Vulnerable information security

A drill against hacking conducted by the National Computing and Information Agency has shown the vulnerability of the country’s information infrastructure. Members of college hacking clubs found unencrypted passwords to a data center that operates the entire information system of the government. In a mock attack in 2007, 57 of 67 government organizations were also found to be vulnerable.

Prosecutors announced Monday that the April 12 cyber attack on the National Agricultural Cooperatives Federation, or Nonghyup, was traced to North Korea. North Korea can also target computer networks of other financial institutions, Korea Exchange, and the Korea Financial Telecommunications and Clearings Institute as well as networks of nuclear power plants, military facilities and transportation systems. The 2007 Hollywood action film “Die Hard 4.0” describes how terrorists can paralyze American transportation, financial, electricity and gas systems by hacking the country’s central computer network. Such a dreadful situation could happen in real life.

In the past, cyber hackers took advantage of the weakness of a system to spread malignant codes and create network disruptions. Nowadays, however, they have become more organized and sophisticated with clear purposes and targets as seen in the hacking into financial institutions and online game sites. To break into computer networks with high security, hackers turn personal computers into zombie PCs. They also employ a stealth method that makes it difficult to detect and analyze malignant codes and hacking techniques.

Stuxnet, which targets national infrastructure, is more dangerous. The malware infiltrates a government organization’s integrated control system and paralyzes it. Last year, Stuxnet attacked a nuclear power plant in Iran and shut down 20 percent of the facility’s centrifuges. Automated control systems at China’s Sanchia dam and high-speed railway were also affected by the malware. Stuxnet moves from PC to PC and infiltrates computers at industrial facilities via USB drivers. Prosecutors said 1,300 personal computers in Korea were infected with the malignant code.

In the wake of the distributed denial of service (DDoS) attack in 2009, the government strengthened its preparedness against cyber attacks and fostered security personnel. As seen in the massive cyber attack on Nonghyup, however, even experts were found to have weak security awareness. In addition, identifying the route of the attack is tough because the bank’s network system was operated by a subcontractor. In this digitalized era, information security is part of a country’s infrastructure. The government needs to conduct a comprehensive review of domestic information infrastructure to preempt a security crisis that can paralyze the entire country.