The Likelihood of North Korean Cyber Attacks
Under what circumstances would it make sense for North Korea’s Kim regime to begin a war with the United States? The primary goal of any state is survival, and this is even more important for politically fragile regimes that provide immense benefit to the ruling family. An upper limit to North Korean activities is that, though it will use threats and coercive acts to pursue its larger policy goals, it will not do so at the expense of its own survival.
There is some risk that Kim Jong-un could miscalculate when it comes to coercive acts. Shooting missiles over Guam would provoke a reaction, as would an inadvertent impact on Japanese territory of a missile intended to overfly it. But in general, behind the bluster, the Kim regime has been calculating and careful. This is the lens through which we should measure the risk of North Korea launching a cyber attack against the United States.
North Korea is the least capable of our opponents when it comes to cyber attack. It uses cyber techniques for coercive diplomacy, for criminal activities to generate hard currency, and for disruptive actions in the South and against deployed U.S. forces. If war breaks out, the North might also consider cyber attacks against military or symbolic targets in the United States. However, short of armed conflict, disruptive actions here are unlikely.
How disruptive a North Korean cyber attack would be depends on the victim’s weaknesses. North Korean successes depend on relatively basic techniques that exploit vulnerabilities in poorly defended systems. Though the North has used cyber attacks several times against South Korean banks and media outlets, and against Sony in the United States, none of those attacks caused physical destruction or casualties. To be fair, no cyber attack has ever caused casualties, and only three or four resulted in physical damage. North Korea, despite progress in developing its cyber-attack capabilities, does not possess the advanced skills needed to cause physical damage.
What the North can do with cyber operations is disrupt data and online services. A 2011 cyber attack on a South Korean bank left customers unable to use ATMs or online services for several days. The action deleted customer accounts and tried to erase evidence of the attack from the bank’s computers. Similar attacks took place in 2013 against banks and media outlets in Seoul, with data erased and services disrupted. The 2014 attack on Sony Pictures also disrupted services and data and saw leaks of embarrassing e-mails. The most recent North Korean cyber incident used false credentials to steal $81 million from the Bangladesh Central Bank. While these count as successes, they may have also increased North Korea’s caution. If you think you are invisible and suddenly discover that you are not, it dampens your enthusiasm for crime. The ability of the United States to identify North Korea in the Sony incident probably led the North to revise upward the risk of cyber action against U.S. targets.
We can run through one popular scenario to explore how North Korea might think about cyber attacks. Though it is unlikely that North Korea has the ability to cause blackouts in the United States, if it did have the capability and decided to use it, this would not reduce our ability to retaliate militarily. Blackouts do not produce catastrophe or military advantage. A cyber-induced blackout would, however, put the regime’s survival at risk—in diplomatic parlance, this is called poking a bear with a stick. In any event, the notion of cyber catastrophe is wildly exaggerated, reflecting a popular culture prone to exaggerating risk rather than seriously assessing an opponent’s capability and intent.
North Korea uses cyber attacks to advance its policy agenda; none of its actions has been capricious or haphazard. Cyber attacks do not come out of the blue. They are not random acts (and they are not launched by groups with funny names) but are calculated to achieve either political or financial goals.
A decision to launch a cyber attack would be made by Kim Jong-un, and he would consider this in the context of the larger efforts to manipulate decisionmakers and public opinion in the United States, Japan, and South Korea. An attack on critical infrastructure located in the domestic United States would be extremely provocative, and there are plenty of other provocative things the North can do that do not create existential risk for the Kim regime. Kim and his advisers probably know that China and Russia would look unfavorably on a cyber attack against the United States at this tense juncture, and while the North may be ready to ignore its patrons in some matters, starting an armed conflict with the United States is not one of them.
It is commonplace to call Kim crazy, but his decisions are rational in the context of North Korea’s strategic culture. An attack on the United States that the North believes is likely to be detected, that will not produce significant harm, and that could generate a damaging response is unattractive. The goal is to manipulate the United States and its North Asian allies without provoking war, and cyber attacks on the U.S. homeland, catastrophic or otherwise, run counter to this.
The Trump administration is working in a revised cyber-deterrence policy, but if it is worried about possible North Korean cyber attacks against the United States, it could say that any attack will be detected and its source identified and that we will respond forcefully and in damaging ways. This should be enough to change North Korean calculations about risk and benefit and reinforce what is likely to be an already high degree of caution in contemplating a cyber attack against the United States.
James Andrew Lewis is a senior vice president at the Center for Strategic and International Studies in Washington, D.C.
Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2017 by the Center for Strategic and International Studies. All rights reserved.