By Terrence Matsuo

One of the newest areas in national security is cyber policy. Policymakers in the United States and South Korea have outlined its importance and identified areas of concern such as North Korea’s cyber activities. But there remain important questions for the alliance to answer.

Both American and Korean strategy documents highlight the importance of cybersecurity to national defense. In the national security strategy released by the Trump administration in 2017, the U.S. government notes that “cyberspace offers states and non-state actors the ability to wage campaigns against American political, economic, and security interests without ever physically crossing our borders.” The administration adds that “cyberattacks have become a key feature of modern conflict,” in order for states to project influence and defend their interests.

Similarly, the most recent South Korean Ministry of National Defense white paper notes that “cyberattacks constitute another serious type of transnational threat.” It lists the WannaCry and NotPetya attacks of 2017, and attack on a Turkish cryptocurrency exchange in 2018 as examples of these kinds of incidents. “Many countries around the world are accelerating efforts to develop a strategy for responding to cyber-threats,” it observes.

Although the U.S. and South Korea share similar views of the threat posed by cyberattacks, there are certain ambiguities that must be addressed. In particular is the question of a North Korean cyberattack on either side, and what would be the appropriate response. “North Korea is a cyber superpower,” says Lt. Gen. Chun In-Bum, a retired member of the South Korean military. “North Korea’s ability and intent to harm and cripple the United States and South Korea should not be taken lightly.”

But although these policy documents identify the threat from North Korea, other documents need to be updated or clarified. Entering into force in 1953, it is not surprising that the mutual defense treaty that outlines the U.S.-ROK alliance offers little perspective on cybersecurity. Article III of the treaty says that an “armed attack” on territory under either American or Korean jurisdiction “would be dangerous to its own peace and safety,” and that both “would act to meet the common danger in accordance with its constitutional processes.”

Experts have varying views on what kind of response was appropriate for a cyberattack from North Korea. Lt. Gen. Chun said that a response would be conditioned by the damage it inflicted. “If it is just a lot of money, I don’t see the Defense Treaty being invoked,” he said in an email. But he also said: “If a cyberattack causes loss of life that’s a different matter, especially if it is a lot of people.” Col. David Maxwell is a retired member of the U.S. military now working as an analyst at the Foundation for Defense of Democracies. During a livestreamed event held by KEI, he observed that “if you take down [the] infrastructure of Seoul, or New York City, or Washington, DC, you are going to create tremendous problems for the citizens in those countries.”

Other experts are pessimistic that the alliance would have a unified position, much less reaction. Joshua Stanton is an analyst of issues on the Korean Peninsula. In an email, he said that in the event of a North Korean cyberattack, “the government in Seoul would be paralyzed by doubt and hesitation, the alliance would be paralyzed by mutual distrust, and Washington would be paralyzed by Trump’s isolationist impulses, his broader antipathy toward South Korea, and his election-year interest in claiming a diplomatic success through his summits with Kim.”

Mr. Stanton warns: “In all likelihood…Kim probably calculates that there would be no response all. The implications for deterrence are obvious.”

Thus it is critical that American and Korean officials determine how the alliance will handle threats in the cyber domain. The foreign ministries of the U.S. and South Korea have held a series of meetings focused specifically on cyber policy issues. The first round of talks were held in 2012, between Song Bong-heon, Ambassador for International Security Affairs, and Christopher Painter, Coordinator for Cyber Issues. Citing South Korean officials, Yonhap reported at the time that the two officials discussed “ways to strengthen bilateral cooperation for protecting critical government infrastructure and enhancing online security.”

The talks have been held biannually since, with the most recent being in 2018. According to a readout from the State Department, Robert Strayer, Deputy Assistant Secretary for Cyber and International Communications and Information Policy met with Ambassador Moon Duk-ho, a successor to Ambassador Song. Both officials led delegations that included representatives from other ministries and agencies related to security and diplomacy from their respective governments. In addition to defending government infrastructure from cyberattacks, they also discussed capacity building, information sharing, and military-to-military cyber cooperation, in addition to other topics.

Unlike their diplomatic counterparts, there have been no meetings focused solely on issues in the cyber domain. But public statements do indicate there is an awareness on the need for greater cooperation in this area. The 51^st US-ROK Security Consultative Meeting was held in November of last year and included American Secretary of Defense Mark Esper and South Korean Minister of National Defense Jeong Kyeong Doo. In a joint statement released after the meeting, both sides “committed to maintain close communication and coordination in the cyber domain, including sharing trends of cyber threats as well as corresponding policy changes in their respective nations and discussing common issues of interest.”

In some instances the U.S. has clarified its obligations under alliance treaties with regards to a cyberattack. Bruce Klingner, an analyst for the Heritage Foundation, points to the U.S.-Japan Security Consultative Meeting of 2019 as being one example. Secretary of State Pompeo and Acting Secretary of Defense Shanahan met with Minister for Foreign Affairs Kono, and Minister of Defense Iwaya in Washington. A joint statement released after the meeting said: “The Ministers affirmed that international law applies in cyberspace and that a cyberattack could, in certain circumstances, constitute an armed attack for the purposes of Article V of the U.S.-Japan Security Treaty.”

It is not clear if or when American and Korean officials will meet to discuss these issues. The negotiations over burdensharing, and the coronavirus pandemic have weighed heavily on both bilateral relations and international meetings in general. However, experts are optimistic that talks are likely to be held despite these pressures. Mr. Klingner said that the U.S.-ROK Security Consultative Meeting is usually held in the fall, and Col. Maxwell said that a meeting could be held virtually, as many other international summits are held this year.

As cybersecurity remains an unexplored topic for policymakers in both the U.S. and South Korea, further discussions between both governments is imperative. According to Jenny Town, the Deputy Director of 38 North, the public record clearly demonstrates that Pyongyang is looking to use cyber operations to further its national interest, whether it’s electronic robbery or for intelligence gathering. “North Korea’s cyber capabilities have really improved in recent years, and their confidence seems to be growing as well,” she said.

Terrence Matsuo is a writer and analyst of American foreign policy in the Indo-Pacific region and a Contributing Author for The Peninsula. The views expressed here are the author’s alone.

Image from Markus Spiske’s photostream on flickr Creative Commons.

This briefing comes from Korea View, a weekly newsletter published by the Korea Economic Institute. Korea View aims to cover developments that reveal trends on the Korean Peninsula but receive little attention in the United States. If you would like to sign up, please find the online form here.

What Happened

• An investigation into a recent cybersex crime case revealed that social service agents had unsanctioned access to personal information through other public officials’ IDs.
• There were also several cases of public officials leaking COVID-19 patients’ personal information without their permission.
• On March 11, National Assembly Research Service reported that Korea ranked among the top 10 countries in the “E-Government Development Index” and “E-participation Index,” while its ranking in the “Cybersecurity Index” did not reach the same heights.
• The government plans to enhance its digital infrastructure, adopting cloud storage, and promoting greater data integration.

Implications: While South Korea is a leader in e-governance, its cybersecurity infrastructure appears less prepared to protect citizens’ personal data. This has elicited worries because the government plans to pursue more expansive data integration in preparation for future national crises. The problem stems from the lack of protocol and careless practices of public officials. An investigation into the handling of a recent high-profile criminal case revealed that public officials had often delegated their authority illegally. Agencies that were implicated in this investigation announced that they will strengthen oversight and disciplinary measures, but more comprehensive reforms are also needed to better protect personal data.

Context: Concerns around data privacy are not new in South Korea. An investigation in 2018 found that the number of cases involving the misuse of personal information by public officials had increased over the previous 5 years. The government had pushed for data integration to improve administrative efficiency, but had provided government officials with too much access to personal information. Moreover, weak and rare disciplinary actions against public officials exacerbated these lapses in data protection.

Korea View was edited by Yong Kwon with the help of Gordon Henning, Soojin Hwang, Hyungim Jang, and Ingyeong Park.

From user Andrew on Flickr

By Jenna Gibson

Earlier this month, three U.S. senators took on North Korea (DPRK) by introducing a broad sanctions bill aimed at addressing concerns about cyberwarfare and the North’s continued nuclear ambitions. Known as the North Korean Sanctions and Policy Enhancement Act (S. 2144), this bill would codify the sanctions put in place by presidential Executive Orders after previous North Korean provocations, including the Sony hacking incident last year, and impose additional sanctions on the North, including penalizing any financial institution that conducts business with the DPRK. S. 2144 mirrors many of the provisions in a similar North Korea sanctions bill (H.R. 757) that passed the Foreign Affairs Committee of the U.S. House of Representatives last February. But while these bills are sold as a response to cyber and nuclear provocations from the North, the Senate and House versions also contain additional steps to address the issue of human rights and accountability in the DPRK, building on the previously enacted North Korean Human Rights Act of 2004.

Along with its enhanced sanctions provisions, Title III of this the new bill asks for concrete plans on how the U.S. Government can more effectively promote human rights in North Korea. If passed, the president would be required to submit a classified report to Congress on how to make “unrestricted, unmonitored, and inexpensive electronic mass communications available to the people of North Korea.”  In addition, the bill requires the State Department to submit another report to Congress to delineate a strategy on how to “promote international awareness of the human rights situation in North Korea.”

Further, S. 2144 takes on the issue of forced overseas labor of North Korean citizens. Interestingly, this is one of the few sections unique to the Senate bill – perhaps as a result of the increased attention put on this subject since the House bill passed committee in February. In fact, this issue was the subject of a program KEI hosted earlier this year in collaboration with the Database Center for Human Rights in North Korea, which raised awareness about the plight of North Koreans sent abroad in to work in terrible conditions to raise money for the Kim regime. To address the issue, the Senate bill would require an annual report that includes a list of countries that forcibly repatriate North Korean refugees,  a list of countries where North Korean laborers work, and a diplomatic strategy to end repatriation of North Korean refugees and forced labor and slavery of North Koreans overseas.

One other difference between S. 2144 and H.R. 757 is that the Senate bill creates a North Korea Enforcement and Human Rights fund, which would take fines for violating sanctions and redirect the money toward human rights promotion, such as radio broadcasting into the DPRK.

Public understanding of the North Korean human rights issue has risen exponentially since the release of the United Nation’s Commission of Inquiry report in February 2014. Up until that point, in the mind of the general public, the DPRK was a strange, mysterious place where bad things probably happen. The COI report, with its thorough and detailed descriptions of exactly what the Kim regime has done to the people of North Korea, changed all that, and has allowed a discussion of North Korean human rights to make its way into the media in an unprecedented way. In a similar way, producing official documentation and creating concrete strategies to combat the gross human rights violations occurring within North Korea and in countries where North Korean forced laborers work could keep this important issue in the news, and hopefully up the pressure on this regime to make some changes.

One word of caution, however – these new reports must stick to the facts and not become hyperbolic in order to be viewed as credible in the eyes of the global community. The harsh truth about North Korea’s deplorable human rights violations is already so startling that there is no need to exaggerate.  This has been a problem for some North Korean defectors who reportedly feel pressured to attract more attention by exaggerating their harrowing escape stories.

If done correctly, these new American publications could serve a similar function as the COI report. The State Department’s annual Human Rights Report and International Religious Freedom Report are the gold standard for tracking these issues around the world, and should serve as models for this new North Korea-focused report. Similar to the COI report, the annual release of these State Department reports garners a lot of attention from foreign governments and from the general public. While these bills have not become law yet, Title III of H.R. 757 and S. 2144 legislation could be one of the few items that can easily pass Congress because of the commonality between the two bills, and this provision would not be viewed as objectionable by the Executive Branch. Hopefully, this provision will be signed into law and this new publication can become a similarly authoritative source that will keep the discussion going about this important issue.

Jenna Gibson is the Associate Director for Communication Technology and Programs at the Korea Economic Institute of America. The views expressed here are the author’s alone.

Photo from Phil Roeder’s photostream on flickr Creative Commons.