The heightened tension over North Korea’s missile and nuclear weapons programs, combined with growing DPRK cyber capabilities and their use for coercion or theft, has led some to conclude that the North may launch cyber-attacks against US critical infrastructure, perhaps with catastrophic result. We can best assess this risk by placing it in a larger strategic context, and in this context, a major cyber-attack by the North is unlikely.
Several assumptions guide this assessment. First, the primary objective of the North Korean state and the Kim family is regime survival. Someone who is worshipped as a god-king by millions, controls immense personal wealth, and has unchecked power will be loath to put this at risk. Second, North Korea is willing to use provocations, including low level attacks, as part of its diplomatic repertoire, but attempts to calculate the limits of what it can do without provoking major conflict. Finally, while North Korean decision-making on the use of cyber actions is murky, it is likely that all major programs or actions require Kim’s approval.
North Korea is both cautious and cunning in its use of force, including cyber-attacks. It is willing to take provocative actions that flout international law and norms, but these have been limited in scope and effect, intended to shape and advance North Korea’s diplomatic agenda vis-à-vis the ROK and the US. These actions also serve to reinforce the regime’s narrative among its domestic population of a North confronting an evil hegemon who is powerless against heroic resistance. Its policy goals, in addition to regime survival, are to create political conditions that would cause the US to leave the peninsula and end its security commitment to the ROK, disrupt the US-Japan alliance, and improve its position in the region. It uses threats and provocative actions not to destroy opponents, but to manipulate opinion among ROK and Japanese leaders on the utility of alliance with the US and the benefits of concessions to the North.
North Korean cyber capabilities, while improving, still have not reached the level that would allow them to duplicate the effect produced by Stuxnet or the Russian attack on a Ukrainian power facility. The DPRK can disrupt data and services using variants of malware available on the cybercrime black market and could likely produce a result similar to the Iranian attack against Aramco (and there may be a link between the DPRK and Iran in developing cyber capabilities). The North has been successful only against poorly protected targets, of which there are many, suggesting that there is a relatively low ceiling for its cyber-attack capabilities.
In general, it is not in the North’s interest to start a war with the US, since the Kim regime would not survive. The DPRK’s nuclear program is driven by fears of regime change, and Kim does not wish to share the fate of Saddam Hussein or Muammar Gaddafi, dragged from their hiding places and killed. The North will use violent rhetoric and low-level provocations to shape US and ROK policies and to advance its policy goals while seeking to use nuclear threats to deter a US attack on North Korea.
North Korean cyber-attacks against targets, like US military forces, would not degrade US retaliatory capabilities sufficiently to ensure regime survival. Attacks on critical infrastructure in the US would also not degrade US military capabilities. A major cyber-attack by the North on civilian targets in the American homeland would likely be interpreted by the US as justifying a violent response. In no instance would a major cyber-attack against the US leave North Korea better off militarily or increase its chances of survival.
The North does engage in cyber reconnaissance, and there is an extensive discussion of how espionage and reconnaissance could be the precursor to attack. However, reconnaissance itself is not indicative of attack preparations unless it is accompanied by an increased tempo of reconnaissance activities and changes in military posture and readiness level. To date, the North has not miscalculated how much it can get away with in its provocations and it is hard to see why this would change, absent some extreme situation, to a point where a suicidal attack would make sense.
The North’s isolation and ideology increase the risk that it could miscalculate how much it could get away with in a provocative action against the US, but the risk of miscalculation is counterbalanced by the North’s assessment of US capabilities (including its ability to attribute the source of an attack) and intentions. The Sony incident shocked the DPRK when it discovered that it was not invisible in cyberspace. The current US administration is more volatile than its predecessor, and this provides a degree of protection.
In extremis, if regime survival was in jeopardy, the North might be tempted to try a major cyber-attack against civilian infrastructure, but this calculation would be shaped by the expectations of Korean leaders on how this would affect the condition of conflict termination. Using major cyber-attacks to improve the conditions of conflict termination to make them more favorable to the North would be a desperate strategy and the effect of a cyber-attack against the US might be to worsen the terms of conflict termination rather than improve them. In any case, in extremis attacks would only occur after major armed conflict had begun.
The alternative scenario postulates that North Korea is a crazed opponent eager to attack the US and possessing destructive cyber capabilities. This is cartoonish and not supported by the North’s pattern of behavior since Kim Jong Un assumed power. Cyber-attack is not sui generis, but another tool for a state to advance its larger strategic interests, and it is in this strategic context that we are best able to assess the risk of catastrophic North Korean cyber-attacks.
Before the recent rapprochement with the ROK, the North might have been tempted to increase its use of provocative cyber actions, similar to the cyber actions we have seen in the past that stayed well below the threshold of catastrophe or significant damage. The acquisition of nuclear weapons and missiles has persuaded Kim, judging from his New Year’s speech, that he can deter the US, creating a space for cyber incidents where the North can act without fear of retaliation. In the absence of compelling penalties for low-level cyber action, there may be even less reason for the North not to hack when it seems useful. Provocations to advance North Korea’s international goals of damaging US alliance relations with the ROK and with Japan are less risky under Kim’s nascent nuclear umbrella, but probably also less appealing as long as the rapprochement lasts.
A few states have used cyber-attacks, and from this experience we can identify factors that shape their decisions to do so. Decisions by states to launch cyber-attacks are made in the context of that state’s larger strategies and goals. The attacker will consider the likely reaction of the victim, the ability to avoid or control escalation, the confidence in the covertness of the action, and the political and military benefit of an attack. These political factors mean that cyber tools will be used on occasions when it makes sense, which will be almost always for espionage, almost never for attack.
See, for example, https://www.nbcnews.com/news/north-korea/u-s-worried-north-korea-will-unleash-cyberattacks-n790831, http://www.cnn.com/2017/10/11/asia/north-korea-technological-capabilities/index.html, https://www.express.co.uk/news/world/878790/North-Korea-Kim-Jong-un-NHS-UK-cyber-attack-World-War-3-USA-Britain-health-ISIS-terror, or http://www.news.com.au/technology/online/hacking/north-korea-cyber-attack-capabilities-what-could-kim-jongun-do/news-story/1d7d7dbcd0ee18201eee6101160e7c0f
This is an excerpt from a larger project supported by the Smith Richardson Foundation to re-examine cybersecurity.
See “Aramco Says Cyberattack Was Aimed at Production,” Reuters, December 9, 2012, http://www.nytimes.com/2012/12/10/business/global/saudi-aramco-says-hackers-took-aim-at-its-production.html; and Jose Pagliery, “The inside story of the biggest hack in history,” CNN, August 5, 2015, http://money.cnn.com/2015/08/05/technology/aramco-hack/index.html.