A Washington, D.C.-based think tank released one of the only English open-source reports on North Korean cyber strategy on Jan. 26.
Focusing on explaining North Korea’s cyber strategy and how it fits into the country’s larger counter U.S. and South Korea strategy, a Center for Strategic and International Studies (CSIS) report analyzes North Korea’s likely strategy, cyber organizations, and future threats. It also recommends policy options for the United States to better counter North Korean strategy and provocations.
Highlighting North Korea (officially called the Democratic People’s Republic of Korea, DPRK) has historically relied on asymmetric and irregular means in peacetime and wartime to counter U.S. and South Korean conventional military strength on the Korean peninsula, “Cyber capabilities provide another means of exploiting U.S. and ROK [Republic of Korea, South Korea] vulnerabilities at relatively low intensity while minimizing risk of retaliation or escalation,” the CSIS report, North Korea’s Cyber Operations, Strategy and Responses, said.
The 100-page report is the result of a year-long study to better understand North Korea’s cyber behavior, while few similar open-source resources exist.
“The work of our cyber team on this project has drawn notable attention and praise from colleagues in the U.S. government, Capitol Hill, and the private sector; we are glad that the report has been helpful to them,” Victor Cha, CSIS Korea Chair and co-director of the project, said in a statement.
“Only by examining the historical, strategic, and organizational context in which incidents such as the Sony hack occurred can we understand North Korea’s motivations and future activities in cyberspace. The authors hope this report serves as a common base among those in policy, industry, academia, and the public for further debate on responding to North Korea’s cyber threat,” primary author Jenny Jun added.
North Korea sees cyber operations as a relatively low-cost and low-risk way of targeting the vulnerabilities of the United States and South Korea, which heavily rely on cyberspace for national and military activity. Disruptive or destructive cyber attacks then become a kind of direct power projection, especially against the United States, without the complexities of a physical attack, CSIS said.
The report notes cyber capabilities are also an effective way to disrupt or neutralize the benefits of the United States and South Korean networked military model. Difficulties in attribution and a lack of established norms make it hard for attack targets to explain boundaries of behavior or credibly threaten retaliation.
CSIS goes into detailed examples how North Korea’s current peacetime strategy is to initiate low-intensity unconventional operations to disrupt the status quo without escalating hostilities to a level the DPRK cannot control and win. If war did break out, the DPRK’s strategy would then switch “to launch extensive irregular operations that exploit U.S. and ROK vulnerabilities and support its regular military operations.”
North Korean asymmetric methods have previously included commando raids, assassination attempts, kidnappings, bombings, attacks on military vessels, submarine infiltrations, building tunnels under the demilitarized zone (DMZ), and the pursuit of nuclear weapons with ballistic missile vehicles.
In this category, “cyber capabilities offer one of the best investments for an isolated state that is looking for the capability to coerce, compel, harass, spy, and raise capital through legal and illicit means,” the report said.
This strategy is unlikely to change because as long as the Korean peninsula is locked in a stalemate while South Korea and the United States have conventional superiority, “and the DPRK still aims to undermine the ROK, the DPRK will be motivated to diversify its arsenal of asymmetric and unconventional weapons,” the report said.
The authors highlight the asymmetric strategy emanates from two traditions tied to two separate government institutions in North Korea: the peacetime use of disruptive provocations and the disruption of opposing conventional operations. Although the traditions model well with cyber capabilities, “these traditions are operational or strategic concepts that existed before cyber capabilities.”
The Korean People’s Army (KPA) General Staff Department (GSD) oversees military operations and conducts operational planning to ensure army readiness in case of war. The GSD, focusing on disrupting its opponent’s conventional operations, is not tied closely to cyber provocations, but it may prepare in disruptive attacks and operations in support of conventional military operations.
In contrast, the North Korean army’s Reconnaissance General Bureau (RGB), the main intelligence and clandestine operations office, is associated with most peacetime coercive/disruptive efforts including cyber attacks.
The report says with this strategy and organization understanding that without restraints the DPRK will continue to conduct cyber operations, either continuing current low-intensity operations or escalating to higher-intensity attacks that may approach the use of force threshold.
Although the lower intensity options are more probable because they are less likely to provoke an escalatory response, “planners should prepare for scenarios of spikes in intensity based on a history of unexpected provocations by North Korea,” the report said. North Korea may also deepen its integration of cyber capabilities with conventional military force to use in military operations.
CSIS then illustrated a worst-case future cyber scenario: North Korea, emboldened by successful cyber attacks or miscalculation, pursues more damaging cyber operations against the United States or South Korea. These actions “may risk leading to an escalated scenario outside the control of any parties involved.”
The think tank said recommendations to deal with these continuing threats in terms of four main policy objectives: prepare a graduated series of direct responses targeting North Korea’s cyber operations, curb North Korea’s operational freedom in cyberspace, identify and leverage North Korea’s vulnerabilities to maintain strategic balance, and adopt damage mitigation and resiliency measures to ensure critical systems and networks maintain operational continuity during and following an attack.
Specifically, the report recommends the United States establish declaratory policies on the range of countermeasures for low-intensity cyber attacks as wrongful international acts, implement sanctions against specific DPRK individuals or entities engaging in cyber attacks that pose a threat to national security, promote strengthening international legal measures and norms of behaviors of state behavior in cyberspace to form a basis for assigning culpability to North Korea, and promote international cooperation in response to DPRK provocations.
CSIS also recommends specific actions by the U.S.-South Korean alliance: prepare various contingency plans and response options with South Korea, identify and leverage DPRK, assess cyber effects on the strategic balance on the Korean peninsula, mitigate alliance network vulnerabilities, encourage information sharing outside of government entities, engage in regional confidence measures and confidence building regarding cyber issues, and further entrench international norms and standards in cyberspace.
In addition to Jun, Scott LaFoy and Ethan Sohn are authors of the report. The project directors are Victor Cha and James Lewis.