by the Joint Committee on the National Security Strategy. It is currently conducting an inquiry on the cyber-security surrounding the UK’s critical infrastructure.103

72.The lack of sufficient numbers of skilled cyber-staff is, however, a concern for the UK’s cyber-capability development. Mark Field told us that GCHQ had difficulties retaining its cyber-staff.104 The Intelligence and Security Committee, in its 2016–17 Annual Report, also concluded that for GCHQ “recruiting and retaining technical specialists in the face of ever-growing levels of private sector competition remains a significant challenge”.105 In March 2018, the MoD opened a new Defence Cyber School to help develop specialist cyber-skills within both defence and the wider government.106

73.The Government signalled further increases in investment in cyber last year, potentially at the expense of conventional forces. The National Security Adviser, Sir Mark Sedwill, told the Joint Committee on the National Security Strategy that increasing cyber-threats, particularly from Russia, needed to be addressed as part of the National Security Capability Review (NSCR). However, he also confirmed that the review was to be fiscally neutral, so any funding increase for cyber-security would have to be taken from other areas across defence and security.107

74.We strongly believe that this trade-off between capabilities is the wrong approach. As we concluded recently on the Royal Marines and UK amphibious capability, “The answer to new and intensified threats must be augmented capabilities—not massively reduced ones such as the deletion of amphibious forces and specialised ships”.108

75.With the announcement of the Modernising Defence Programme (MDP) in January 2018, it is no longer clear how funding for cyber-security will be allocated across the MoD and the other government security organisations. The MDP separated defence from rest of the NSCR and its conclusions are likely to be published in July, a few months after the NSCR. The Secretary of State for Defence has been clear that the MDP has not been designed to be fiscally neutral.109

76.We welcome the Government’s continued investment in countering the growing cyber-threat to the UK, not only from North Korea, but also from other states and from non-state organisations. £1.9 billion has already been allocated to improve the cyber-defences of both public and private bodies and the Joint Committee on the National Security Strategy is examining how some of this funding may be improving the cyber-security of the UK’s critical national infrastructure. It is also expected that the Government will announce further investment following the National Security Capability Review and the (now separate) defence review, the Modernising Defence Programme, both of which are expected to be published later this year.

77.However, this additional funding must not be at the expense of conventional forces. As we have already highlighted in our report on the Royal Marines, the Government has an inescapable duty to ensure that there are sufficient funds to meet the new and intensified threats in addition to pre-existing threats which have not gone away. New threats require new investment, rather than simply seeking to ‘balance the books’ by sacrificing conventional capabilities. We would strongly recommend—indeed, we must insist—that the UK Government finds this additional cyber funding from outside the existing defence budget.

75 Q49 and Centre for Strategic & International Studies, North Korea’s Cyber Operations Strategy and Responses, (December 2015), p23 and p79

76 Centre for Strategic & International Studies, North Korea’s Cyber Operations Strategy and Responses, (December 2015), p4

77 Intelligence and Security Committee, Annual report 2016–17, HC 655, p30; Centre for Strategic & International Studies, North Korea’s Cyber Operations Strategy and Responses, (December 2015), p23 and p79; BBC Bitcoin exchange Youbit shuts after second hack attack 19 December 2017; Comptroller & Auditor General, Investigation: WannaCry cyber attack and the NHS, Session 2017–19, HC 414, p4 and p19

79 Centre for Strategic & International Studies, North Korea’s Cyber Operations Strategy and Responses, (December 2015), p4

80 Q53

81 Centre for Strategic & International Studies, North Korea’s Cyber Operations Strategy and Responses, (December 2015), p35

82 Q49 and NCC Group (NKO0004)

83 Qq50–51

84 Q153

86 Q53

87 Comptroller & Auditor General, Investigation: WannaCry cyber attack and the NHS, Session 2017–19, HC 414, pp6–7.

88 Foreign Office Minister condemns North Korean actor for WannaCry attacks, Foreign & Commonwealth Office press release, 19 December 2017

89 Q162

90 Q55

91 Q160

92 Qq55–56 and Q149

93 Intelligence and Security Committee, Annual Report 2016–17, HC 655, para 160

94 Ministry of Defence (NKO0003)

95 Intelligence and Security Committee, Annual Report 2016–17, HC 655, para 161

96 Q161

97 Q56 [Nigel Inkster]

98 HM Government, National Cyber Security Strategy 2016–2021, November 2016, pp17–20

99 HM Government, National Cyber Security Strategy 2016–2021, November 2016, para 1.3, Ministry of Defence (NKO0003) and Q149

100 Ministry of Defence (NKO0003)

101 Q55

102 Q56 [Professor Chalmers] and NCC Group (NKO0004)

103 Cyber security: Critical National Infrastructure inquiry launched, National Security Strategy Joint Committee press release, 21 December 2017

104 Q167

105 Intelligence and Security Committee, Annual Report 2016–17, HC 655, p41

106 New Defence Cyber School opens to help protect UK, Ministry of Defence news, accessed March 2018

107 Oral evidence taken before the Joint Committee on the National Security Strategy on 18 December 2017, HC (2017–19) 625, Q4, Q9 and Q11

108 Defence Committee, Third Report of Session 2017–19, Sunset for the Royal Marines? The Royal Marines and UK amphibious capability, HC 622, para 101.

109 PQ 127876 and Oral evidence taken on 21 February 2018, HC (2017–19) 814, Q11 and Qq16–17

Published: 5 April 2018