Open-source databases of state-sponsored cyber operations hosted by the Council on Foreign Relations and the Center for Strategic and International Studies show that North Korea remains an active perpetrator of malicious cyber activity. The Republic of Korea’s (ROK’s) National Intelligence Service also reported that the COVID-19 pandemic has not slowed down the North’s cyber operators, with stepped-up operations against the South’s public sector, especially entities related to national security. This makes North Korea’s cyber activity a growing concern for the US-ROK alliance to address, calling for concrete steps to craft and implement a credible and effective cyber deterrence strategy toward the North.
Deterrence is often connected to nuclear weapons and US-Soviet competition during the Cold War, but deterrence theory can be applied beyond that particular situation. Essentially, deterrence can be thought of as influencing the adversary’s decision-making such that the adversary decides not to conduct an action. In practice, the most common conception of how to deter is by threatening unacceptable violence in retaliation for the adversary taking an unwanted action. This is typically known as deterrence by punishment and was the dominant form of deterrence thinking during the Cold War.
The other main conception of how to deter is called deterrence by denial, which was first defined by Glenn Snyder in the 1950s. Jeffrey Knopf wrote, “denial strategies aim to dissuade a potential attacker by convincing them that the effort will not succeed and they will be denied the benefits they hope to obtain.” This shows that deterrence can be thought of as influencing the adversary’s cost-benefit calculus for taking a particular action. Deterrence by punishment dissuades by increasing the costs of acting, and deterrence by denial dissuades by decreasing the benefits of acting. Joseph Nye defined deterrence as “dissuading someone from doing something by making them believe that the costs to them will exceed their expected benefit,” which captures this cost-benefit thinking.
Some scholars, including Snyder, include the provision of rewards for not acting as consistent with deterrence logic. This implies that there are two cost-benefit calculations that can be influenced: One for acting and one for not acting. Thus, the adversary can be deterred by increasing the costs of acting, decreasing the benefits of acting, or increasing the benefits of not acting. It is important to remember that the adversary makes these cost-benefit calculations, so deterrence occurs in the mind of the adversary. Just as crucial as crafting a credible deterrence strategy is effectively signaling the adversary to influence the adversary’s cost-benefit calculation.
From Theory to Practice
The beginning of any deterrence strategy must be clarifying what is to be deterred. Simply stating that all malicious North Korean cyber activity is to be deterred is too broad and unrealistic. The history of the alliance shows that deterring low-level kinetic attacks by North Korea is more challenging than deterring strategic attacks, and a parallel can be drawn in the cyber domain. Article II of the US-ROK Mutual Defense Treaty of 1953 also makes this distinction by stating the alliance will focus on deterring external attacks that threaten the “political independence or security” of either ally. Thus, the alliance should focus on deterring North Korean cyber operations that could threaten South Korea’s security.
This is not to say that South Korea must just accept lower-level North Korean cyber operations, but the focus of a deterrence strategy should be on strategic-level cyber attacks. As with lower-level kinetic attacks, deterrence can be one of the tools used in combination with defensive and offensive tools to counter lower-level North Korean cyber operations. But, similar to nuclear or other strategic-level kinetic attacks, deterrence should be the main tool used to counter strategic-level cyber attacks because such attacks threaten the “political independence or security” of the target country. Therefore, the alliance must signal a credible deterrence strategy to prevent North Korean cyber operations that could have strategic effects on South Korea.
Declaring an intention to deter strategic-level cyber attacks may still be too vague, so further clarity on what constitutes a cyber attack that could have strategic effects is necessary. Much known North Korean cyber activity has been intended to generate revenue for the regime, gather intelligence or steal intellectual property or cause some low-level disruption to South Korean public or private institutions, which do not fit a conception of strategic attack. But North Korean hacking of South Korean nuclear entities and Ministry of National Defense systems are examples of cyber operations that could produce strategic effects and that the alliance should posture to deter in the future, although those attacks arguably did not produce strategic effects on their own. Uncertainty regarding the impact of individual cyber operations is a significant issue that the alliance will have to grapple with when making a cyber deterrence strategy.
Building a Cyber Deterrence Strategy
The allies have given some indications as to what they consider most important for cyber security, and which provide a starting point for what they consider strategic-level cyber attacks. The joint communique issued after last year’s US-ROK Security Consultative Meeting (SCM) between the respective ministers of defense cited needing to bolster cyber security for “critical infrastructure, including information and space systems.” Critical infrastructure here could be expanded to include civilian critical infrastructure, such as energy and public health infrastructure, and military infrastructure, such as command, control, communications, computers, intelligence, surveillance and reconnaissance (C4ISR), early warning systems, and other systems essential for network-centric warfare. Cyber operations on these systems could have strategic effects on their own or enable follow-on attacks that have strategic effects, and the alliance should take the following steps to establish a credible cyber deterrence strategy to prevent strategic-level attacks on South Korea.
First, the allies must move beyond vague statements like those in the SCM joint communiques and clearly state that cyber deterrence is part of the overall alliance deterrence strategy and that cyber threats are covered by the Mutual Defense Treaty. The United States and North Atlantic Treaty Organization (NATO) allies took this step in 2014 when they declared that cyber attacks could threaten national and Euro-Atlantic security and that cyber attacks could lead to an invocation of Article 5 in the Washington Treaty, calling for collective defense actions in response. The NATO allies have since made “cyber security, defense, and deterrence” an unambiguous part of NATO’s core tasks and implemented the steps to make this a reality. Washington and Seoul should take similar steps to place cyber deterrence as a core function of the US-ROK alliance, which would send an unambiguous signal to Pyongyang. The United States should explicitly say that cyber capabilities will be included in its extended deterrence to South Korea, in addition to US nuclear, conventional and missile defense capabilities.
Second, a cyber deterrence strategy should be formulated and integrated into the alliance’s Tailored Deterrence Strategy that was established in 2013 to address North Korea’s strategic and asymmetric capabilities. In addition to defining what is to be deterred, a joint cyber deterrence strategy should also address the methods to deter threatening North Korean cyber activities and clarify roles for the United States and South Korea. Unlike in the nuclear domain, both the United States and South Korea have significant, whole-of-government capabilities that can be used for cyber deterrence, but the allies must agree to principles on how they want to deter cyber threats. A combination of deterrence by punishment and by denial, similar to the layered cyber deterrence concept developed by the US Cyberspace Solarium Commission, likely is necessary to effectively deter North Korean cyber threats.
Third, a more robust combined cyber defense unit under the Combined Forces Command should be formed and empowered to dynamically deter, defend and respond to North Korean cyber attacks. This would build on existing cooperative mechanisms in the cyber domain that have been established between various US and South Korean government agencies, and a combined cyber defense unit would help the allies coordinate on two key concepts being employed by US Cyber Command: defend forward and persistent engagement.
Taken together, the two concepts call for US cyber operators to constantly engage with adversaries on both US and non-US networks, including those operated by adversaries and allies, to influence adversary behavior and provide security for US and allied networks. While deterring cyber attacks that produce strategic effects should be the focus, employing persistent engagement to address lower-level attacks could reduce the scope, scale and frequency of such attacks. But pursuing defend forward and persistent engagement against North Korea must be done in close coordination with South Korea to reduce potential friction, misaligned expectations and unintended escalation within the alliance.
Fourth, the allies must improve their understanding of North Korea’s tactical, operational and strategic goals in the cyber domain and how Pyongyang envisions exploiting the cyber domain to achieve overall strategic goals. This is critical whether the allies choose to employ deterrence by denial, punishment or a combination of both. Generally, strong cyber security practices could produce some deterrence by denial effects on North Korea, but tailoring denial to North Korean cyber capabilities and operations would be more effective over time if North Korean cyber operations are repeatedly denied. Deterrence by punishment, either in-domain or cross-domain, could be effective only if the allies understand what Pyongyang would consider as imposing unacceptable costs. And could some sort of positive inducements be given to deter North Korea by increasing the benefits of not conducting malicious cyber activity?
Finally, a joint cyber deterrence strategy can deter only if its creation and implementation are properly signaled to North Korea. While classification concerns remain a challenge in the cyber domain, Washington and Seoul must signal their joint resolve to deter Pyongyang’s cyber operations and not let the cyber domain become a wedge issue in the alliance. Again, NATO can be used as an example with that alliance’s purposeful ambiguity regarding deterrence thresholds and collective responses to cyber attacks, so NATO attempts to both clearly signal collective will to deter and introduce doubt into an adversary’s mind regarding thresholds and responses. Public statements and strategy documents, combined exercises to demonstrate denial and punishment capabilities and intentions, and allied resolve to continually update and implement a deterrence strategy are all ways that North Korea can be signaled.
One of the trickiest issues that the allies will have to grapple with when crafting this cyber deterrence strategy is North Korea’s information campaigns against South Korea. North Korea has long conducted information campaigns aimed at influencing South Korean society and politics and has shifted much of this activity to the cyber domain, including via social media. Over time, such information campaigns could produce strategic effects by influencing South Korean elections, inter-Korean relations or relations with the United States. Whether deterrence is the appropriate tool to counter such actions and whether the United States is an appropriate actor to counter are both questions that the allies will have to deal with.
North Korea’s malicious cyber activity presents a significant challenge for the US-ROK alliance, but the alliance has successfully deterred a strategic attack from North Korea for nearly 70 years. The allies should build on this history of deterrence cooperation by more actively formulating a cyber deterrence strategy. For South Korea, this would bolster its core asymmetric advantage over North Korea and the overall alliance with the United States. It would also position Seoul as an ideal partner for Washington to defend forward against Pyongyang’s cyber threats. Taking the steps outlined here would let the allies reseize the advantage in the cyber domain and better position themselves to deter future North Korean cyber threats.
Opinions, conclusions, and recommendations expressed or implied within are solely those of the author and do not necessarily represent the views of the Air University, the United States Air Force, the Department of Defense, or any other US government agency.