North Korea’s Cyber Capabilities: Deterrence and Stability in a Changing Strategic Environment
In addition to long-standing international concerns about North Korea’s pursuit of nuclear weapons and technology, the US and its regional allies—the Republic of Korea (ROK) and Japan—are increasingly worried about the DPRK’s growing cyber offensive capabilities. A recent HP study detailing North Korea’s electronic warfare capabilities and uses is illustrative of persistent attempts to understand the DPRK’s strategic calculus as a whole or the pecking order of the use of different military instruments—a task increasingly difficult in light of the changing strategic environment. Subsequently, it is becoming more difficult to anticipate North Korea’s responses to certain actions by the West, or to a crisis. While information about the DPRK’s cyber capabilities remains scarce and is based on hard to corroborate defector accounts, it is worth adopting a macro-perspective to analyze the influence of offensive cyber capabilities on North Korea’s broader strategy.
Outlining DPRK Cyber Capabilities
The gamut of tools for waging offensive (or defensive) action in the cyber domain can be broadly classified into two categories: information gathering and disruptive or destructive. The impact of these tools can extend to software and/or hardware, but spillover effects are not limited to the cyber realm. For instance, a distributed denial of service (DDoS) attack that overwhelms and subsequently shuts down the servers of a country’s major bank, or revelations that third parties have gained access to its clients’ information, can cause financial panic, extending the impact of the cyber offensive tools far beyond the damaged machines.
North Korea has been actively pursuing both espionage and disruptive/destructive technologies, investing in education and training of cyber specialists in local and foreign universities since the 1980s. It has also successfully cross-purposed the cyber offensive tools at its disposal, utilizing data collection and system penetration of foreign targets in the public and private sector not only to exfiltrate information, but also to test adversaries’ defenses, detection capabilities and their range of responses. While the prestige associated with demonstrating mastery of increasingly sophisticated cyber offensive technologies seems to have initially appealed to North Korea in a manner comparable to its pursuit of nuclear weapons technology and the status associated with membership in that exclusive club, the DPRK has shifted towards stealthy long-term data collection and sensitive target penetration missions.
Reports in early July 2014 indicate that over the last two years the DPRK has doubled the number of personnel working in its cyber offensive technologies division under the General Reconnaissance Bureau. The North has a number of known units with the two largest believed to be conducting DDoS attacks from Chinese territory.
- Office No. 91 is believed to be the headquarters of the cyber division, and is reportedly based in Pyongyang.
- Unit 121, forms the bulk of the cadre and has the most advanced capabilities. This unit is presumably tasked with disabling command, control and communications structures in the ROK in case of an armed conflict.
- Lab 110, is understood to be responsible for technology reconnaissance and targeting the ROK’s telecommunications infrastructure. This unit was identified as the group of hackers behind the DDoS attacks against the ROK and the US in June 2009.
- Unit 35, the smallest of this task force, is responsible for internal investigations and security functions, but also maintains offensive cyber capabilities.
- Unit 204 is designated for psychological operations and information warfare.
- Offices 31, 32 and 56 form the Command Automation (i.e. hacking) Department under the General Military Staff, and are responsible for developing system penetration programs.
North Korean cyber offensive units are also adept at analyzing malicious codes written and employed by foreign hackers in attacks elsewhere in the world, and integrating parts of that code to advance the DPRK’s cyber capability development. Moreover, a thriving international black market for cyber attack tools exists, facilitated by specialized internet forums where offers abound to sell information identifying vulnerabilities in widely used software that its developers have not yet discovered (aka zero day exploits) for several thousand, or several hundred-thousands of dollars. Such communities can also be used to outsource the advancement of cyber offensive tools, allowing able programmers from anywhere to be recruited for a few thousand dollars. Furthermore, North Korean military and diplomatic personnel stationed abroad reportedly further the nation’s advances by penetrating foreign cyber systems for intelligence or financial gain.
Cyber Dimension of DPRK’s Strategy
Historically, North Korea’s strategic approach has been to brandish its hybrid offensive capabilities and use unexpected offensive bursts as a means of asserting its geopolitical stance as well as responding to external pressures. Over the past decade, Pyongyang has been consistently seeking international recognition as a nuclear weapons state, in addition to its long-standing goal of unification of the Korean peninsula on the North’s terms. The DPRK’s growing cyber offensive capabilities, which Kim Jong Un is reportedly particularly fond of, add a new dimension to its strategy.
Since the mid-2000s, North Korea has pursued the development of asymmetric warfare technologies—including nuclear and missile—in an open manner, regularly parading its latest achievements and demonstrating advancement through tests. The quest has also been observable through open and illicit purchases made internationally, as well as discussions and photographs in the local media. In contrast, the lack of demonstrability of progress and adequate benchmarks to measure the DPRK’s cyber capabilities makes assessments more problematic. Furthermore, lack of awareness of its cyber advances turns each of the North’s attacks into a bolt out of the blue event, with the prospect of such increasingly damaging surprises chipping away at any political goodwill or trust that may be building among the regional counterparts, subsequently detracting from regional stability.
Paradoxically, North Korea might prove increasingly able to cause greater damage by destroying data and equipment through cyber strikes than by launching conventional missile strikes, especially when the likelihood and costs of retaliation are considered. A cyber arsenal offers North Korea a cheaper way of developing global military reach, in contrast to the enormous political costs of its nuclear pursuits, and the price tag attached to WMD technology. In addition, unlike missile systems, the range of which the DPRK has been struggling to extend for years, cyber offensives are by design not limited in range. Moreover, adapting to US reluctance to commit troops to conflict and increasing reliance on forward-deploying advanced military technologies instead, the DPRK could potentially use cyber offensives to disrupt satellite communications or the Global Positioning System (GPS) signals of these forces moving into an armed conflict theater, impeding their ability to maneuver, coordinate and effectively support US regional allies in a confrontation with the North. In addition, Pyongyang would be able to acquire such capabilities faster and with greater functional certainty in the cyber domain than by trying to develop comparable kinetic military technologies. These concerns may not be unique to North Korea’s cyber offensive arsenal, but they seem to carry the most immediacy and potentially greatest impact, being the first such integrated strategic pursuit and carried out by an isolated adversarial regional power aspirant.
The problem extends beyond the increasingly damaging impact of North Korea’s cyber offensives. Once a cyber incident occurs, the difficulty in attributing it to a particular perpetrator is widely recognized, and poses a two-fold risk of escalation. First, there is a risk of involving more parties in a conflict, e.g. if the victim of the attack retaliates against a misidentified attacker or against a group of states allied with a labeled culprit. Second, the challenge of effective retaliation for an attack in the cyber realm, and the abovementioned spillover effects of such attacks outside the cyber domain, mean that retaliation is highly likely to take place outside the cyber realm. The subsequent difficulty in establishing a proportionate response poses a high risk of conflict escalation, for example, by meeting a DDoS attack that shuts down an electric power plant with drone strikes against the presumed perpetrator’s industrial targets. On a related note, in constructing and communicating an effective deterrent stance, in the cyber domain it seems even more problematic to establish red lines not to be crossed and to convey the punishment due for their violation to potential adversaries.
Cyber attacks attributed to North Korea are a rather frequent occurrence, but so far none of these incidents have been met with a direct military or economic response by target states or their allies. Indeed, given the restrained international response to the DPRK’s limited conventional attacks on South Korea in 2010, an incident in the cyber realm can hardly be expected to produce a more forceful (or even equivalent) response, since the applicability of the rules of armed conflict is still under discussion. Significantly, these incidents risk leading North Korea to believe that it can act with increasing impunity without realizing how close it might be inching to the line of conflict. Moreover, North Korea’s reliance on high-end Chinese hardware, and third party internet infrastructure insulates it against potential retaliation in kind, another factor weighing in favor of cyber aggression.
Signaling of advancement and capabilities in the cyber domain—to potentially reduce uncertainty and thus lower tensions among adversaries—is a difficult task even among willing parties. Namely, cyber offensive tools are often designed to attack particular types of customized industrial machines or to make use of a specifically identified loophole in software running on more generic computers. This means that the same cyber offensive tool has a relatively singular use—afterwards, not only the victim, but most other parties observing the attack would fix the highlighted loopholes and the opportunity would be “used up.” Thus, the attacking party has a strong incentive not to reveal its full technological potential through any given incident. At the same time, this muddies the ability of outside observers to assess how far North Korea would be ready to go politically (as opposed to be capable of going technically), in terms of inflicting economic and physical damage.
Implications and Future Challenges
Ironically, the international effort to curb North Korea’s attempts to procure technology and materials for nuclear weapons and missiles is pushing the DPRK to double down on developing cyber offensive capabilities. The current fixation of the international community with strengthening export controls as a primary response to proliferation of sensitive nuclear and missile technologies will do little to affect the spread of cyber weapons, which play an increasingly important role in North Korea’s strategic posture.
According to the head of the Military Cooperation Department in the Strategic Planning Bureau of the ROK Joint Chiefs of Staff, we might already be seeing the first indications of the DPRK’s integrated use of cyber offensive tools and more conventional weapons. Namely, in the controversial sinking of the South Korean navy corvette Cheonan during one of the largest joint US-ROK anti-submarine warfare exercises in 2010, the North Korean torpedo that hit this vessel may have been equipped with a device that disrupted the Cheonan’s GPS signal, impeding its ability to navigate and detect the incoming torpedo. In more comprehensive armed engagement scenarios, the DPRK’s stated four-pronged strategy designates cyber offensives for striking critical infrastructure of its adversaries, while WMD-armed missiles are meant to destroy the allied military bases, conventional forces—to attack the demilitarized zone, and commandos—to take on the rear guard. In addition, in an armed confrontation, the joint operational command and control of US forces in the region and South Korean and/or Japanese defenses would be a likely target of cyber disruptive activities.
Meanwhile, regional powers are increasingly vocal about their perceived need to develop military technologies of their own as a direct response to North Korean ones: South Korea has declared its pursuit for cyber offensive capabilities, while Japan has shown a growing appetite for conventional military technologies, as well as more expansive civilian nuclear technologies. Traditional US security guarantees to these countries, backed by a nuclear arsenal, may increasingly be seen as a less credible threat if the North’s nuclear and missile arsenal continues to grow, but particularly as a likely response to the North’s cyber provocations. In short, a deterrent geared towards thwarting a direct military confrontation may need to be reconsidered in the face of the new realities that spell more frequent hostile interactions in cyberspace. It is important for the US to find new ways to effectively reassure its regional allies—their inclination towards a demonstrably tougher military stance in response to presently growing security concerns seems likely to further the escalation spiral vis à vis the North.
Deterrence relies on the ability of the parties to send and interpret each other’s signals in political, military, economic and other domains. A successful deterrent means the party it is directed at continues to make the decision that launching an offense would be futile, because of the overwhelming retaliation that would follow or because an attack is unlikely to achieve the desired result. North Korea’s systematic cyber offensives against the ROK, Japan and the US—increasingly damaging yet unanswered—indicate a crack in the foundation of their deterrent that may increasingly convince the North that it can act with impunity to further its objectives.
The growing role of cyber offensive capabilities in the DPRK’s arsenal makes its strategic calculus increasingly hard to delineate, and its behavior and responses increasingly difficult to predict. Furthermore, an aspiring power such as North Korea, seeking to change the status quo to its advantage, has an inherently different threat perception and set of security concerns, as well as a different appetite for military adventurism compared to established powers confronting it in an attempt to maintain the present geopolitical balance. Attempts at strategic signaling built around these opposing perspectives and assumptions of underlying threats, escalation and interconnectedness of events across different domains create further potential for miscalculation on both sides. Combined, these factors spell growing regional instability in the absence of open dialogue.
The changing nature of the DPRK’s capabilities and strategic stance dictates a need to re-calibrate the collective defenses of the US and its regional allies. Henceforth, it is important not only to integrate cyber and traditional military forces on the operational level, but also to bridge the gap between the communities of defense policy and technical experts in the cyber field. Synergies between conceptual strategic thought on the future of armed conflict and technical expertise in the rapidly evolving cyber domain can open new avenues better suited to address the emerging challenges discussed in this article. However, such a change in strategic approach necessitates recognizing a broader conceptual scope of problems at hand and accepting the challenges involved in adjusting the analytical lens.