
How to Halt North Korean Cyber Aggression

이강기 2022. 10. 5. 21:18


The United States and South Korea should develop a joint cyber deterrence strategy that clearly states the threshold of activities it seeks to deter and the alliance’s proportional responses.

 
by Eunjung Irene Oh

The National Interest, October 2, 2022

 

Amid growing threats in cyberspace, the Republic of Korea (ROK) under President Yoon Suk-yeol is likely to deepen its cyber cooperation with the United States. Unlike his predecessor, who had been criticized for being soft on Pyongyang, Yoon has made it clear that his administration will take a stern stance against North Korea’s aggression, including in cyberspace. Yoon’s administration has identified cybersecurity as one of the most pressing threats and designated it as a key national task. To that end, Yoon has repeatedly pledged to bolster cooperation with Washington on cybersecurity, as demonstrated by a joint statement issued just a week after his inauguration in which the word “cyber” appeared ten times.

 

In that statement, Washington and Seoul agreed to “expand cooperation to confront a range of cyber threats from the DPRK, including but not limited to, state-sponsored cyber-attacks.” The statement even included an entire paragraph on the specific focus areas of cyber policy: cyber deterrence, protection of critical infrastructure, and combating cybercrime and associated money laundering, to name a few. Most recently, both sides held their first cyber working-level group in Washington to discuss North Korea’s cyber threats and develop policy options to respond to those threats at the alliance level.

 

Despite these recent developments, South Korea and the United States have largely fallen short of making tangible progress in effectively deterring North Korea’s cyber threats. Cyber deterrence is the practice of preventing malicious cyber activities through the existence of a credible threat of counteraction. For successful deterrence, several conditions must be met: 1) A low level of aggressor motivation; 2) Clarity about who will be deterred and counteraction by deterring states; 3) A high level of confidence by an aggressor that defenders have the capability and will to carry out threats.

 

However, the current ROK-U.S. cyber strategy fails to address any of these elements, leaving North Korea to continue its cyber operations by reinforcing its perceptions that cyber operations are a low-cost and high-return enterprise. Key factors that have affected the North Korean regime’s cost-benefit analysis for carrying out cyberattacks include North Korea’s faltering economy and the United States and South Korea’s lack of credible retaliation measures. As a result, the current cyber strategies of the United States and the ROK need to be aligned to include elements of punishment in tandem with improved defensive cyber capabilities.

 

Cyber Operations: Low-Cost, High-Return

North Korea is known to employ cyber operations to achieve various strategic goals, including the punishment of critics who run afoul of the regime, intelligence gathering, and revenue generation. In recent years, cyberattacks have increasingly focused on generating income, primarily to sustain the regime and its nuclear program, as its economy has continued to shrink due to both internal and external factors, such as chronic food shortage and United Nations-led sanctions. The outbreak of COVID-19 and the following border closure have exacerbated North Korea’s economic situation; last year, its economy contracted at a record rate of 4.5 percent. These economic conditions have incentivized the North Korean regime to continue its cyber operations for financial profit. In 2021 alone, North Korea was believed to have stolen almost $400 million in cryptocurrency, marking a 40 percent increase compared to a year before. Given the cratering economy, North Korea is likely to continue its cyber operations, including cryptocurrency thefts, bank heists, ransomware and extortion, and attacks on cryptocurrency exchanges.

 

North Korea’s motivation to commit cyberattacks is also extremely high because Pyongyang believes it is low-risk, largely because it has been able to get away without appropriate punishment in the past. Instead of holding the DPRK accountable for its actions, the ROK and the United States have responded with passive measures, often without a coherent response at the alliance level. For instance, out of a series of cyberattacks against American and South Korean government institutions, media, financial infrastructure, and defense contractors since at least 2009, the alliance has neither made joint statements denouncing the DPRK in the immediate aftermath nor responded jointly with retaliatory actions that could have possibly discouraged the regime from pursuing future attacks. Instead, the alliance reacted by publishing a joint statement with vague wording, such as that the alliance “will continue to consult with one another to counter those threats [cyber threats emanating from North Korea],” which carries little signaling value.

 

The alliance has also lacked coordination in its responses to North Korea’s cyber aggression, mainly because of the two countries’ different approaches to cyber deterrence. For instance, the ROK’s main cyber strategy has been a purely defensive one that focuses on improving defensive cyber capabilities. According to the “110 key national tasks” released by the Yoon administration, the government will “strengthen its cyber deterrence capability” by “advancing hacking detection, disruption and tracking systems through research and development.” Likewise, the 2019 National Cyber Security Strategy published under the Moon Jae-in administration states that the “cyber deterrence strategy” is aimed at “developing preventive capabilities to collect, manage, and remove vulnerabilities in its networks.” In line with these deterrence strategies under two different administrations, the ROK has invested heavily in strengthening early warning and detection capabilities, mandating regular mock cyber crisis exercises in the government, and separating the intranet from the internet network for facilities and companies critical to national security.

 

On the other hand, the United States has taken a different trajectory by introducing a strategic concept that requires more proactive and “persistent engagement.” The new “Defend Forward” cyber strategy aims to “disrupt or halt malicious cyber activity at its source” by “defending against malicious cyberspace activities as far forward as possible” and “contesting adversary attempts to disrupt key government and military functions.” It is still unclear whether this strategy implies that the United States seeks to achieve deterrence in cyberspace, including by punishment. Past cases show that the United States may not be seeking deterrence by punishment, as indicated by a series of cyberattacks against North Korea in which the United States was suspected to be a perpetrator but never acknowledged its involvement. Whether or not the United States was behind these attacks with an aim to “deter” future threats from North Korea, Washington makes it clear that it seeks to achieve some level of deterrence against cyber threats. The 2020 Cyberspace Solarium Commission Final Report, for example, introduces the concept of “cyber layered deterrence,” which combines enhanced defense capabilities and a “clearer signaling strategy with collective action by [U.S.] partners and allies.” Despite the introduction of this concept, it is surprising that the ROK and the United States do not yet have any agreed-upon strategic framework that stipulates how the alliance will jointly respond to North Korea’s cyber operations, thereby clearly signaling to North Korea that its behavior in cyberspace will be met with a stern and consistent alliance response.

 

The Limitations of Denial

South Korea has mainly pursued deterrence by denial, that is, focusing on improving defensive cyber capabilities. Between 2019 and 2022, the South Korean government spent approximately $1 billion on cyber defense, especially on building data protection infrastructure. The reasoning for such a defensive strategy is that cyber aggressors will be less likely to conduct attacks if they believe that they have lower chances of success. Nevertheless, pursuing a defensive approach alone has had limited success in preventing the DPRK from conducting cyber operations; continued successful cyberattacks by state-backed North Korean hackers clearly demonstrate this limitation. This is because the denial strategy alone does little to address the actions and motivations of the attacker. In the current structure, even if the DPRK gets caught attempting to hack energy companies, for example, all it receives is public attribution by the South Korean government, with no retaliatory response. The DPRK has little, if any, incentive to halt cyber operations until the mission is successful, as it faces no retribution for its actions.

 

North Korea also has strong incentives to conduct cyber operations because it has much to gain from cyber operations against defenders with high internet connectivity and digitally reliant economies. It is extremely difficult for advanced, democratic states with high levels of internet penetration to develop, maintain, and strengthen cyber defense systems for all the vulnerable sectors that are capable of responding to continuously evolving offensive cyber threats. Plus, the government and publicly owned companies, which are often targets of cyberattacks, tend to lack the speed and agility necessary to respond to these attacks. Moreover, a high proportion of institutions in South Korea, including banks, media, hospitals, and defense contractors, are in the private domain and thus outside of government control, which makes oversight and seamless detection especially challenging. On the other hand, less than 1 percent of North Korea’s population has access to the internet, which means that it has far less of a need to invest in defense and can allocate most of its resources to developing offensive capabilities. Given this incentive structure, a simple denial strategy alone is unlikely to affect North Korea’s perceived costs and benefits of conducting cyber operations. To complement the strategy, South Korea needs a mechanism to credibly signal to North Korea that its aggression will be met with stern and consistent responses.

 

Realizing the limitations of past cyber strategies, the Yoon administration appears to be taking more proactive steps in strengthening South Korea’s cyber capabilities. Recently, cyber experts from South Korea participated for the first time in Cyber Flag 22, an annual U.S. Cyber Command exercise that offers realistic training against the activities of malicious cyber actors. Yoon also announced his plan to nurture “100,000 cyber warriors” that can “protect South Korea’s technology and cyber security amidst fierce cyber battles between major powers.” The announcement of the details of the plan signals a shift away from President Moon Jae-in’s approach toward developing a cyber force. While Moon had also stated that his government would “expand a cyber force,” at least on paper, his administration took no significant action toward meeting that goal, wary of growing its own cyber force for domestic political reasons. The Moon administration accused its Cyber Command of interfering in the presidential election by posting comments in favor of then-presidential candidate Park Geun-Hye. Moon even scrapped “cyber psychological warfare” conducted by the command to fight against the DPRK’s online misinformation campaigns. Unlike his predecessor, Yoon has neither a personal grudge against the Cyber Command nor an interest in politicizing the cyber unit. It is likely, therefore, that the Cyber Command will play a greater role in fighting North Korea’s cyber threats under Yoon, with more financial and human resources being devoted to the command.

However, given the publicly available information, the scope of operations that the ROK is willing to undertake to deter North Korea’s evolving cyber operations remains unclear. What is clearly lacking is an alignment between the South Korean and American cyber deterrence strategies, which is necessary to effectively address the motivations of the North Korean regime through collective action. The fragmented deterrence frameworks that the two countries currently have—one focusing on simple denial, and the other lacking a clear signaling mechanism for collective action—fall short in altering North Korea’s perceived costs of launching cyber operations. Rather than issuing vague diplomatic statements that do not credibly convey the alliance’s resolve to firmly respond to North Korea’s cyber aggression, the alliance should communicate its intent and commitment to counteracting Pyongyang’s aggression in cyberspace in order to prevent operations from being carried out in the first place.

 

A Joint Cyber Deterrence Strategy

 

Several key elements have to be agreed upon between the two allies in developing a joint cyber deterrence framework. First, what types of cyber operations and what level of activities does the alliance seek to deter? Answering this question is critical for developing appropriate response options and credibly communicating the “red line” to the adversary. As in conventional deterrence, defining a low-threshold cyberattack and devising a proportionate response measure can be particularly challenging.

 

The alliance can first try to deter the most dangerous types of cyberattacks. Such attacks include disruptions to critical infrastructure, including but not limited to joint U.S.-ROK military assets, power generation and distribution facilities, and nuclear plants. Of course, the alliance would need to agree on what constitutes “critical infrastructure.” With this basic agreement, the allies should consider revising the Mutual Defense Treaty or extended deterrence framework to explicitly include cyber threats as “armed attacks,” which would formally acknowledge that the alliance is prepared to act jointly to counter cyber threats.

 

Second, what would the proportional responses be if that “red line” is crossed? Would the alliance conduct a cyber response or use non-cyber retaliation? In the case of retaliatory responses against the DPRK, it could be argued that North Korea’s extremely limited internet access may limit the effectiveness of offensive cyber operations against the North. However, past cases show that an attack against North Korean servers could, at the very least, cause a significant nuisance to Kim Jong-un. For instance, an American hacker once took down North Korea’s entire internet connectivity.

 

Even though the deterrence effect of offensive cyberattacks should be assessed further, the alliance’s offensive capability can still serve as a useful tool for cyber deterrence by increasing the DPRK’s level of confidence that the two countries can retaliate. In addition to cyber responses, the alliance should consider responding with cross-domain options. In this case, the challenge would be to clearly establish what threshold a cyberattack would need to reach in order to be met with a specific non-cyber response and to manage the risk of escalation after the counteraction. However, the risk of escalation can be mitigated by clearly communicating with the adversary the threshold and corresponding response in advance. With this strategic framework, the alliance could jointly issue a diplomatic statement demonstrating its intent to make good on its threats.

 

This is not to argue that a denial strategy is a complete failure and that the alliance should shift away from improving its defensive cyber capabilities. However, the current denial strategy alone does not alter the incentives of the North Korean regime to conduct cyber operations. Thus, the alliance should implement a joint cyber deterrence strategy involving punishment in tandem with the existing focus on cyber defense. In addition to planning a strategic cyber defense framework, South Korea and the United States must continue their effort to strengthen their technical capability to defend against cyberattacks through exercises, training, workshops, and information sharing.

 

It may be argued that cyber deterrence is impossible because of the difficulties of attribution. As some scholars argue, North Korea’s advanced techniques to avoid detection may make early detection and attribution difficult for target states.

 

However, there is evidence that the attribution issue can be mitigated. For instance, research has found that deterrence may be possible even with imperfect attribution if certain improvements, such as reducing false alarms or replacing misidentification with non-detection, can be made. Moreover, an anonymous member of the UN Security Council Sanctions Committee on North Korea noted that recent developments in attribution technologies have made attribution less challenging than before.

 

In sum, focusing on the denial strategy alone, as South Korea has done, is ineffective in halting North Korea’s cyber aggression, while U.S. cyber strategy lacks a clear and credible signaling mechanism for how it will act collectively with allies and partners in response to cyber operations. To address this gap, the alliance should develop a joint cyber deterrence strategy—including appropriate punishment measures—which clearly states the threshold of activities it seeks to deter and its proportional responses. At the same time, the two countries should continue to strengthen their cyber resilience in partnership with other global and regional partners.

 

Eunjung Irene Oh is a participant in the North Korea Cyber Working Group (NKCWG), an initiative of the Korea Project at the Belfer Center for Science and International Affairs at Harvard University. The author would like to thank members of NKCWG for their feedback and insight.

 

Opinions, conclusions, and recommendations expressed or implied within are solely those of the author and do not represent the views of the United Nations, where Eunjung currently works.

 
