Caveat 12.7.23
Ep 197 | 12.7.23

North Korea's evolving cyber program.


Michael Barnhart: This isn't a nation-state sponsored set of cyber groups or APTs as we call them, this is a criminally sponsored nation-state actor, which is very, very unique because, as you can imagine with any other country, your funding comes from the top. For these guys, it starts at the very bottom and the money flow goes upwards, which is extremely unique.

Dave Bittner: Hello, everyone, and welcome to "Caveat", the CyberWire's privacy, surveillance, law, and policy podcast. I'm Dave Bittner and joining me is my co-host Ben Yelin from the University of Maryland, Center for Health and Homeland Security. Hello, Ben.

Ben Yelin: Hello, Dave.

Dave Bittner: Today Ben discusses a preliminary injunction against the Montana law banning TikTok. I've got the story of a college student frustrated with his lack of privacy on campus. And later in the show, my conversation with Michael Barnhart from Mandiant, we're talking about the evolution of North Korea's cyber program. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. All right, Ben, we've got some good stories to share this week. What have you got for us?

Ben Yelin: So, my story comes from the great state of Montana. As you recall, we've talked about this in the past, earlier this year, their state legislature passed a bill that would ban TikTok in the entire state. Now a lot of other states have instituted laws or executive orders banning TikTok on state-issued devices. This is the first law that just bans TikTok in the entire state.

Dave Bittner: Even for consumers.

Ben Yelin: Even for your average consumer.

Dave Bittner: Okay.

Ben Yelin: So, TikTok, joined by a bunch of Montana plaintiffs, sued the state seeking a preliminary injunction against this law. It's really interesting who they chose as plaintiffs, it was a bunch of people whose use of TikTok plays a meaningful role in their economic activities, so there's like one rancher who has 30,000 followers on her TikTok account because she does videos about being a rancher. So, they did a good job of finding plaintiffs here. And they have succeeded in court, at least preliminarily. So, a district court judge in Montana, a Bill Clinton appointee who's been around since the 1990s issued this preliminary injunction saying that the plaintiffs, TikTok and these TikTok consumers, are likely to succeed on the merits. So, I'll note this is just a preliminary injunction, there's going to be a full hearing on this case sometime next year. The preliminary injunction is very indicative of how courts are going to see these types of laws. There are really a couple of major legal issues that the court identified with the law here. We have a big First Amendment problem. So, there's the First Amendment-protected activity on the part of TikTok itself and then on TikTok's consumers. I won't get into all of the legal mumbo-jumbo, as you know that I want to do. But basically, courts either look at First Amendment laws with the highest level of scrutiny called strict scrutiny. That's when the law in dispute targets particular content, what's called a content-based restriction on speech, preventing somebody from talking about a particular topic. And then there are content-neutral restrictions on speech, which are still bad in the eyes of the court but they use a lesser method of scrutiny for analyzing those laws called intermediate scrutiny.
What the judge says here is basically it's likely that this is a content-neutral restriction because you're not just banning the discussion of a single topic on TikTok, you're banning literally everything that happens on the application. But even under that intermediate level of scrutiny, the law would fail. The state has not demonstrated that they have a proper important governmental interest here. The things that they've tried to claim as the important governmental interests are protecting national security and consumer privacy but they haven't really proven that this law will achieve those ends. For one, the state of Montana doesn't get to make foreign policy and this is ultimately --

Dave Bittner: I was going to ask you that. Yeah.

Ben Yelin: Yeah, I mean, this is ultimately a foreign policy question on how we deal with ByteDance and China and China's eagerness and willingness to obtain data from this application is really a federal issue. And then the other issues they identified were about consumer protections. And as this judge notes, Montana has passed broad laws or at least in one or the other chamber of their legislature protecting data privacy, they could just do that and not target the single application which people rely on for a significant number of their communications. So, those are the First Amendment issues. And then there's an issue under the federal commerce clause. And now, I can start to see eyes rolling and people falling asleep.

Dave Bittner: Actually, this is a line of questions I was going to pursue. So, proceed, counselor.

Ben Yelin: All right. I will try and make this as interesting as it possibly can be, given that we're talking about the commerce clause. So, the commerce clause grants the federal government the power to regulate interstate commerce. By extension, courts have found dormant powers in the commerce clause that basically means states cannot pass laws that interfere with interstate commerce. So, it's really a method of controlling protectionist laws where states are trying to enact laws that benefit an in-state interest or an in-state entity at the expense of an out-of-state entity. And the judge here says that this likely violates the dormant commerce clause because it would have such a broad interruption on interstate commerce given that these plaintiffs have demonstrated that they rely on TikTok for their business activities. It really could impact the national economy if one state is shut off from this engine of economic activity. Now, we could argue that TikTok maybe shouldn't be an engine of economic activity but it is.

Dave Bittner: And that would be for the feds to decide on a national level.

Ben Yelin: Ultimately, yes because they have the authority to regulate interstate commerce, exactly. So, there is that commerce clause problem along with the First Amendment problem. So, the standard for a preliminary injunction, basically you have to have a likeliness of succeeding on the merits, which the judge says they have. And then the plaintiff would have to suffer irreparable harm. And that was really a large portion of his decision as to whether the plaintiffs here would suffer irreparable harm. I think for TikTok it probably wouldn't be irreparable harm. I mean, you know, no offense to the State of Montana but it has like -- I don't know, 800,000 -- 700,000 person population.

Dave Bittner: Thank California.

Ben Yelin: Exactly. TikTok would probably subscribe or would probably survive if Montana was wiped off the face of the Earth. I love Montana, I hope we have some Montana listeners. I hope that does not happen.

Dave Bittner: A beautiful country. Absolutely.

Ben Yelin: It is beautiful. Glacier National Park, amazing place. But I think the big issue here is the plaintiffs. I talked about that rancher, there are just a couple of other examples of people who, not only make a living on TikTok but they make a living on TikTok exclusive from what they do on other social media sites. So, I think the state was saying, "Why don't you just do it on Instagram or why don't you just do it on Meta, or whatever?" And what these plaintiffs convinced the judge of is that their advertising strategy is unique to TikTok. TikTok offers something that a lot of these other services do not, these kind of short bite-sized videos, content that gets put in somebody's For You tab that a bunch of followers get to see. I think the judge was convinced that another social media application would not be able to replicate that. And as a result, there is irreparable harm here. We have this preliminary injunction and for now, the law is off the books until we have a full hearing on it.

Dave Bittner: So, I'm trying to understand. I'm trying to wrap my head around the interstate commerce, you know, stuff and how it could apply to something like this, and I, of course, am taking this to the extreme, you know, I'm imagining myself taking a cross-country road trip and coming to the border at Montana, you know, and having seen signs that say "Welcome to Montana, please -- "

Ben Yelin: It's a TikTok-free zone.

Dave Bittner: Right. "Please uninstall TikTok," right? And I was trying to think of like are there examples with that? And I guess the thing that first comes to mind are gun laws like there are some states where they give you a gun when you cross the border, right, practically. But if you're traveling and you have a firearm and you're coming from a state where it is absolutely your right to do so, am I correct that there are some states that you could have a problem with without the proper, you know, permitting or whatever of traveling through that state with your firearm. Is that the reality?

Ben Yelin: I think that's a very good and interesting point. And generally, courts are pretty deferential to the states on this issue as long as the state can demonstrate some non-protectionist interest. So, with guns, it's like, you know, who knows what this current Supreme Court would say, but at least courts in the past have said, "Well, protecting your citizens against gun violence is clearly a proper exercise of the state's police powers." So, you can't be more restrictive with guns even if it does burden interstate commerce. I think the problem here was there was nothing in the record that demonstrated a proper state interest on behalf of Montana. They weren't sufficiently clear about what they were trying to do, you know, I don't think the State of Montana is going to force somehow ByteDance to sell TikTok to a US company. And there are other ways that they could have passed broad-based data privacy legislation that would have solved a lot of the data privacy issues here. So, I just think the interest on the part of the State of Montana simply wasn't strong enough to justify that regulation.

Dave Bittner: Do we suppose -- and I guess we're speculating here, but do we suppose that the legislators in Montana got a little carried away with wanting to make a statement against China and this made its way through?

Ben Yelin: Yeah, I mean, they really did the best they could. You know, part of anticipating these court cases is getting everything in the legislative records so your legislation has a purpose paragraph. And that purpose lays out what this legislation is trying to do. So, they failed on that measure. They put their best foot forward. And at least according to this preliminary injunction, they didn't do a good enough job. It's possible that they go back to the drawing board and try to massage their justification for the statute to conform with this opinion, although looking at the opinion like I don't see how that would really be possible but maybe my imagination is just not wild enough. But, yeah, I do think they were attempting to do something that no state has ever done that is well within their right as the state legislature. There are some things state legislatures can't do and this is one of them. And the court smacked them down for it.

Dave Bittner: So, perhaps they go back and follow more the path that other states have blazed here of a broader digital privacy legislation attempt.

Ben Yelin: Yeah. I think you married that broader digital privacy legislation with more limited regulations on TikTok like banning it from state-issued devices where there is clearly a role for the state, there is a very clear objective, protecting the private information, personally identifiable information of constituents in the state is certainly a justifiable state interest for that kind of ban. So, I think you'd have just a much easier time justifying that rather than this broad-based law. I'll also say, and I'm not sure how relevant this is, but TikTok claims they've set up a firewall that will prevent China from accessing US data and they've done that through Oracle. There is a facility that protects all US persons' data. I think there are a lot of skeptics who question whether that's actually going to be effective.

Dave Bittner: How permeable that wall may be?

Ben Yelin: Exactly. Whether it's the big beautiful wall or it's, you know, little plastic house of bricks. So, I think that might have helped TikTok a little bit on these proceedings that they could say, "Contrary to what you've heard, it's not easy to get US persons' information from TikTok. We're not, you know, sending over your dossiers to the Chinese government." That might have had a little bit of an impact here.

Dave Bittner: All right. Interesting. Well, we will have a link to that story in the show notes. My story this week comes from the folks over at the Markup, this is the article written by Tara García Mathewson. It's titled "He Wanted Privacy. His College Gave Him None." So, first, I want to start off by taking a little trip down memory lane here to maybe contrast my own experience in college versus the subject of this article, an individual named Eric Natividad, Natividad, who is a 32-year-old student at Mt. San Antonio College in California. Now, Ben, I think --

Ben Yelin: This is going to be about how old you are.

Dave Bittner: Yes. And I think your college experience probably straddles the two of us. So, I'm also interested in the degree to which things changed between my experience in college back in the days when dinosaurs ruled the Earth, yours when certainly there was more technology online, and what Mr. Natividad is experiencing today at his college in California. So, I'm thinking of like what were the opportunities when I was in college for the university to gather information about my comings and goings. And I went to a big state school, I went to the University of Maryland --

Ben Yelin: Go Terrapins.

Dave Bittner: -- with 30-some-thousand of my closest friends. Really the only place I remember my ID being checked and it was a physical ID like a driver's license was when you went into one of the big libraries on campus, they would check your ID to make sure you were a student because students were entitled to use the libraries, and not everyone else was. But getting in and out of my dorm room, we had a physical key. We did not have passkeys, the electronic passkeys. There was no Wi-Fi. There was barely an internet, right? We could just connect -- only because my roommate was an electrical engineering major and he knew how to do such things were we able to connect to the internet and, you know, use the most primitive ways of connecting online. But the point is that back then, you could really come and go and there wasn't an effective way for the university to gather information about you. And I think as a result of that, I didn't really have the sense that they were really interested in gathering information about our comings and goings. You know, occasionally there would be a crime on campus like anywhere and then they'd have an interest. But the day-to-day comings and goings of the students really didn't seem to be something that they were tracking. I'm curious what your experience was like.

Ben Yelin: Yeah, I mean, I do think I'm sort of the middle ground between what you went through and what this individual went through. We did have Wi-Fi in our dorms, I certainly used it. By the end of my time in college, we had key cards to get into our dorm rooms and our buildings. So, there was that. I mean, there was a pretty extensive online record. I used campus email for all of my communications. But I am not that young, unfortunately. So, a lot of the things they described in this article didn't exist when I went to college, the type of kind of pervasive surveillance. Certainly, something like virtual classes would have seemed extraordinarily difficult. I mean, I think video chat was just becoming a thing kind of as I graduated college.

Dave Bittner: Yeah. So, digging into this article, again, this student Eric Natividad, he has been attempting to preserve his privacy while he studies at Mt. San Antonio College in California. And he's finding it extraordinarily difficult to do so because of all of this technology that the campus is making use of. Like we said, key cards to enter buildings, the use of Wi-Fi, the campus makes use of license plate readers to keep track of who's paid for permission to park on campus. Now, again, back in my day, we had a little, you know, a rearview mirror hanger that said, you know, you can park here in lot 4, which is four miles from --

Ben Yelin: I will say amongst all the angst in this piece, this is the one type of technology for a very specific reason I hope did exist because there was one guy in my college, he's probably not listening to this but he knows who he is, put up a fake handicap placard on his car and would park in front of all of the academic buildings. And actually, one of my friends tried to call the campus police on them. They didn't do anything. But now I kind of wish we had this technology so that guy could get his comeuppance.

Dave Bittner: Well, shame on him.

Ben Yelin: Yes. And he knows who he is.

Dave Bittner: Right. So, the reporters at the Markup dug into this and they did a lot of I suppose FOIA requests with the college to get some of the contracts that the college has with the providers of these various types of technologies. And they're trying to see how long is the information kept, is the information sold, you know, who uses the information. There are a few things here that were more troubling to me than I had anticipated on the surface of this article, right, and we have the tracking of the comings and goings and all that sort of thing. That seems to me more of a side effect of a robust key access system to your university. And I can see it being very much in the interest of the university to know who's coming and going from our buildings, who's unlocking doors. They talked about when COVID happened and there were students living on campus that it was useful for them to know if a student hadn't left their dorm in several days that perhaps they could go do a health check. And they checked in with the students to figure out what did the students consider to be a comfortable amount of time before they wanted to be checked in on.

Ben Yelin: That seems a little creepy to me.

Dave Bittner: Yeah. But one of the things that caught my eye here was the professors -- and I'm curious on your take as a professor -- the professors could tell the degree to which the students were engaged with the materials of the class. How often did this student log into the outline for the course, how much time did they spend with the online materials? Did they download them? And Mr. Natividad's concern was, he said, "Well, what if I just download everything to my computer and that's where I spend my time reading it, but my professor could look at that and say, 'Oh, this person spends hardly any time online with this stuff. They must not be interested in my class?' And that could have an effect on my professor's perception of me as a student."

Ben Yelin: Yeah, I mean, that's something I worry about. I do have that power, at least we use kind of a content management system for our classes, and I can see the last time that a student logged in. I try to avoid looking at it just for that reason. I want to give students some leeway and not feel like, you know, I'm a second-grade teacher looking over their shoulder, but I'm not sure every professor is like that. And I think we are losing some of the freedoms that we have to kind of go at it at our own pace. And achieve whatever results we're able to negotiate based on our own work habits. So, yeah, I mean, I think that's the type of thing that would have considerably hurt my college experience personally, feeling like somebody was always watching me. And we tried to do virtual exam proctoring during COVID and it really was more trouble than it was worth.

Dave Bittner: Really?

Ben Yelin: It was just the technology was kind of glitchy and there were a lot of issues with students feeling like their privacy was being invaded, they were taking exams in their own classrooms, sometimes they needed to get up and use the bathroom and having to negotiate that --

Dave Bittner: You mean in their homes?

Ben Yelin: Yeah, exam proctor. So, I do think, and the article notes this, I think there's value in universities having a chief privacy officer that's just an oversight authority on all of these issues. That's not going to solve all of the problems. I mean, this technology exists and universities are going to want to use it. But I think just to kind of add up a privacy perspective so that before you purchase any new system, privacy is at least taken under consideration. I think that's really the easiest thing that universities can do at this point.

Dave Bittner: Yeah. And this particular student said that, you know, just one of the most troubling things is that he has -- there's no effective way for him to opt-out.

Ben Yelin: Right.

Dave Bittner: And so, he actually -- because he's someone who cares about privacy, he goes to great measures to attempt to circumvent some of these things. He studies in a building that does not have key access rather than going to the library, for example, you know a building that has key access. And that's a burden on him because, you know, it makes it harder for him to collaborate with the other students who aren't as concerned about their privacy as he is. So, it's an interesting case that he makes here. I suspect he's probably not going to get very far. I mean, like we said, the university certainly has an interest in collecting a good deal of this information. But to what degree do they keep it, how long do they keep it, you know, perhaps that's something that should be shared with the student body. You know, we keep this information -- we keep your comings and goings for a month or six months or a week, or whatever it is.

Ben Yelin: Or forever, yeah. Yeah, I do think that's ultimately the only practical solution here is some type of transparency. And just being conscious of with every decision that you make to protect campus safety or whatever you're using technology for, it's introducing these risks. I mean, that's what bothers me the most about it is kind of this lack of available alternatives. You basically have to live in the woods to avoid this kind of technology. I mean, I know classes, even in my college era, you could handwrite everything, even if we all had laptops.

Dave Bittner: That's right.

Ben Yelin: Now in many classes, they forbid you from doing that for one reason or another.

Dave Bittner: Oh, yeah. My youngest son is in high school and everything is online. I mean, there is no written papers, they don't write anything. And I'm okay with that. I'm okay with that. But I mean, I think for those of us who are from the previous generation, it's hard for us to wrap our heads around the degree to which this change has occurred and that it's just the standard operating procedure these days.

Ben Yelin: Yeah, I think that's important for us old people to be aware of it. And it's not just colleges and universities. I mean, I have an elementary school-aged child, and certainly not all of this but some elements of this type of tracking are things I worry about with her. So, yeah, I think it's just important for us to be very conscious about things like this.

Dave Bittner: Yeah. At the same time, I can see, you know, I can see the argument that it is better as a college student if there is an enhanced degree of safety of the university having a log of who's coming and going from their buildings. You know, when I was in school, all the buildings were just unlocked because there was no practical way to control that. So, if you had someone from off-campus who had no business being there, who was looking to cause trouble, be it, you know, thievery or harassment or whatever, there really wasn't anything stopping them. And now there is more of a burden.

Ben Yelin: I mean like controlled entry seems very obvious to us now. And I think like if you ask the average parent of a college student do you want to have controlled access to our dorm buildings and academic buildings, of course, they would say yes.

Dave Bittner: Right. I suspect if you ask the average college student, they would say yes.

Ben Yelin: They would probably say yes too. And so, you know, you have to recognize the importance of that. Colleges aren't just being arbitrary here and stalking you for the sake of stalking you. I mean, there are reasons that these technologies exist, even if they're using things like facial recognition. I just think having some type of chief privacy officer or ombudsman among the executive leadership of the university is a way to try and balance the school's legitimate needs versus what the students deserve in terms of personal privacy.

Dave Bittner: Right. Who watches the watchmen? All right. We will have a link to the story. Again, it's an article from the Markup. We would love to hear from you. If there's something you'd like us to consider for this show, you can email us. It's [ Music ]
Ben, I recently had the pleasure of speaking with Michael Barnhart. He is from security company Mandiant, one of the big names in cybersecurity. And our conversation centers on the evolution of North Korea's cyber program. Here's my conversation with Michael Barnhart.

Michael Barnhart: You know, any real intelligence apparatus, intel cyber threat, intelligence organization is going to want to have a good organizational structure, you're going to want to understand the adversary, not just both the activity that's going on but how -- what they think, how they think, how they operate as a whole. And so, one of the things that we at Mandiant try to do, especially with these blog posts, and what we've done in years past is to kind of give a who's who in the zoo but also the major thing with this is just how the threat actors are adapting, how they're evolving. They aren't like the other bigger nation-states that one would track. So, this is -- it's we actually get a better insight once we understand a little bit about who they are unlike some of the other groups or countries rather.

Dave Bittner: Well, let's dig in there. I mean, what are some of the specifics that set North Korea apart from some of our other adversaries in cyber?

Michael Barnhart: Well, I think really the country as a whole is something that we should probably kind of look and re-evaluate. It's not quite a government per se, it's not quite a -- it is not run -- I mean, as everyone knows, North Korea is a bit odd in how it's structured anyways and how it's cut off from the rest of the world. Their intelligence collection efforts and what they do in the cyberspace definitely echoes the exact same thing. This isn't a nation-state-sponsored set of cyber groups or APTs as we call them, this is a criminally sponsored nation-state actor, which is very, very unique because, as you can imagine with any other country, your funding comes from the top. For these guys, it starts at the very bottom, and the money flow goes upwards, which is extremely unique.

Dave Bittner: Help me understand exactly how that works here. I mean, is this a matter of folks at the bottom sort of paying tribute to the folks up the food chain from them? Is this the leadership looking the other way? How is it structured?

Michael Barnhart: Yes, and it really goes back, you know, years ago, if you think about, you know, these are the same set of guys I believe I've even heard it on your podcast for we've had the guys, you know they're selling fake cigarettes, fake Viagra, fake all kinds of things. It's always been kind of structured around the kind of that criminal enterprise for a typical government or a typical even military unit, you know, you're being supplied from the government, you know, your taxpayers, all that. Here, you know, to supply the weapons programs, you have your TraderTraitors, that's one of the groups that we track and it's big on the cryptocurrency chain. They're stealing hundreds of millions of dollars. And that goes up to supply the regime, it's there to supply the weapons program. You have other groups like what we saw with Andariel several, several months ago, and the past few years. At one point, they were ransoming hospitals and that was directly tied to their cyber espionage efforts. So, you can have your APTs like your AppleJeus, CryptoCore, all of the different ones dealing with crypto and financial efforts that's there to supply the government, where even the other ones, such as APT43 and Andariel, a lot of their efforts they're there for cyber espionage but they're going to also do crime on the side to support their own operations. And that's just something that's extremely unique for this nation.

Dave Bittner: To what degree are their efforts about raising funds and to what degree is it espionage?

Michael Barnhart: It all depends on the actor. And I think that's one of the things we really tried to break down in this blog that we just recently released. I like it how we have it structured in there because I think it was also kind of a PSA to a degree. A lot of times, and one of the things we wanted to stress whenever we put this especially out was we wanted to break down some of the groups, "Hey, these are the groups you should watch for if you're a crypto exchange." If you're a financial institution or a bank that might be starting to get into the crypto and blockchain technologies, hey, here are the ones you should watch here. If you're a ministry of foreign affairs, hey, you know, you might -- you know, a person might get hacked by an APT43 or one of the other APTs, but they're not coming for your money, they're coming for your intelligence, your private intelligence requirements filling them for, you know, North Korea. So, Ministry of Foreign Affairs, you know, a defense industrial-based entity, you might be looking at your Temp.Hermits or your Andariel. These are the different groups are going to grab your different things. And so, everyone has their own flavors. But I think the biggest thing that we had from here and the one that we kind of wanted to sound alarms on is that they're blending, everything is blending, everything is overlapping. And we used to kind of joke about it and say, "Hey, it's not all called Lazarus Group, you know, guys, everyone, stop saying that." It turns out, you know, just wait a few years, now they kind of are, they're kind of all becoming this one gigantic blob where everyone's sharing tools, everyone's sharing infrastructure.
And I think that was the biggest thing because as, you know, governments around the world and partners that we work with and clients and other, you know, colleagues at different companies that we work with, we're all so focused on figuring the granular who exactly is doing this activity instead of looking at the activity and going, "Hey, I know it's North Korea. I know this is what they're after. I'll focus on this. I'll figure out who exactly it is later, but we have a job to do and we should focus on the mission."

Dave Bittner: For you and your colleagues there at Mandiant, are there any particular tell-tale signs when something comes across your workstation that you say, "Ah, this is North Korea"?

Michael Barnhart: I mean, we have the different type of signatures and mitigations and it's a bit different for a lot of our guys because we've seen them and worked with certain actors so much that as soon as we even see a domain that happens to look a certain way or is hosted a certain way, or some type of tell-tale sign there, we can almost tell you specifically what group or, you know, which uncategorized cluster, we call them UNCs here at Mandiant just to kind of keep them small and broken apart. But there's many, many different ways to do that. A lot of it comes from -- you know, one of it we've had issues with because as you can tell, if you're tracking only malware, if you're only tracking a certain piece of infrastructure, and then it is handed to another group as we are seeing, that might muddle attribution so that's kind of part of the reason why we're trying to get better there as well. But being able to tell that it's North Korea, yeah, there's always signs and different type of trip wires that are set that we can identify the countries there overall. Then it starts getting really murky on which specific group inside it is.

Dave Bittner: As you look at some of the policy decisions that other nations around the world have taken when it comes to dealing with North Korea do you have any sense for how effective the rest of the world is with blocking what they're up to?

Michael Barnhart: I think we're still in that wait-and-see approach. I think one thing I do like about really even that thought, Dave, is just we are all in this together. So, you know, the South Korean government, the US government, the UK, we're all doing these efforts, especially on the crypto front, we're all trying to get after the adversary, we're all trying to get in front of what North Korea is doing in this space. But really, you know, it kind of goes back to how -- again, this is a criminal nation-state but how does crime and technology play a part, you know? The criminal will always figure out the best way to leverage or, you know, manipulate a piece of software technology before defenders do. And it's kind of even built that way. You almost build software technology to work first and then security is always an afterthought. I feel like there's no country in the world or no really, you know, effort. North Korea really seems to embrace that the best way. They're always -- they were in the crypto game years before anyone else was. I joke about it but, you know, if crypto wasn't around and suddenly Furbies got hot like they were in the '90s, they would find a way to leverage that to make money. They're always looking for the next big thing, and right now crypto is that thing, and they're going to keep beating that pinata, and there's no real end in sight as it stands now.

Dave Bittner: You know, I think about comparing this to when you look at nation-states and, for example, you know, their space programs, you know, during the great space race, you know, you look at the US's approach to putting people in space and on the Moon and in orbit, and you compare that and contrast it with how the Russians were coming at things, there were differences, different mindsets, different philosophies. What are we seeing with DPRK here? Is there -- to what degree are they sophisticated or are they hard workers, are they persistent? What are some of the labels that we can apply to them culturally?

Michael Barnhart: Well, for North Korea, I wouldn't put it quite as the same as the cyber operators because, you know, you can really even see just the divide of the country itself. This is a country that has rolling blackouts, this is a country that doesn't have a lot of access to the -- very little access to the outside world. There's a famine going on right now. There is so much going on with the typical everyday North Korean and the hardships that they face, I mean, what's going on now is very, you know, equated to a lot of the starvation and terrible times that we had in the '90s. But for your cyber operators, they're much more different and I mean, really in every sense of the word. Their operators, a lot of them come from outside the country. They do this for a variety of reasons, both from infrastructure, both from, you know, attribution muddling. There's many different ways for that. They have a completely different life, both outside. They have privileges. They are trained up at such a very, very young age where they're vetted both with the loyalty to the regime, also for their aptitude for any type of mathematics and problem-solvings, and computer skills. These guys are taken away at such a young age to start this training and become this really the cyber warrior that's so well versed in everything that every day in North Korea, in the cyber operator for the APTs or the IT workers, which is a whole other realm, they're a lot different. And if we're describing those cyber operators, agile, fluid. These guys, if they're working on a crypto project, they're not doing things like me. I'm from Tennessee, I'm a hillbilly. I don't know half of what's going anywhere of crypto. Like I have people that interpret it to me. And these guys operate at the highest level of crypto development. They're not asking questions whenever they're trying to find answers like, "Hey, what is protocol? What is this token the ERC70, or whatever?" 
They're asking super, super detailed development questions because they clearly know what they're doing and they're trying to build something to work for them and their efforts they're doing. They will then the very next day take that exact same high level and apply it toward missile defense-related technology, satellite targeting. It's weird to be so good at so many different things and so fluid, but really if you look even in the blog that we've pushed, we kind of made an example of the famous Park Jin Hyok, all the efforts that he was a part of. WannaCry. He did some of the TraderTraitor crypto targeting, the Bangladesh heist, the Sony hack. There's many -- there's others like him and they all operate at such a, such a high level whereas, you know, the rest of the country sometimes can't even get the lights on or basic human resources, you know.

Dave Bittner: Yeah. Where do you suppose we're headed here? As you look towards the future, is this sort of a cat-and-mouse game? Is that the shape of things to come in your estimation?

Michael Barnhart: I feel like we're close to that and I think we're getting better about getting out of it. This blog we did is -- it's a drop in the bucket compared to all the people doing very similar efforts just trying to get the word out. These North Korea and their cyber efforts, they're under the radar, and it's exactly where they want to be. I know that a lot of the crypto efforts and a lot of the things that are happening in the crypto space is kind of letting the world know that, you know, they are a lot more skilled than we're, you know, giving them credit for. I think this, I don't think we need another 9/11 to happen. Do you remember when it happened? Everyone was suddenly, you know, they became focused on counterterrorism and everyone wanted to do all these things and really kind of get in the fight. And that was our wake-up call. And then, you know, just a huge push for around the world, our government and several other ones, you know, getting smart on counterterrorism and building up efforts, and really, you know, this will never happen again. My problem is that we don't need another type of 9/11 type of event to happen in cyberspace to suddenly be aware of the threat that North Korea is. We can see what they're doing. We know where they are and the weapons development plan. We've seen all of the missile tests that were going on this year. And they are happening at an, you know, alarming rate, much, much faster they have in the past. We see what they're targeting in the cyber space and we know what the country wants based on the questions they're asking and the activities they're doing. We should be getting ready, we shouldn't be so reactionary. We should be more proactive. And that's one thing that we're doing at Mandiant and at Google Cloud, it's something that we're working with our partners on, and we're just trying to get everyone on the same page so that we can be ahead of the curve instead of behind it, you know. [ Music ]

Dave Bittner: Ben, what do you think?

Ben Yelin: As if we need something else to worry about. I mean, there are already a lot of foreign adversaries that are pretty advanced in their cyber capabilities, Russia and China foremost among them. But this country has unfortunately a lot of enemies and the DPRK is one of them, so to hear their level of sophistication is kind of disturbing.

Dave Bittner: Yeah, it's interesting to me how much because of North Korea's place in the world of being a global outcast, the degree to which their activities have to do with basically stealing other people's money, you know.

Ben Yelin: Yeah, I mean, there is just not that much you can produce in a small country that's cut off to the entire world. It's pretty impossible to visit North Korea, let alone engage in commerce with North Korea.

Dave Bittner: Right, right. Not a very robust tourist industry.

Ben Yelin: And it's certainly not although I actually know people who have been there which is kind of crazy to me. I would not do that myself. But to each their own, I guess.

Dave Bittner: Yeah, that's fascinating. All right. Well, again, our thanks to Michael Barnhart from Mandiant for joining us. We do appreciate him taking the time. [ Music ] That is our show. We want to thank all of you for listening. A quick reminder that N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at Our Executive Producer is Jennifer Eiben. The show is edited by Tré Hester. Our Executive Editor is Peter Kilpe. I'm Dave Bittner.

Ben Yelin: And I'm Ben Yelin.

Dave Bittner: Thanks for listening. [ Music ]