Sketching the Contours of Cyberconflict in Asia

Photo: Adobe Stock
This post originally appeared on
IAPS Dialogue
.
We can draw upon twenty years of experience with cyber operations to
identify common elements in their use. Countries use cyber operations in a
manner consistent with their larger national strategies. Cyber operations
are another tool in the portfolio of coercion available to states, but it
is one they use with caution to avoid retaliation. Malicious cyber actions
follow the larger pattern of relations among states. Where there is
competition or hostility, malicious cyber action is likely. Putting
cybersecurity in this larger strategic context lets us chart with some
accuracy the map of cyber conflict in Asia and from this, begin to map
elements of cyber risk that states face and must manage.
As the DPRK’s nuclear and missile capabilities improve, it will be tempted to increase the use of aggressive cyber actions in its coercive diplomacy.
True attacks are rare. There is a substantial gray area when a cyber action
does not fit neatly into the categories of use of force or armed attack
that guide international relations in the physical world. The leading
military powers are developing cyberattack capability for use in armed
conflict, but the most frequent use is to hack opponents for espionage and
sometimes for coercive effect. Cyber espionage is omnipresent. The degree
to which countries engage in cyber espionage is shaped by their larger
interests and by their views of potential competitors and opponents. An
ASEAN country faces few technical or budgetary constraints if it wished to
spy on Iceland, for example, but there is no incentive to do so.
If this is the pattern of behaviour we can observe in state use of cyber
operations, we can then map the interrelationships in cyber conflict in
Asia using publicly available sources. There are four countries that have
used offensive cyber operations in pursuit of national goals – China,
Russia, the U.S. and the DPRK. Another four countries– Australia,
Singapore, India and the ROK- have or are developing such capabilities
(Japan’s cyber operations capabilities are still at a nascent stage). Other
countries in the region, particularly ASEAN states, have varying degrees of
defensive capabilities, few of which could be considered adequate for
national defense.
Russia, although capable and aggressive, has focused its attention on the
U.S., Western Europe and the “near abroad.” It is also likely that Russian
cyber espionage is directed against China, India, and Japan.
-
China has made extensive use of cyber operations for espionage purposes, directed against the U.S., Russia, India, Australia, New Zealand, Japan and Korea, as well as dissident groups and countries outside of the region, but it has not used “force” in cyberspace, in the sense of seeking to disrupt services or damage computer resources
-
The U.S. has, judging from public sources, engaged in extensive espionage operations against China, Russia and the DPRK, and probably others. It has also been charged in the media with using cyber operations to interfere with DPRK missiles tests.
-
The DPRK has launched disruptive and coercive cyber actions against the U.S. and the ROK, engages in cyber espionage against these countries, and has attempted political influence operations against the ROK. It does not seem to have used cyber operations against other countries (particularly China and Japan, given its interest in maintaining good relations).
-
While the U.S. and its treaty allies cooperate in defensive actions, the same is not true for the other regional “cyber powers,” creating what might appear to be a kind of free for all in cyberspace but is best seen as a series of overlapping bilateral cyber conflicts that are largely independent of each other.
Russia and the DPRK share involvement in cybercrime – carried out by
government actors in the DPRK and by criminal groups operating with
government support in Russia. The DPRK appears to be moving its
wide-ranging criminal activities into cyberspace and the RGB operates its
cybercrime activities from some of the same southeast Asian countries it
has used for conventional criminal activities. Cybercrime is global in
scope and driven by
financial
(rather than political) motives. A poorly protected bank can be hacked from
anywhere in the world. These criminal activities pose the greatest risk to
Southeast Asian countries, given the potential to disrupt national and
regional financial systems. It is the risk of financial cybercrime more
than anything else that points to the need for a cooperative arrangement in
ASEAN for information sharing and defense.
Leading military powers are integrating cyber operations into their forces
and planning. This is inevitable as the growing dependence of modern
weapons systems on computer technology creates new vulnerabilities.
Opponents routinely probe each other’s weapons systems to find ways to
disrupt them, and they will use what they find in combat.
The exception to this is the DPRK. Consistent with its larger strategy of
using provocation as part of coercive diplomacy, the North has been less
constrained in its use of cyber operations and some of its “attacks,” such
as the
2013 data disruption
against ROK banks and media, approach the level of the use of force. As the
DPRK’s nuclear and missile capabilities improve, it will be tempted to
increase the use of aggressive cyber actions in its coercive diplomacy.
Cyber operations create a new avenue for conflict and competition, but that
avenue follows the general direction of pre-existing tensions. Given the
above mapping of cyber operations, we can identify three sets of activities
that would advance the regional cybersecurity agenda: bilateral exchanges
among opponents to reduce the risk of miscalculation; regional cooperation
to improve defenses against cybercrime; and capacity building not only on
technical means but on the ability to create national cybersecurity
policies. Progress in these areas has been slow and uncertain, and the
region would benefit from more energetic diplomatic efforts, based on a
realistic appraisal of risk, to change this.