This text was adapted from Future Scenarios: What To Expect From a Nuclear North Korea, an issue paper released by the Asia Society Policy Institute.
After decades of broken promises and failed diplomatic efforts, North Korea has built an arsenal of nuclear weapons and ballistic missiles. Chairman Kim Jong Un has vowed that his nuclear “sword” will never be relinquished and that “denuclearization” comes only with global disarmament.
Would international acceptance of its nuclear status produce better behavior? Not likely. The Kim family business model is extortion; Jong Un, no less ruthless than his father and grandfather, has an unprecedented array of weapons at his disposal. Even if he freezes his entire program, Kim can generate new leverage by threatening to proliferate. North Korea’s history of selling nuclear know-how and its expanding uranium stockpile make that threat credible.
But there is a newer, better weapon of choice for North Korea: cyber.
This high-impact, low-cost, and low-risk digital-age way to steal cash, hack secrets, and terrorize wired nations is increasingly appealing to the regime. An elite corps of highly trained cyber hackers has already stolen hundreds of millions of dollars, blunting the effect of sanctions. Kim has linked cyber with nuclear weapons as another “all-purpose sword” and experimented with cyber attacks against critical overseas infrastructure. The United States and other developed nations are particularly vulnerable to Kim’s next weapon of mass destruction.
The attractions of cyber theft and cyber terror to North Korea are considerable. Cyber attacks can be camouflaged to make attribution uncertain, particularly given the degree to which North Korean hackers are embedded in China or utilize Chinese servers. North Korea’s primitive infrastructure, its national intranet system’s disconnection from the World Wide Web, and a draconian regulation of communications technology all serve to shield it from scrutiny and largely insulate it from cyber retaliation. Developing offensive cyber capabilities does not depend on procurement of difficult-to-obtain specialized equipment, nor is it particularly expensive. And unlike missiles and nukes, cyber is a revenue generator, not a cost center. Cyber allows North Korea to conduct low-intensity but damaging strikes against developed countries with highly computer-dependent infrastructure, with a far lower risk of retaliation than nuclear or missile testing, let alone an armed attack.
North Korea’s elite cyber force, under the control of its military and the Reconnaissance General Bureau, Kim’s clandestine security apparatus, is composed of about 7,000 hackers, extensively trained in specialized domestic programs and, in some cases, trained also in Russia and China. The regime speaks of its disruptive cyber capability in the same terms as its nuclear weapons and ballistic missiles, adding it to the list of Pyongyang’s “all-purpose swords that guarantee our military’s capability to strike relentlessly,” according to a report by the South Korean intelligence service.
North Korean offensive cyber activities seem to align around three apparent goals: intelligence collection; harassment, disruption, and retaliation; and revenue generation through cyber theft.
The cybersecurity firm CrowdStrike has documented frequent North Korean intrusions into government and military systems to steal sensitive information. North Korea hacked the smartphones of South Korean politicians and high-level military officers to intercept messages and phone calls. North Korean hackers in 2016 stole more than 40,000 defense documents including 60 classified files from contractors in South Korea that contained information on F-16 fighters and drones. North Korea is also believed to have stolen a PowerPoint summary of the U.S. military’s top secret war plan “OPLAN 5027,” as reported by South Korean media.
In retaliation for the unflattering comic portrayal of Kim in the movie The Interview, North Korean hackers inflicted significant damage to Sony Pictures in 2014. Other digital attacks include the serious disruption of hospitals in the United Kingdom along with ransom demands to some 300,000 users in 150 countries in the 2018 “WannaCry” episode. In 2013, during a major U.S.-South Korea military exercise and just days after the U.N. Security Council adopted new sanctions following North Korea’s third nuclear test, malware was used to disrupt South Korean banking and public broadcast networks. It took weeks for these systems to recover. Those attacks were followed by large-scale denial-of-service attacks against defector-led media, the South Korean presidential office and other government agencies, along with the deletion of large numbers of banking records. Officials estimate South Korea has incurred more than $650 million in damages from North Korean cyber attacks.
Already, North Korea is targeting financial institutions and cryptocurrency exchanges and manipulating interbank financial systems to raise large sums of money for the North Korean regime, according to the private cybersecurity firm FireEye. Estimates from South Korean monitoring groups range as high as $1 billion per year. A U.N. panel of experts recently reported to the Security Council that Pyongyang has used cyber theft to create a war chest of at least $2 billion including digital currency stolen from cryptocurrency exchanges in South Korea and elsewhere in Asia. In February 2016, North Korean hackers netted $81 million from the Bangladesh Central Bank by hacking the U.S.-based SWIFT system and, but for sloppy grammar, nearly succeeded in stealing as much as $1 billion. In 2017, the same North Korean hacking unit was implicated in the theft of $60 million from a bank in Taiwan and tens of millions more from India and Chile as recently as November 2018. Other attacks have been documented in the United States, Southeast and South Asia, Eastern Europe, South America, and Africa.
The North Korean cyber threat is significant and evolving. North Korean computer scientist and defector Kim Heung Kwang told the BBC that the regime is using cyber attacks to begin demonstrating a cyber war capacity that can destroy civilian infrastructure and inflict large-scale fatalities. As Morgan Wright, a cybersecurity expert, pointed out in an opinion piece for The Hill, “Cyber warfare levels the global playing field in a way nuclear weapons can’t for North Korea. The risk-return calculation for hacking versus nukes is exponentially different.” The U.S. Department of Homeland Security and the Federal Bureau of Investigation revealed malicious attacks against infrastructure in the United States and 17 other countries by “Hidden Cobra,” the U.S. government’s code name for North Korean cyber attacks.
The data security company Rapid7, which publishes the National Exposure Index, rates the United States as the most vulnerable to disruptive cyberattacks in every index. South Korea and Japan are not far behind. Former U.S. Director of National Intelligence Dan Coats warned of the vulnerability of American infrastructure, which he described as “under attack.” Vice President Michael Pence called for a “cyber security moonshot,” warning that adversaries are seeking to infiltrate and shut down American power stations and grids, citing a ransomware attack in 2018 that crippled public services in Atlanta, Georgia. Pre-digital-era infrastructure facilities are often retrofitted with makeshift internet linkages that can easily be compromised. Moreover, 80% of America’s critical infrastructure is privately owned, and the cost of upgrading existing power plants, air traffic control facilities, rail systems, cellphone networks, or dams is unattractive to business. As the internet of things pervades everyday life, particularly in the industrialized West, new interconnectivity provides new opportunities for malicious cyber attacks.
Defense and deterrence are key components of a strategy to undercut North Korea’s ability to extort. To be effective, they require resources, resolve, clarity, and credibility. If enhanced cyber defense can be combined with denial of access to servers outside North Korea, the threat from its cyber attacks and thefts is diminished.
What will matter most in stemming North Korea’s threats and altering its behavior will be restoring and enlarging cooperation between the United States and China. Meaningful pressure can only be brought to bear on North Korea with the active support of China. China cannot be expected to apply significant pressure on North Korea without significant trust in the United States, confidence in a shared approach, and mutual agreement on an overall strategy for the Korean peninsula, if not Northeast Asia as a whole. At the same time, solidarity and coordination between Washington and its allies in Seoul and Tokyo will also be necessary to forge and implement a coercive containment strategy.
Thus, the three interrelated components of an effective strategy of coercive containment will be diplomacy, defense, and deterrence. The fact that these are not new policy elements does not discredit the strategy; it simply underscores the importance of getting each right. Diplomacy is the tool for forging the shared strategic approach that presents North Korea with both seamless international unity and a path toward resolution.
Defense is a tool to blunt North Korea’s ability to use its weapons, including cyber, and therefore reduce Pyongyang’s leverage. And deterrence is a tool for preventing escalation and managing risk. As daunting as the requirements of coercive containment may seem at the present time, the alternatives, war and appeasement, leave us no better choice.