A theme of our recent analysis of Kim Jong Un’s behavior is that he may be more cautious than it appears. “Provocations” have not cost lives or destroyed property, as the sinking of the Cheonan and shelling of Yeonpyeong Island did in 2010. Rather, they have included nuclear tests on North Korean soil and missile tests that approach or fly over, but do not strike, neighbors; in a pored-over press availability in mid-September, Secretary Mattis made this point very clearly as well.
Yet cyber may provide another front in the contest of wills, and one with somewhat similar properties: signaling North Korean resolve and even doing damage, but below the threshold that would invite a kinetic response. Some cyberattacks also carry a second motive, raising revenue in the face of a tightening sanctions regime. The question: will the US and its allies now respond in kind? The answer appears to be "yes."
Prior to the passage of the most recent UN Security Council resolution, the North Koreans, of course, promised consequences. As always, the question was whether this was signal or noise. An Asahi story that got widely picked up claimed that Kim Jong Un had ordered the Reconnaissance General Bureau (RGB) to prepare cyberattacks on the US, Japan and South Korea: on military entities, administrative agencies, nuclear power plants and banks. A former North Korean cyber agent interviewed for the story claimed that while denial-of-service attacks were favored in the past, the RGB was now working on malware and outright theft as well. This claim is certainly credible given the attributions to North Korea of the December 2014 Sony hack, the Bangladesh Bank heist, and the WannaCry ransomware episode.
One particular set of actions that caught the attention of FireEye was North Korean hacking of Bitcoin exchanges. FireEye reported that since May of this year there has been a succession of spearphishing campaigns by North Korean actors targeting three South Korean cryptocurrency exchanges; last week, this story was confirmed by South Korean police. Palo Alto Networks picked up another spearphishing campaign of interest, and while they did not explicitly say "North Korea," the inference was drawn by others (see CyberScoop here). The North Koreans are clearly on this.
Are cyber responses from the US in the works, or does cyber provide instruments for cross-domain deterrence? According to The Washington Post, the Trump administration had already signed off on a pressure strategy following its policy review in March that included a cyber component. In particular, the article reports that Cybercom undertook distributed denial of service attacks against the Reconnaissance General Bureau, effectively knocking North Korean servers offline; the story even reports North Korean complaints about the service interruption.
Beyond such efforts, the Mattis press availability referenced above also raised speculation about left-of-launch capabilities, particularly Mattis’ response to a question suggesting that the United States had military options that would not place Seoul at risk. In general, it has been North Korea that has benefitted from the stability-instability paradox: the ability to calibrate provocations so they fly underneath the level that generates a kinetic response. But does cyber generate parallel capabilities for the US: responses that would do damage but put the risk of escalation on Pyongyang?
Finally, an interesting story shows how North Korean cyber capabilities will depend on the weak-link problem that plagues all sanctions regimes. A well-done story at 38North by Martyn Williams suggests how Russia may play a spoiler role with respect to containing North Korean cyber capabilities. Up until recently, North Korean internet connections mostly ran through a single China Unicom link established in 2010. Just after the purported US DDoS attack, a second connection started appearing in internet routing tables, provided by a Russian firm called TransTeleCom. A second transit path gives the DPRK more bandwidth and, more importantly, resilience: flooding or cutting the China Unicom link no longer takes the country offline, which makes the job of disrupting DPRK systems more challenging. The additional connectivity through Russia also poses a political challenge: how directly does the US want to initiate a conflict with Russia as well as China over the provision of service to North Korea? Such service clearly violates the sweeping presidential Executive Order, and although we don't know the details of TransTeleCom's arrangement with the DPRK government, it likely violates UNSCR 2375's proscription on joint ventures. But does the US want to pick the fight, and how exactly?
One thing is certain; we have not heard the end of the cyber dimension of the current standoff.