Since roughly 2009, North Korea has been active and noisy in cyberspace. From the hacking of government web sites in South Korea and the United States to the trashing of South Korean bank and media company information systems, the revenge attack on Sony, the infiltration of South Korean infrastructures such as nuclear power plants and subway systems, the theft of $81 million from Bangladesh, and, most recently, the release of the WannaCry ransomware, there seem to be few if any constraints on North Korean behavior in cyberspace.
Criminal motives are obvious in some cases; North Korea needs hard currency, notably for its nuclear programs. Not all such attacks are cybercrimes, though. What are the motives for the others?
The least unlikely – although least satisfying – answer is because they can. Granted, understanding North Korean motives remains particularly iffy, and North Korea likes it this way. Observers believe Kim Jong-un has consolidated power so rapidly and completely by adopting his military’s priorities as his own. However, that just pushes the question down one level, it hardly provides a strategic rationale explaining what they are trying to achieve,
Perhaps not much motivation is needed – cyber warfare is cheap. North Korea’s Bureau 121, the cyber warfare unit of the North Korean intelligence, does what it does using, by one estimate, only 2,000 hackers compared to over a million soldiers in its army. Hackers also do not need much in the way of fancy equipment – code-breaking hardware can be expensive but, as bitcoin-mining schemes have shown, it can be borrowed from the unwitting.
Furthermore, cyber attacks can damage others with far less risk of retaliation against their sponsors. To be sure, North Korea is already confident because other countries fear it may respond to force by unloading an artillery barrage, or even nuclear weapons, on Seoul, killing hundreds of thousands. Even if something larger than the sinking of a South Korean corvette cannot be conducted without risk, those risks are less for a cyber attack. Any use of force in response to a nonfatal attack – and no cyber attack has ever hurt anyone directly – would seem disproportionate. North Korea’s low level of digitization and ultra-low level of connectivity means that cyberspace-only responses would not be something their leaders would fear. North Korea’s isolation and autarky give additional sanctions little potential value. In addition, convincing attribution of cyber attacks is difficult – at least without a far more open U.S. disclosure policy for evidence and intelligence related to attribution. Many fair-minded observers still doubt, without good reason, that North Korea was responsible for the Sony attack. However, understanding that cyber warfare is incurs relatively low costs hardly provides a motivation for conducting it in the first place, apart from rejoicing in anything that discomforts South Korea.
Do North Korea’s cyber attacks have strategic purpose? Certainly, North Korea does what it can to compromise South Korean military systems – not least of its efforts was their penetration of South Korea’s military cyber command.
Yet, that hardly explains their depredations against South Korea’s infrastructure. Perhaps, they may have implanted malware within South Korea’s critical infrastructure to be detonated in case of war or perhaps just before its own forces move south. Such a detonation would complicate South Korea’s defense both logistically and psychologically.
There’s a problem with that argument, though. True, South Koreans have discovered multiple North Korean implants in their infrastructure systems – whether or not such implants could have disrupted operations or just administrative work is another issue. However, no one needs to fear implants that have already been discovered, because they are, or at least should be, removed quickly, along with any suspicious code that looks sufficiently like such implants. The implants to fear are those that have not yet been found because they remain active. This is the opposite of the case for most weapon systems; countries display them to inspire fear and caution in their potential foes – and displaying them hardly lessens their power.
Because visible implants can be removed, anything that looks like it was done intentionally for deterrent effect in cyberspace must be ignored because it means it is unlikely there are further, yet undiscovered, implants. It is always hard to infer what has not been seen from what has been seen. Using cyber attacks for deterrence or compulsion may require a degree of subtlety so far missing from anything else North Korea has done. Without subtlety, victims will believe that the intrusions they find are the only that exist, meaning there is limited credibility in establishing deterrence through cyber means.
While many North Koreans are being trained in China and are based in the Chinese city of Shenyang, China may not be actively aiding North Korea’s hacking. WannaCry has hurt Chinese organizations, yet the Chinese are certainly condoning North Korean hacking. Those counting on China to tamp down North Korea’s cyberspace adventurism could be in for a long wait. Beijing does not compartmentalize North Korea’s behavior; it is all of a whole. Even if it did consider cyberspace issues to be separate from others, China’s one-sided agreement to cease commercial cyber-espionage against the U.S. may be enough of a concession to U.S. demands for the time being. If China were going to really pressure North Korea for something, it would likely be motivated by the consequences from the latter’s nuclear program. Compared to that, the threat from North Korea’s cyberspace depredations is small potatoes.
