Published by The Lawfare Institute
in Cooperation With
The headline accompanying an Oct. 15 piece in the New York Times declared forthrightly that "The World Once Laughed at North Korean Cyberpower. No More." That is, as they say, a bold claim.
In fact, the piece does detail a series of past North Korean cyberattacks that were taken seriously by the U.S. government and authors David Sanger, David Kirkpatrick and Nicole Perlroth would not be the first journalists to be poorly served with a misleading headline. Alas, the body of the story is similarly off-base in its descriptions of how experts have thought about the North Korean cyber threat, how the United States has responded and what can be done in the future.
To hear the authors tell the tale, experts scoffed at the cyber risk posed by the problematic nation, “only to now acknowledge that hacking is an almost perfect weapon for a Pyongyang that is isolated and has little to lose.” A reader is left to assume that the move to take North Korea seriously as a cyber threat is new. In fact, the U.S. government has been warning about the threat for at least five years, with South Korea issuing warnings about North Korean cyber units back in 2010.
It's certainly true, as the Times notes, that the intelligence community’s 2009 National Intelligence Estimate determined North Korea wouldn’t be a serious cyber threat for some time. Pyongyang had virtually no cyber capabilities before the Iraq War and didn't begin to grow them more seriously until after 2009. But while U.S. intelligence experts failed to be prophetic, they took the North Korean cyber threat very seriously and tracked it intensely once it emerged.
The Times piece also leaves a reader with the impression that nothing more can be accomplished—particularly not through sanctions—to put pressure on North Korean cyber activities. The authors quote Robert P. Silvers, former assistant secretary for cyber policy under former President Barack Obama, who offers the fatalistic assessment that we are "already sanctioning anything and everything we can."
But testifying in early September at a Senate banking committee hearing on North Korean sanctions, Obama’s Treasury Department sanctions chief, Adam Szubin, asserted that we’d need to put more sanctions pressure on Kim Jong Un to change his behavior. That testimony came two weeks before President Donald Trump’s most recent executive order on North Korea. Even with the newest E.O. in place, the United States still has room to implement sanctions even further when it comes to cybersecurity.
It's important to understand how sanctions could impact North Korean cyber capabilities. The Times piece outlines North Korean efforts to rely on internet infrastructure abroad, which exposes new vulnerabilities. For instance, a major Russian telecommunications company is providing internet infrastructure to North Korea as a backup to Chinese support, and the Times article asserts that North Korean cyber hackers are operating on Indian soil. The United States recently has been willing to implement secondary sanctions that, for example, sanction banks in another state in order to prevent that state from facilitating certain North Korean activities. That demonstrates how sanctions can be used to leverage third-party states to constrain Pyongyang's cyber efforts. For example, the United States could—but thus far, has not—implement sanctions on a state like India for failing to crack down on a North Korean hacker group known to be acting on its soil.
The bottom line is that United States has options, both in terms of sanctions and in offensive cyber action. We have been rightfully cautious about employing either. The government could still move, via diplomatic pressure or sanctions, to prevent any state that allows North Korean cyber actors to act on its soil from accessing the U.S. markets. The United States also could deploy its own offensive cyber weapons that it surely has in place.
There are a variety of reasons to choose not to do so in the immediate future—such as not wanting to escalate the conflict or wanting to keep our cyber capabilities concealed. But in general, judicious responses to cyberattacks should be lauded.