Tag Archive | "cyber"

More Bilateral U.S.-ROK Cooperation Needed in Cyber Policy

By Terrence Matsuo

One of the newest areas in national security is cyber policy. Policymakers in the United States and South Korea have outlined its importance and identified areas of concern such as North Korea’s cyber activities. But there remain important questions for the alliance to answer.

Both American and Korean strategy documents highlight the importance of cybersecurity to national defense. In the national security strategy released by the Trump administration in 2017, the U.S. government notes that “cyberspace offers states and non-state actors the ability to wage campaigns against American political, economic, and security interests without ever physically crossing our borders.” The administration adds that “cyberattacks have become a key feature of modern conflict,” in order for states to project influence and defend their interests.

Similarly, the most recent South Korean Ministry of National Defense white paper notes that “cyberattacks constitute another serious type of transnational threat.” It lists the WannaCry and NotPetya attacks of 2017, and an attack on a Turkish cryptocurrency exchange in 2018, as examples of these kinds of incidents. “Many countries around the world are accelerating efforts to develop a strategy for responding to cyber-threats,” it observes.

Although the U.S. and South Korea share similar views of the threat posed by cyberattacks, there are certain ambiguities that must be addressed. In particular, there is the question of what the appropriate response to a North Korean cyberattack on either side would be. “North Korea is a cyber superpower,” says Lt. Gen. Chun In-Bum, a retired member of the South Korean military. “North Korea’s ability and intent to harm and cripple the United States and South Korea should not be taken lightly.”

But although these policy documents identify the threat from North Korea, other documents need to be updated or clarified. Because the mutual defense treaty that outlines the U.S.-ROK alliance entered into force in 1953, it is not surprising that it offers little perspective on cybersecurity. Article III of the treaty says that an “armed attack” on territory under either American or Korean jurisdiction “would be dangerous to its own peace and safety,” and that both “would act to meet the common danger in accordance with its constitutional processes.”

Experts have varying views on what kind of response would be appropriate for a cyberattack from North Korea. Lt. Gen. Chun said that a response would be conditioned by the damage it inflicted. “If it is just a lot of money, I don’t see the Defense Treaty being invoked,” he said in an email. But he also said: “If a cyberattack causes loss of life that’s a different matter, especially if it is a lot of people.” Col. David Maxwell is a retired member of the U.S. military now working as an analyst at the Foundation for Defense of Democracies. During a livestreamed event held by KEI, he observed that “if you take down [the] infrastructure of Seoul, or New York City, or Washington, DC, you are going to create tremendous problems for the citizens in those countries.”

Other experts are pessimistic that the alliance would have a unified position, much less reaction. Joshua Stanton is an analyst of issues on the Korean Peninsula. In an email, he said that in the event of a North Korean cyberattack, “the government in Seoul would be paralyzed by doubt and hesitation, the alliance would be paralyzed by mutual distrust, and Washington would be paralyzed by Trump’s isolationist impulses, his broader antipathy toward South Korea, and his election-year interest in claiming a diplomatic success through his summits with Kim.”

Mr. Stanton warns: “In all likelihood…Kim probably calculates that there would be no response at all. The implications for deterrence are obvious.”

Thus it is critical that American and Korean officials determine how the alliance will handle threats in the cyber domain. The foreign ministries of the U.S. and South Korea have held a series of meetings focused specifically on cyber policy issues. The first round of talks was held in 2012, between Song Bong-heon, Ambassador for International Security Affairs, and Christopher Painter, Coordinator for Cyber Issues. Citing South Korean officials, Yonhap reported at the time that the two officials discussed “ways to strengthen bilateral cooperation for protecting critical government infrastructure and enhancing online security.”

The talks have been held biannually since, with the most recent being in 2018. According to a readout from the State Department, Robert Strayer, Deputy Assistant Secretary for Cyber and International Communications and Information Policy, met with Ambassador Moon Duk-ho, a successor to Ambassador Song. Both officials led delegations that included representatives from other ministries and agencies related to security and diplomacy from their respective governments. Beyond defending government infrastructure from cyberattacks, they discussed capacity building, information sharing, and military-to-military cyber cooperation, among other topics.

Unlike their diplomatic counterparts, defense officials have held no meetings focused solely on issues in the cyber domain. But public statements do indicate there is an awareness of the need for greater cooperation in this area. The 51st US-ROK Security Consultative Meeting was held in November of last year and included American Secretary of Defense Mark Esper and South Korean Minister of National Defense Jeong Kyeong Doo. In a joint statement released after the meeting, both sides “committed to maintain close communication and coordination in the cyber domain, including sharing trends of cyber threats as well as corresponding policy changes in their respective nations and discussing common issues of interest.”

In some instances the U.S. has clarified its obligations under alliance treaties with regard to a cyberattack. Bruce Klingner, an analyst for the Heritage Foundation, points to the U.S.-Japan Security Consultative Meeting of 2019 as one example. Secretary of State Pompeo and Acting Secretary of Defense Shanahan met with Minister for Foreign Affairs Kono and Minister of Defense Iwaya in Washington. A joint statement released after the meeting said: “The Ministers affirmed that international law applies in cyberspace and that a cyberattack could, in certain circumstances, constitute an armed attack for the purposes of Article V of the U.S.-Japan Security Treaty.”

It is not clear if or when American and Korean officials will meet to discuss these issues. The negotiations over burdensharing and the coronavirus pandemic have weighed heavily on both bilateral relations and international meetings in general. However, experts are optimistic that talks are likely to be held despite these pressures. Mr. Klingner said that the U.S.-ROK Security Consultative Meeting is usually held in the fall, and Col. Maxwell said that a meeting could be held virtually, as many other international summits have been this year.

As cybersecurity remains an unexplored topic for policymakers in both the U.S. and South Korea, further discussions between both governments are imperative. According to Jenny Town, the Deputy Director of 38 North, the public record clearly demonstrates that Pyongyang is looking to use cyber operations to further its national interest, whether for electronic robbery or for intelligence gathering. “North Korea’s cyber capabilities have really improved in recent years, and their confidence seems to be growing as well,” she said.

Terrence Matsuo is a writer and analyst of American foreign policy in the Indo-Pacific region and a Contributing Author for The Peninsula. The views expressed here are the author’s alone.

Image from Markus Spiske’s photostream on flickr Creative Commons.



The Jig Is Not Yet Up: Kim Jong-un Turns to Cyber Crime

By Linnea Logie

Kim Jong-un and his inner circle have since the beginning of 2018 professed their ardent desire for peace on the Korean peninsula.  Yet however impassioned their rhetorical allusions to the prospect of peacefully reunifying the Korean peninsula and integrating North Korea (DPRK) into the global community, North Korean leaders are keenly aware that attempting a major pivot would undermine the ideological and theoretical basis of regime legitimacy.  Fearful that relinquishing nuclear weapons and seeking out alternative means of regime security would precipitate their downfall, Kim and company remain intent on developing alternative means of not only defending elite activities against external interference, but also inflicting damage on so-called foreign “enemies.”  Continued nuclear-weapons development, for all the attention it receives from the outside world, is only part of this broader strategy.

The regime has not survived on the threat of nuclear terrorism alone.  Contrary to popular belief, North Korea is rapidly amassing capabilities with arguably greater destructive potential than nuclear or ballistic missiles.  Pyongyang’s elaborate licit and illicit financial networks grow more sophisticated and its army of cyber warriors grows more adept with each passing day, posing fearsome threats to Northeast Asia, the United States, and the entire international system.  This has become increasingly evident under the leadership of Kim Jong-un, who has overseen a dramatic expansion of criminal activities into the vast realm of cyberspace to bolster the economic security of the ruling class, as well as threaten the national interests of foreign adversaries.  These malicious activities belie the appearance of civility and openness crafted so carefully by the North Korean leadership since it launched a pre-Olympics charm offensive in early 2018.  Add to this Pyongyang’s recent recriminations of the U.S. negotiating posture, and the prospects of Kim adopting a radically new tack seem slim.

Focusing on North Korea’s nuclear-weapons development to the exclusion of other ominous regime objectives neither diminishes the North Korean cyber threat, nor renders it more easily contained.  With the time already won through the ongoing charm offensive, this threat is now even more disquieting, demanding extreme vigilance from the United States and its allies.  As the revenue-generating activities of regime cyberwarriors rapidly gather steam, Kim will almost certainly remain recalcitrant.

Fighting the Next War

The international community made a critical error in reducing the threat posed by the North Korean regime to one of a strictly nuclear nature.  That the Kim dynasty is first and foremost a “nuclear conundrum” remains the prevailing view, underlying the strategic thinking of key policymakers around the world and virtually institutionalizing a preference for diplomacy in addressing the North Korean threat.  Meanwhile, behind a veil of nuclear belligerence, the ruling Kim family has been quietly and painstakingly preparing to fight the next war: a “Secret War” waged not with guns and bullets, but with information and network access.

Former NSA deputy director Chris Inglis describes cyber as a “tailor-made instrument of power” for the North Korean regime, offering a relatively anonymous, low-cost means of both procuring financial resources and threatening foreign public and private-sector infrastructure.   The rapid escalation of malicious North Korean cyber activities over the past decade seems to confirm the utility of hacking operations for the ruling elite, indicating that cyberwarfare has become a core survival tactic of the current regime.

Pyongyang’s cyber program took root decades prior to Kim Jong-un’s rise to power, however.  The experiences and observations of scientists returning to North Korea from abroad in the 1990s sparked a realization within the regime that programming skills could help the domestic economy recover from the ravages of famine, while concomitantly amplifying the regime’s ability to spy on and attack the United States and South Korea (ROK).  This catalyzed the still-continuing process of identifying and recruiting promising talent for specialized education in elite North Korean or Chinese computer-science programs.  Some North Koreans posted to the UN in the mid-1990s even enrolled in New York-based computer-programming courses.

By the time the U.S. invaded Iraq in 2003, Kim Jong-il was ostensibly convinced that information, rather than conventional military power, would define the future of warfare.  He impressed this conviction upon his son, who, after navigating an uncertain transition of power in the early 2010s, found himself armed with an increasingly potent weapon only just beginning to be taken seriously by outside observers.

Surveying an interconnected globalized landscape with an expanded 21st-century understanding of cyberspace, Kim Jong-un came to regard cyber capabilities as more valuable than his father likely ever dreamed possible: a new asset to be leveraged in conjunction with the tools already in the regime’s arsenal.  With support from Offices 39 and 91, he expanded the modest ranks of programmers serving his father’s regime into an army of cyberwarriors perhaps 7,000-10,000 strong (ROK Defense Ministry estimates from early 2015 placed this figure at 6,000).  These hackers have carried out increasingly sophisticated attacks on targets in South Korea and around the globe, graduating from “distributed denial-of-service” (DDoS) assaults in 2009, 2011, and 2013; to the infamous Sony hack in 2014; to sensitive data-collection campaigns in 2016; to socially disruptive attacks in 2017; and, increasingly, to digital bank and cryptocurrency-exchange heists.  Indeed, decades-long investments in the grooming of North Korean talent have given rise to a range of malicious North Korean cyber activities known by authorities in the United States and around the world as “Hidden Cobra.”

The third ruling Kim allegedly believes he now wields a fearsome “all-purpose sword” comprised of offensive cyber capabilities, nuclear weapons, and ballistic missiles: a mighty arsenal to be employed not only as a weapon, but for revenue-generation, harassment, and geopolitical retribution.  His efforts to cultivate a robust cyber army have only just begun to pay real dividends for Pyongyang, yielding the advanced technical capabilities necessary for the regime to shift the focus of its cyber strategy from espionage to money-making.

Cashing In

Cybercrime has emerged as a new means of extending the lifespan of the North Korean regime amid punishing international sanctions, whose deleterious effect on Sino-North Korean trade threatens regime economic security and, in turn, legitimacy.  Current estimates place the value of North Korean cybertheft as high as $1 billion annually, and with continued advancement in North Korean programming and cyberinfiltration skills, this already massive sum is poised to balloon rapidly, providing a financial lifeline for the regime while undermining regional and global stability.

Since 2015, North Korean hackers have hit banks in Mexico, Nepal, the Philippines, Poland, Taiwan, and Vietnam, pulling off an $81-million theft in February 2016 from a Bangladesh Central Bank account managed by the U.S. Federal Reserve.  And though some of these banks managed to protect at least a portion of targeted accounts, security experts are sounding the alarm that with improved North Korean computer skills, Hidden Cobra is becoming broader in scope and increasingly sophisticated, designed to successfully perform critical data-collection and revenue-generating functions.

Indeed, Pyongyang only recently embraced cryptocurrency theft and mining as new preferred mechanisms for raising the hard currency it so desperately needs.  Within the first few months of 2017, North Korean hackers pulled off a $7-million heist from Youbit that ultimately shuttered the platform, in addition to a 3,931 Bitcoin (BTC) theft from Yapizon.  Other online exchanges in East Asia, including Coinis in South Korea and Coincheck in Japan, have suffered similar North Korean attacks of various magnitude and frequency.


Evidence suggests that rather than stopping or slowing in the wake of the historic April meeting between Kim Jong-un and President Moon Jae-in of South Korea, Pyongyang’s cyberassault on the South has gathered momentum.  In the weeks following the inter-Korean dialogue in April (and subsequent talks in May), North Korean hackers struck out at the South in a quest for sensitive information that could help the regime prepare for and control the optics surrounding Kim Jong-un’s June 12 summit with President Trump.  Hidden Cobra actors targeted financial companies and organizations known to focus on North Korea, including an independent think tank and a non-governmental group with a history of sending food and material aid to the DPRK.  The use of spear-phishing emails in this attack allegedly yielded strategic gold for Pyongyang, granting hackers access to information detailing U.S.-ROK expectations and ongoing preparations for the Trump-Kim summit.

Meanwhile, the hundreds of North Korean hackers tasked with infiltrating cryptocurrency exchanges continue to flex their growing muscles.  Over a forty-minute period in the wee hours of Monday, June 11th, 2018, they stole tokens with an estimated value upwards of $36 million from Coinrail, the seventh-largest cryptocurrency exchange in South Korea.  Their successful theft represented roughly thirty percent of the total coin owned by the online service, and news of the breach sent the trading value of Bitcoin into a tailspin, driving the global price down more than seven percent by the time markets closed on Monday.  Then came Bithumb, which had already suffered a July 2017 breach that caused over $1 million in losses.  On Wednesday, June 20, representatives of the Seoul-based cryptocurrency exchange (currently the sixth-largest in the world) revealed that hackers had stolen nearly $31.6 million worth of digital currency overnight, prompting a temporary freeze on withdrawals and deposits.  Fortunately, Bithumb managed to recoup nearly half of its losses by the end of June through a collaborative recovery effort with various worldwide exchanges.


The fact that brazen North Korean cyberattacks on South Korea and other foreign targets have not merely continued unabated but actually accelerated in the weeks since recent meetings with U.S. and ROK leaders belies Kim Jong-un’s repeated allusions to peace, while also suggesting that economic sanctions and the firm messages communicated through direct diplomatic engagement have yet to chasten North Korean leaders.  Instead, hubris appears to remain a prominent feature of Pyongyang’s self-image and worldview.

Kim Jong-il seemingly recognized roughly fifteen years ago that technology was once again transforming the nature of warfare, and the next battle would be surreptitiously waged over information and access.  His son had little choice but to incorporate this conviction into his asymmetrical survival strategy.

While keeping the international community preoccupied with the dangers posed by his ever-improving nuclear arsenal, Kim Jong-un has overseen a thriving network of criminal activity and accelerated the development of robust domestic cyber capabilities.  He now appears confident that he can have his cake and eat it, too: winning time and possible concessions through diplomatic engagement, while quietly ratcheting up a malicious cyberwarfare campaign that is proving increasingly profitable for the regime.

Ultimately, the question is whether the Kim regime recognizes that rebuffing a one-time offer of cooperation from the United States may elicit a devastating response from the Trump administration.  Pyongyang’s diplomatic track record, unceasing activities at major domestic nuclear sites, and continued misbehavior in cyberspace suggest the ruling core has yet to accept the necessity for a dramatic strategic shift.  Events unfortunately seem to be building toward an unsavory breakdown in comity, leaving observers only to wonder how negotiations may founder, and when.

Linnea Logie is an incoming graduate student with the Security Studies Program at Georgetown University.  She is currently an Intern at the Korea Economic Institute of America. The views expressed here are the author’s alone.   

Image from Prachatai’s photostream on flickr Creative Commons.


About The Peninsula

The Peninsula blog is a project of the Korea Economic Institute. It is designed to provide a wide ranging forum for discussion of the foreign policy, economic, and social issues that impact the Korean peninsula. The views expressed on The Peninsula are those of the authors alone, and should not be taken to represent the views of either the editors or the Korea Economic Institute. For questions, comments, or to submit a post to The Peninsula, please contact us at ts@keia.org.