Security challenges in Asia come not only from nuclear threats or geopolitical conflicts, but also increasingly from the cyber space. As Jung Pak, senior fellow in the Brookings Center for East Asia Policy Studies and SK-Korea Foundation Chair in Korea studies said during a June conference at Brookings on cybersecurity in Asia: “Cyber is a threat we can’t see, that cross borders, and is one of the tools of coercive diplomacy.”
As experts discussed at the event, compared to traditional security threats, cyber threats are harder to detect or attribute, more often transnational or even transcontinental, and can be very disruptive at a relatively low cost to perpetrators. Cybersecurity has become especially important for Asia, which is home to a significant number of cyber perpetrators and their targets. Below are some key takeaways from the conference, during which a range of U.S. and South Korean cybersecurity experts discussed the capabilities and intentions of regional actors and examined government policies to counter evolving threats.
The cyber landscape in Asia
In a keynote address, former Coordinator for Cyber Issues at the U.S. Department of State Chris Painter argued that we should perceive cybersecurity as both a threat and an opportunity for Asia. He explained that regional actors like China and North Korea have frequently exercised their cyber power to achieve their strategic goals around the globe. Yet their motivations and objectives differ: While North Korea primarily aims to develop capabilities for revenue generation and destructive capabilities for potential conflicts outside North Korea, China mainly utilizes its cyber means for espionage and intellectual property theft. “Naming and shaming” has been an effective tool against China because of its government’s concerns on the potential blowback on its soft power, Painter said.
Painter also said that the rest of the region is starting to recognize vulnerabilities in its own defense systems and striving to catch up. This growing awareness of cyberattacks has prompted countries like Singapore, Japan, and South Korea to increase their investments in cyber capabilities in recent years. Most notably, Singapore—which was once thought to be one of the most vulnerable countries in the world to cyber threats—has become a regional leader and has assisted other ASEAN countries in developing their cyber capacities.
North Korea and China
Sangmyung Choi of Hauri Inc., a Seoul-based cybersecurity firm, outlined the spectrum of North Korea’s cyberattacks toward South Korea. In sum, North Korea has hacked or attempted to hack almost every well-known industry, institution, government agency, and large corporation in South Korea. It is also capable of simultaneously affecting a high volume of systems. According to Choi, North Korean hackers in 2009 infiltrated about 400,000 computers in South Korea through a distributed denial of service (DDoS) attack, using approximately 2,000 servers around the world. He detailed North Korea’s method of starting its attack from a subsidiary of the main target. For example, when North Koreans extracted nuclear reactor designs from a South Korean nuclear power plant, they were able to infiltrate the plant’s internal intranet by first hacking into one of the plant’s partner companies. Choi also noted that North Korean hackers tailor their attacks by identifying and taking advantage of certain South Korean vulnerabilities, such as the 23 known vulnerabilities found in the widely used Korean word processor, Hangul Office.
On Chinese cyber capabilities, William Carter, deputy director of the Technology Policy Program at the Center for Strategic and International Studies (CSIS), discussed Beijing’s move toward professionalization and civil-military fusion in cyber arenas. Unlike Russia, for instance, China largely limits its projection of cyber power to propaganda, intellectual property theft, and intelligence gathering. Building on Painter’s assessment of China’s concern for maintaining its soft power, Carter also stated that China prefers to be seen playing the role of the “good guy.” But for China to have its cake and eat it too, it must be more subtle in its operations and focus on strategic goals. He views the professionalization of China’s capabilities as another way to delegitimize the United States: Beijing not only wants to gain influence in the region, but to raise its standing in the international mechanisms that control the cyber sphere. In its push toward professionalization, China is increasingly consolidating its private-sector capabilities with its military intelligence services and focusing on long-term strategic goals, rather than disruptive attacks.
Priscilla Moriuchi, director of strategic threat development at Recorded Future, views the internet as another domain for North Korea’s criminal ventures, primarily in generating illicit funds for the Kim Jong-un regime. She detailed how North Korea commits cybercrimes through hacking banking operations, cryptocurrency thefts in operations and mining, as well as other low-level financial crimes. She raised specific concerns regarding hacks against banking operations because domestic intrabank transfer systems tend to be “variously secured.” It is especially difficult to attribute these attacks since banks are not typically transparent and have no reason to publicize the incidents.
In the case of North Korea’s WannaCry attack in May 2017 and its use of cryptocurrency as ransom payments, many observers initially perceived North Korea’s tactics as naïve, but Moriuchi explained how this was actually not the case:
Experts also explored government policies to address cybersecurity concerns, starting with South Korea’s cyber defense measures. Professor Jong-in Lim of Korea University, who was the former Blue House special advisor on cybersecurity, raised the ineffectiveness of South Korea’s policies and measures in deterring North Korea. He said there is a lack of information sharing across government institutions. Without proper institutional and legal structures, the various government agencies—including the National Intelligence Service and Ministry of Defense—are reluctant to share information on cyber issues as each vies for influence. In light of improved relations between the two Koreas, Lim suggested that a possible peace treaty should also include an agreement on cyber issues. Such an agreement, he envisions, would incorporate a punishment mechanism to be developed in conjunction with China, Russia, and the United States to ensure that North Korea would unequivocally cease its illicit cyber activities toward South Korea.
James Baker, visiting fellow in the Brookings Governance Studies program, moderated the conversation that followed, asking the panelists for their views on the common challenges that countries face in cyberspace. According to Katherine Charlet from the Carnegie Endowment for International Peace, the lack of an incentive structure, time, money, and the sheer complexity of the issue all contribute to the difficulty in developing a robust cyber defense system. Adding to this difficulty is the fact that cyber actors have lately been more disruptive in their operations while further testing the limits of the international community. Despite this increased boldness in testing the waters, she acknowledged that cyber actors refrain from launching a globally destabilizing threat, which is also partly influenced by governments’ growing willingness to publicly attribute an attack to a specific group or country:
Michael Sulmeyer, director of the Cybersecurity Project at Harvard University’s Belfer Center, expressed his concern about the serious consequences that states could face when offensive cyber capabilities are combined with new technologies. As more states are able to acquire offensive capabilities with relative ease, there is the risk of crossing a new threshold when these capabilities are executed through the “internet of bodies,” which not only include smartphones, but implants in our bodies. He believes that more than the complexity and sophistication of offensive capabilities, the core challenge lies in the negligence and slowness of our defensive posture. In that regard, he urged increased accountability from government and the private sector. On the question of whether cyber deterrence exists, Sulmeyer strongly asserted that it does not at the moment:
For more on this event, click here.