What can ‘ghost ships’ tell us about the North Korean cyber threat?
In early December, the BBC reported on a number of ships that have washed ashore in Japan in recent years, the majority of which have contained only dead bodies.
It appears likely that these ships, with no modern engines or navigational instruments, are fishing vessels which have been caught by ocean currents and swept off course; but two elements of the story are significant.
The first is an increase in the number of these vessels washing ashore. The second is that some of the recovered ships have plaques indicating that they belong to the North Korean military. Somewhat strangely, both of these elements can help shed light on the nature of the cyber threat emanating from North Korea.
It is thought that the rise in beached vessels is due to increased risk-taking, driven by free-market incentivisation of the fishermen; if they surpass their quota, they can keep a percentage of the surplus catch, which they can then trade themselves. The fact that military vessels are being used is evidence that the North Korean military is heavily involved in the fishing industry.
So what does this mean for the cyber threat? As analysts, we are subject to a broad range of cognitive biases which influence the way that we think. One of those biases is known as ‘mirror imaging’, whereby we make an unwarranted assumption that the subjects of our analysis think and behave as we do. With such a neat delineation in Western countries between the public sector, private sector, military and criminal groups, we tend to assume that this is also the case everywhere else.
What the ghost ships show us is that, in North Korea, private citizens working for the state but motivated by personal gain are using military resources to meet both the regime’s objectives and their own requirements simultaneously. The nature of this incentivisation is then driving them to take considerable risks.
When we look at the cyber threat from North Korea, the combination of public sector resources with a privateering approach to cyber criminality results in a particularly unstable and unpredictable threat actor. It makes the analysis of likely courses of action incredibly difficult.
I would therefore argue it is almost meaningless to use the conventional terminology of ‘state actors’, ‘state proxies’ and ‘organised crime groups’ in relation to North Korea.
In reality, there is no distinction to be made.
Published date: 21 December 2017
Written by: Tim Haines