Amid growing threats in cyberspace, the Republic of Korea (ROK) under President Yoon Suk-yeol is likely to deepen its cyber cooperation with the United States. Unlike his predecessor, who had been criticized for being soft on Pyongyang, Yoon has made it clear that his administration will take a stern stance against North Korea’s aggression, including in cyberspace. Yoon’s administration has identified cybersecurity as one of the most pressing threats and designated it as a key national task. To that end, Yoon has repeatedly pledged to bolster cooperation with Washington on cybersecurity, as demonstrated by a joint statement issued just a week after his inauguration in which the word “cyber” appeared ten times. In that statement, Washington and Seoul agreed to “expand cooperation to confront a range of cyber threats from the DPRK, including but not limited to, state-sponsored cyber-attacks.” The statement even included an entire paragraph on the specific focus areas of cyber policy: cyber deterrence, protection of critical infrastructure, and combating cybercrime and associated money laundering, to name a few. Most recently, both sides held their first cyber working-level group in Washington to discuss North Korea’s cyber threats and develop policy options to respond to those threats at the alliance level.
Despite these recent developments, South Korea and the United States have largely fallen short of making tangible progress in effectively deterring North Korea’s cyber threats. Cyber deterrence is the practice of preventing malicious cyber activities through the existence of a credible threat of counteraction. For successful deterrence, several conditions must be met: 1) A low level of aggressor motivation; 2) Clarity about who will be deterred and counteraction by deterring states; 3) A high level of confidence by an aggressor that defenders have the capability and will to carry out threats. However, the current ROK-U.S. cyber strategy fails to address any of these elements, leaving North Korea to continue its cyber operations by reinforcing its perceptions that cyber operations are a low-cost and high-return enterprise. Key factors that have affected the North Korean regime’s cost-benefit analysis for carrying out cyberattacks include North Korea’s faltering economy and the United States and South Korea’s lack of credible retaliation measures. As a result, the current cyber strategies of the United States and the ROK need to be aligned to include elements of punishment in tandem with improved defensive cyber capabilities.
Cyber Operations: Low-Cost, High-Return
North Korea is known to employ cyber operations to achieve various strategic goals, including the punishment of critics who run afoul of the regime, intelligence gathering, and revenue generation. In recent years, cyberattacks have increasingly focused on generating income, primarily to sustain the regime and its nuclear program, as its economy has continued to shrink due to both internal and external factors, such as chronic food shortage and United Nations-led sanctions. The outbreak of COVID-19 and the following border closure have exacerbated North Korea’s economic situation; last year, its economy contracted at a record rate of 4.5 percent. These economic conditions have incentivized the North Korean regime to continue its cyber operations for financial profit. In 2021 alone, North Korea was believed to have stolen almost $400 million in cryptocurrency, marking a 40 percent increase compared to a year before. Given the cratering economy, North Korea is likely to continue its cyber operations, including cryptocurrency thefts, bank heists, ransomware and extortion, and attacks on cryptocurrency exchanges.
North Korea’s motivation to commit cyberattacks is also extremely high because Pyongyang believes it is low-risk, largely because it has been able to get away without appropriate punishment in the past. Instead of holding the DPRK accountable for its actions, the ROK and the United States have responded with passive measures, often without a coherent response at the alliance level. For instance, out of a series of cyberattacks against American and South Korean government institutions, media, financial infrastructure, and defense contractors since at least 2009, the alliance has neither made joint statements denouncing the DPRK in the immediate aftermath nor responded jointly with retaliatory actions that could have possibly discouraged the regime from pursuing future attacks. Instead, the alliance reacted by publishing a joint statement with vague wording, such as that the alliance “will continue to consult with one another to counter those threats [cyber threats emanating from North Korea],” which carries little signaling value.
The alliance has also lacked coordination in its responses to North Korea’s cyber aggression, mainly because of the two countries’ different approaches to cyber deterrence. For instance, the ROK’s main cyber strategy has been a purely defensive one that focuses on improving defensive cyber capabilities. According to the “110 key national tasks” released by the Yoon administration, the government will “strengthen its cyber deterrence capability” by “advancing hacking detection, disruption and tracking systems through research and development.” Likewise, the 2019 National Cyber Security Strategy published under the Moon Jae-in administration states that the “cyber deterrence strategy” is aimed at “developing preventive capabilities to collect, manage, and remove vulnerabilities in its networks.” In line with these deterrence strategies under two different administrations, the ROK has invested heavily in strengthening early warning and detection capabilities, mandating regular mock cyber crisis exercises in the government, and separating the intranet from the internet network for facilities and companies critical to national security.
On the other hand, the United States has taken a different trajectory by introducing a strategic concept that requires more proactive and “persistent engagement.” The new “Defend Forward” cyber strategy aims to “disrupt or halt malicious cyber activity at its source” by “defending against malicious cyberspace activities as far forward as possible” and “contesting adversary attempts to disrupt key government and military functions.” It is still unclear whether this strategy implies that the United States seeks to achieve deterrence in cyberspace, including by punishment. Past cases show that the United States may not be seeking deterrence by punishment, as indicated by a series of cyberattacks against North Korea in which the United States was suspected to be a perpetrator but never acknowledged its involvement. Whether or not the United States was behind these attacks with an aim to “deter” future threats from North Korea, Washington makes it clear that it seeks to achieve some level of deterrence against cyber threats. The 2020 Cyberspace Solarium Commission Final Report, for example, introduces the concept of “cyber layered deterrence,” which combines enhanced defense capabilities and a “clearer signaling strategy with collective action by [U.S.] partners and allies.” Despite the introduction of this concept, it is surprising that the ROK and the United States do not yet have any agreed-upon strategic framework that stipulates how the alliance will jointly respond to North Korea’s cyber operations, thereby clearly signaling to North Korea that its behavior in cyberspace will be met with a stern and consistent alliance response.
The Limitations of Denial
South Korea has mainly pursued deterrence by denial, that is, focusing on improving defensive cyber capabilities. Between 2019 and 2022, the South Korean government spent approximately $1 billion on cyber defense, especially on building data protection infrastructure. The reasoning for such a defensive strategy is that cyber aggressors will be less likely to conduct attacks if they believe that they have lower chances of success. Nevertheless, pursuing a defensive approach alone has had limited success in preventing the DPRK from conducting cyber operations; continued successful cyberattacks by state-backed North Korean hackers clearly demonstrate this limitation. This is because the denial strategy alone does little to address the actions and motivations of the attacker. In the current structure, even if the DPRK gets caught attempting to hack energy companies, for example, all it receives is public attribution by the South Korean government, with no retaliatory response. The DPRK has little, if any, incentive to halt cyber operations until the mission is successful, as it faces no retribution for its actions.
North Korea also has strong incentives to conduct cyber operations because it has much to gain from cyber operations against defenders with high internet connectivity and digitally reliant economies. It is extremely difficult for advanced, democratic states with high levels of internet penetration to develop, maintain, and strengthen cyber defense systems for all the vulnerable sectors that are capable of responding to continuously evolving offensive cyber threats. Plus, the government and publicly owned companies, which are often targets of cyberattacks, tend to lack the speed and agility necessary to respond to these attacks. Moreover, a high proportion of institutions in South Korea, including banks, media, hospitals, and defense contractors, are in the private domain and thus outside of government control, which makes oversight and seamless detection especially challenging. On the other hand, less than 1 percent of North Korea’s population has access to the internet, which means that it has far less of a need to invest in defense and can allocate most of its resources to developing offensive capabilities. Given this incentive structure, a simple denial strategy alone is unlikely to affect North Korea’s perceived costs and benefits of conducting cyber operations. To complement the strategy, South Korea needs a mechanism to credibly signal to North Korea that its aggression will be met with stern and consistent responses.