Despite two recent summits between the United States and North Korea in Singapore and Hanoi, North Korea continues to build its strategic capabilities that pose a serious threat to the United States and its allies. While best known for their nuclear weapons program, the asymmetric and subtle nature of North Korea’s cyber capabilities present a more immediate danger, especially because the international community lacks a normative framework for addressing the issue. Preserving international security in the digital age relies on U.S. leadership to establish independent technical organizations, regional assurance, and domestic cooperation.
What threats exist in cyberspace?
Cyberspace, like physical space, is closely tied to notions of property and nationality. At its core, cyberspace is a network of computers that communicate, store, and share information online. However, ownership of the requisite physical hardware can create a basis for conflict, theft, and security breaches between various actors, including states, companies, private groups, and even individuals.
However, cyber conflicts have never escalated into war. An independent group of experts sponsored by NATO produced the Tallinn Manual and its successor, the Tallinn Manual 2.0, to apply existing international law to cyberspace. These experts claim a cyberattack only constitutes an act of war if it has the effect of a physical act of war. Technically, since no one has ever been killed by a cyberattack, the world has never seen true cyberwar.
This does not discount the significant threat of global cybercrime. The United Nations broadly defines cybercrime as “offences against the confidentiality, integrity and availability of computer data and systems.” As valuable assets like intelligence or cryptocurrency become increasingly linked to data and its transmission over the internet, state-sponsored and criminal groups have learned to co-opt computer weaknesses to gain access, ultimately sapping a trillion dollars from the U.S. and world economy every year. Even if conventional regulations could account for all the implications of new tech, the exponential rate of its development would outpace them. Regulating existing cyberspace can be daunting in and of itself; search engines can currently retrieve only 4% of the internet, known as the “clear internet.” The other 96%, the “dark web,” is intentionally difficult to access. This impenetrability protects the worst of human rights abusers and criminals.
What are North Korea’s cyber capabilities?
This lack of regulation enables North Korea’s state-sponsored groups to extort financial institutions, disrupt critical infrastructure, and steal government intelligence by relatively low-cost means, which include maintaining a government intranet and routing cyberattacks through proxies in China and New Zealand.
The Kim regime continues to support its WMD program by diverting cash flows from international banks into state coffers, long starved by international sanctions imposed in 2016 and 2017. According to ex-NSA official Priscilla Moriuchi, manipulating cryptocurrency in South Korea and outright stealing from conventional banks in Africa and Asia have illegally generated about $700 million worth of revenue for North Korea. The most recent report from the U.N. totals the proceeds from these cyber financial crimes at $2 billion. Experts fear that state-sponsored groups have also enabled ship-to-ship transfers of resources and fuel to alleviate the economic pressure of isolation. This funnel of stolen money to nuclear weapons systems directly undermines longstanding U.S. policy to denuclearize North Korea.
Additionally, North Korea directly threatens U.S. and international infrastructure by engaging in cyber-enabled economic warfare, or the use of cyberattacks “to weaken [an adversary’s] economy and thereby reduce its political and military power.” For example, the North Koreans wiped Sony Pictures’ computer infrastructure and leaked a massive amount of employee information, all in response to the production of a film that caricatured Kim Jong-un. The whole incident cost the company an estimated $15 million. North Korean agents were also implicated in the WannaCry ransomware attacks in 2017, in which a distributed denial of service attack (DDoS) affected more than 230,000 computers in more than 100 countries, shutting down the British healthcare system and imposing $8 billion in damages. A similar attack could decimate U.S. critical infrastructure, causing a catastrophe on par with a natural disaster like Superstorm Sandy and damages upwards of $53 billion.
North Korean cyber espionage also aims to maintain a diplomatic advantage in negotiations with the South Korean and U.S. governments. At least two separate North Korean cyber groups are dedicated to extracting information on South Korean and American domestic policy deliberations, the debate on denuclearization, and political concerns within the U.S.-ROK alliance itself. Extracting key U.S. concessions is already difficult; allowing North Korea to gain additional leverage runs directly against the national interest.
Why has there been no retaliation?
Despite North Korea’s record, there has been little retaliation, for both technical and normative reasons. On the technical side, the code snippets and timestamps often used as evidence can be manipulated, making attribution of an attack difficult. Attempts to document such code trails may eventually backfire as attackers use publicized research to better deceive future investigations. Some researchers also posit that North Korea’s underdeveloped cyberspace, stunted by state censorship and lack of access, would be a poor target for U.S. or South Korean forces. Since few connections to the outside world exist, the state can easily secure its network against outside attack. On the other hand, the magnitude of the U.S. or South Korea’s intellectual property, network connectedness, and mobile device use makes the success of a cyberattack more likely and more costly to bear.
Despite the extent of this threat, governments have failed to work together. Private companies have set a precedent for collaboration through a database documenting terrorist abuse of media in the Global Internet Forum to Counter Terrorism. Member entities can better safeguard their platforms by monitoring repeat offenders and sharing research on identifying exploitation of their services. While President Obama’s Cybersecurity Information Sharing Act streamlines intelligence sharing amongst U.S. stakeholders, no equivalent platform exists for the international community.
International law’s inability to adapt continues to allow state-sanctioned cybercriminals to undermine the rule of law with impunity. While private companies may be able to remove malicious users, malign cyberattacks can fail to meet the threshold for armed attacks, precluding the possibility of just retaliation or a collective defense mechanism. Even when they do inflict damage, international law impedes the detection and prosecution of transnational cybercrimes. The publication of Tallinn 2.0 upholds the principles of state sovereignty and due diligence, preventing a state from taking direct action against an attacker in another country until proof of the attack compels the host state and the routing state to eliminate the threat. Until then, the target state can incur significant damage from a cyberattack. Furthermore, constant technological advancement prevents countries from seeking accountability through international treaties or traditional nonproliferation regimes; innovation would likely outpace any gains from the negotiations themselves. Criminals are allowed to attack with further impunity because the bad press associated with being a victim leads to the underreporting of incidents that others could learn from.
Finally, the lack of public-private coordination reduces the overall quality of any objective investigation into an attack. Because governments and the private sector often analyze attacks independently and use disparate nomenclature in their analyses, collaboration across organizations is difficult. For example, the well-regarded cybersecurity firm CrowdStrike labels the North Koreans behind WannaCry “STARDUST CHOLLIMA”; the U.S. government calls them “HIDDEN COBRA”; most private sector companies use “the Lazarus Group”; and the group refers to itself as the “Guardians of Peace.” As such, prosecuting the perpetrators of a cyberattack can become a confusing and prolonged process.
Ultimately, the U.S. has resorted to ineffective “name and shame” tactics that attempt to undermine a nation’s normative power by exposing its culpability in a cyberattack. For example, in 2017 the U.S., Australia, Canada, Japan, and Britain formally accused North Korea of spawning WannaCry. However, this tactic is wholly ineffective against an isolated regime uninvested in the international community, especially when the condemnation is halfhearted.
What do we need to do?
The role of the internet in our everyday lives and national security will only grow. Allowing North Korea to continue exploiting and widening weaknesses in the global security apparatus is unacceptable. More focus and drastic action are needed to develop a wider and deeper framework for addressing cybercrime, on both an international level and a national one.
First, the balance between political independence and international accountability can be struck in the framework of a strictly technical organization like the IAEA. Dedicated to attributing international cyberattacks, this cyber organization would standardize analysis, provide technical assistance for securing civilian critical infrastructures, and train neutral auditors to investigate potential cyberattacks. These capabilities would remove speculation concerning the perpetrator and the extent of a cyberattack.
Going so far as to recommend appropriate responses to punish perpetrators would likely draw ire, not solidarity or support. Since the organization would likely receive most of its funding from Western nations committed to strengthening norms of international accountability, it should maintain its objectivity above all in order to build the respect and unbiased reliability necessary to make progress towards global accountability.
Second, priority must be given to developing U.S. unilateral capabilities at the international, regional, and domestic levels to counter and deter future North Korean attacks on the United States’ assets and capabilities. Addressing the circumvention of sanctions directly through the Security Council would set a precedent for addressing cybercrime in an institutionalized and transparent manner at the inter-state level.
Regionally, building cooperation and channels of information-sharing with allies such as South Korea, Japan, Australia, and India would raise the cost of launching cyberattacks on the U.S. and its allies, bolstering the region’s collective security and the strategic relationships that counter regional threats such as China. At the national level, establishing a national commission to bring U.S. government agencies and the private sector together would create structures for information sharing and collaboration.
Once the United States understands the gravity of the North Korean cyber threat, the next step is to define collective cyber defense. As a nation, the U.S. has an obligation to protect its citizens from a national security threat; as a global leader, the United States has an obligation to define the landscape of an emerging international security issue in terms of transparency and accountability.