Building resilience to the North Korean cyber threat: Experts discuss

On October 15, as part of the Asia Transnational Threats Forum, the Center for East Asia Policy Studies at Brookings convened a virtual roundtable on cybersecurity and resilience, focused on North Korean cyber threats and the impact of digital technologies on the region’s security, economy, and political dynamics. The event builds on a series of forums started in 2018, including discussions on cyber issues, counterterrorism, and climate security. Experts examined North Korea’s cyber capabilities, methodologies, strategic objectives, as well as South Korea’s response measures and challenges in combatting North Korean cyber operations.

Stephanie Kleine-Ahlbrandt, a nonresident fellow at the Stimson Center and a former member of the North Korea Panel of Experts at the United Nations Security Council, observed that North Korea has become a sophisticated cyber actor. The regime has been using its cyber capabilities to generate revenue and evade sanctions. Noting that its cybercrimes are an extension of the country’s long-time reliance on various illicit activities to fund regime priorities, Kleine-Ahlbrandt argued that the Kim Jong Un regime’s development of cyber capabilities is also consistent with its military strategy which aims to overcome its relative conventional military inferiority.

North Korea exploits loosely regulated networks of virtual assets servers to convert illicitly obtained virtual assets into fiat currency. Kleine-Ahlbrandt stated that the low cost of entry, potential high yields, difficulties and delay in attribution, and lack of effective deterrence incentivize the North Korean regime to invest in its cyber capabilities. A lack of regulations on brokering services and lack of transparency in cryptocurrency-to-fiat conversion in financial institutions in many countries pose challenges against deterring and punishing Pyongyang for its illicit cyber activities. Kleine-Ahlbrandt anticipates that these actions are likely to continue given their profitability.

Despite U.S. government efforts to deter North Korea’s malicious cyber activities through various policy means and cooperation with likeminded countries, the Cyber Infrastructure Security Agency’s April 2020 advisory outlined the scope and breadth of North Korea’s activities over the years, suggesting the difficulties in curbing North Korea’s illicit activities. Kleine-Ahlbrandt highlighted that deterrence does not work the same way in the cyber realm as it does in conventional and nuclear weapons. One of the biggest problems is that the last sanctions resolution was in 2017, and the Security Council is more divided than ever. In addition, Kleine-Ahlbrandt asserted that several member states are strongly opposed to panels investigating and reporting on this area.

Seungjoo Kim of the School of Cybersecurity at Korea University discussed technical aspects of North Korean cyber operations and South Korean responses. The South Korean government estimates that North Korea’s Reconnaissance General Bureau has dedicated more than 6,000 full-time cyber operatives and support staff who launch disinformation, cybercrime, and espionage operations on a daily basis. Kim observed that North Korean students’ solid foundation in computer science are on par with or superior to that of students at leading universities in the United States. Combined with their knowledge of military operations, North Korean cyber operatives are noted for their well-organized operations, such as the 2014 Sony Picture Entertainment breach and 2015-16 attacks on the SWIFT banking system. As North Korea’s level of training grows more advanced and their operation bases spread throughout the globe, tracking North Korean hacking attempts is becoming more challenging.

Kim described South Korea’s response to North Korean cyber threats as involving a structured command-and-control system to respond to cyber threats; a strong network separation policy that segregates the intranet from the internet; a government-organized cyber threat information-sharing system; and an education and peer-to-peer mentoring program to train cyber experts in public and private sectors. In particular, Kim noted South Korea’s policy to completely disconnect an organization’s intranet from the internet, a more stringent measure than other countries, which compartmentalizes information based on the level of importance.

South Korea still faces challenges despite these moves. The network separation policy, for example, conflicts with Seoul’s fourth industrial revolution policies, which include cloud services and private data transfer. Furthermore, a lack of sufficient incentives for students to pursue a career in cybersecurity makes it challenging to attract and train much-needed industry experts. Finally, Kim echoed Kleine-Ahlbrandt’s comment about the difficulties of responding proportionately to North Korean cyberattacks and enforcing sanctions without the participation of the international community.

During the discussion, the panelists further examined the use of cyberspace for sanction evasion. Kleine-Ahlbrandt noted that while asset freezes apply to cryptocurrency, the lax regulation and enforcement practices make it challenging to monitor crypto exchanges and underground markets, such as the dark web, which has seen a remarkable increase in activities.

Unpacking the technical aspect of attribution, Kim explained that software has traces and patterns that can be analyzed to identify hacking software and code, as well as identify and differentiate actors. However, tracking North Korean malicious activities is harder in the wake of what he believed were open-source intelligence companies’ excessive disclosure of related information, and North Korean hackers’ use of cloud or docker systems to share their own code.

The participants also discussed the possibility of North Korea’s cyberattacks on U.S. and South Korean critical infrastructure. While North Korean cyberattacks have focused on computer systems and financial institutions, the U.S. government and the U.N. warn of the possibility of hacking targeting weapons and automobile systems, as all high-tech systems are hackable. While cyber deterrence is not possible, the experts advised increasing operational cost, as well as disrupting, exposing, and attacking North Korean infrastructures to counter North Korean cyber threats.