How to Halt North Korean Cyber Aggression

The United States and South Korea should develop a joint cyber deterrence strategy that clearly states the threshold of activities it seeks to deter and the alliance’s proportional responses.

Realizing the limitations of past cyber strategies, the Yoon administration appears to be taking more proactive steps in strengthening South Korea’s cyber capabilities. Recently, cyber experts from South Korea participated for the first time in Cyber Flag 22, an annual U.S. Cyber Command exercise that offers realistic training against the activities of malicious cyber actors. Yoon also announced his plan to nurture “100,000 cyber warriors” that can “protect South Korea’s technology and cyber security amidst fierce cyber battles between major powers.” The announcement of the details of the plan signals a shift away from President Moon Jae-in’s approach toward developing a cyber force. While Moon had also stated that his government would “expand a cyber force,” at least on paper, his administration took no significant action toward meeting that goal, wary of growing its own cyber force for domestic political reasons. The Moon administration accused its Cyber Command of interfering in the presidential election by posting comments in favor of then-presidential candidate Park Geun-Hye. Moon even scrapped “cyber psychological warfare” conducted by the command to fight against the DPRK’s online misinformation campaigns. Unlike his predecessor, Yoon has neither a personal grudge against the Cyber Command nor an interest in politicizing the cyber unit. It is likely, therefore, that the Cyber Command will play a greater role in fighting North Korea’s cyber threats under Yoon, with more financial and human resources being devoted to the command.

However, given the publicly available information, the scope of operations that the ROK is willing to undertake to deter North Korea’s evolving cyber operations remains unclear. What is clearly lacking is an alignment between the South Korean and American cyber deterrence strategies, which is necessary to effectively address the motivations of the North Korean regime through collective action. The fragmented deterrence frameworks that the two countries currently have—one focusing on simple denial, and the other lacking a clear signaling mechanism for collective action—fall short in altering North Korea’s perceived costs of launching cyber operations. Rather than issuing vague diplomatic statements that do not credibly convey the alliance’s resolve to firmly respond to North Korea’s cyber aggression, the alliance should communicate its intent and commitment to counteracting Pyongyang’s aggression in cyberspace in order to prevent operations from being carried out in the first place.

A Joint Cyber Deterrence Strategy

Several key elements have to be agreed upon between the two allies in developing a joint cyber deterrence framework. First, what types of cyber operations and what level of activities does the alliance seek to deter? Answering this question is critical for developing appropriate response options and credibly communicating the “red line” to the adversary. As in conventional deterrence, defining a low-threshold cyberattack and devising a proportionate response measure can be particularly challenging.

The alliance can first try to deter the most dangerous types of cyberattacks. Such attacks include disruptions to critical infrastructure, including but not limited to joint U.S.-ROK military assets, power generation and distribution facilities, and nuclear plants. Of course, the alliance would need to agree on what constitutes “critical infrastructure.” With this basic agreement, the allies should consider revising the Mutual Defense Treaty or extended deterrence framework to explicitly include cyber threats as “armed attacks,” which would formally acknowledge that the alliance is prepared to act jointly to counter cyber threats.

Second, what would the proportional responses be if that “red line” is crossed? Would the alliance conduct a cyber response or use non-cyber retaliation? In the case of retaliatory responses against the DPRK, it could be argued that North Korea’s extremely limited internet access may limit the effectiveness of offensive cyber operations against the North. However, past cases show that an attack against North Korean servers could, at the very least, cause a significant nuisance to Kim Jong-un. For instance, an American hacker once took down North Korea’s entire internet connectivity. Even though the deterrence effect of offensive cyberattacks should be assessed further, the alliance’s offensive capability can still serve as a useful tool for cyber deterrence by increasing the DPRK’s level of confidence that the two countries can retaliate. In addition to cyber responses, the alliance should consider responding with cross-domain options. In this case, the challenge would be to clearly establish what threshold a cyberattack would need to reach in order to be met with a specific non-cyber response and to manage the risk of escalation after the counteraction. However, the risk of escalation can be mitigated by clearly communicating the threshold and corresponding response to the adversary in advance. With this strategic framework, the alliance could jointly issue a diplomatic statement demonstrating its intent to make good on its threats.

This is not to argue that a denial strategy is a complete failure and that the alliance should shift away from improving its defensive cyber capabilities. However, the current denial strategy alone does not alter the incentives of the North Korean regime to conduct cyber operations. Thus, the alliance should implement a joint cyber deterrence strategy involving punishment in tandem with the existing focus on cyber defense. In addition to planning a strategic cyber defense framework, South Korea and the United States must continue their effort to strengthen their technical capability to defend against cyberattacks through exercises, training, workshops, and information sharing.

It may be argued that cyber deterrence is impossible because of the difficulties of attribution. As some scholars argue, North Korea’s advanced techniques to avoid detection may make early detection and attribution difficult for target states. However, there is evidence that the attribution issue can be mitigated. For instance, research has found that deterrence may be possible even with imperfect attribution if certain improvements, such as reducing false alarms or replacing misidentification with non-detection, can be made. Moreover, an anonymous member of the UN Security Council Sanctions Committee on North Korea noted that recent developments in attribution technologies have made attribution less challenging than before.

In sum, focusing on the denial strategy alone, as South Korea has done, is ineffective in halting North Korea’s cyber aggression, while U.S. cyber strategy lacks a clear and credible signaling mechanism for how it will act collectively with allies and partners in response to cyber operations. To address this gap, the alliance should develop a joint cyber deterrence strategy—including appropriate punishment measures—which clearly states the threshold of activities it seeks to deter and its proportional responses. At the same time, the two countries should continue to strengthen their cyber resilience in partnership with other global and regional partners.

Eunjung Irene Oh is a participant in the North Korea Cyber Working Group (NKCWG), an initiative of the Korea Project at the Belfer Center for Science and International Affairs at Harvard University. The author would like to thank members of NKCWG for their feedback and insight.

Opinions, conclusions, and recommendations expressed or implied within are solely those of the author and do not represent the views of the United Nations, where Eunjung currently works.
