Sketching the Contours of Cyberconflict in Asia
March 27, 2017
This post originally appeared on
We can draw upon twenty years of experience with cyber operations to identify common elements in their use. Countries use cyber operations in a manner consistent with their larger national strategies. Cyber operations are another tool in the portfolio of coercion available to states, but it is one they use with caution to avoid retaliation. Malicious cyber actions follow the larger pattern of relations among states. Where there is competition or hostility, malicious cyber action is likely. Putting cybersecurity in this larger strategic context lets us chart with some accuracy the map of cyber conflict in Asia and from this, begin to map elements of cyber risk that states face and must manage.
As the DPRK’s nuclear and missile capabilities improve, it will be tempted to increase the use of aggressive cyber actions in its coercive diplomacy.
True attacks are rare. There is a substantial gray area when a cyber action
does not fit neatly into the categories of use of force or armed attack
that guide international relations in the physical world. The leading
military powers are developing cyberattack capability for use in armed
conflict, but the most frequent use is to hack opponents for espionage and
sometimes for coercive effect. Cyber espionage is omnipresent. The degree
to which countries engage in cyber espionage is shaped by their larger
interests and by their views of potential competitors and opponents. An
ASEAN country faces few technical or budgetary constraints if it wished to
spy on Iceland, for example, but there is no incentive to do so.
If this is the pattern of behaviour we can observe in state use of cyber operations, we can then map the interrelationships in cyber conflict in Asia using publicly available sources. There are four countries that have used offensive cyber operations in pursuit of national goals – China, Russia, the U.S. and the DPRK. Another four countries– Australia, Singapore, India and the ROK- have or are developing such capabilities (Japan’s cyber operations capabilities are still at a nascent stage). Other countries in the region, particularly ASEAN states, have varying degrees of defensive capabilities, few of which could be considered adequate for national defense.
Russia, although capable and aggressive, has focused its attention on the U.S., Western Europe and the “near abroad.” It is also likely that Russian cyber espionage is directed against China, India, and Japan.
China has made extensive use of cyber operations for espionage purposes, directed against the U.S., Russia, India, Australia, New Zealand, Japan and Korea, as well as dissident groups and countries outside of the region, but it has not used “force” in cyberspace, in the sense of seeking to disrupt services or damage computer resources
The U.S. has, judging from public sources, engaged in extensive espionage operations against China, Russia and the DPRK, and probably others. It has also been charged in the media with using cyber operations to interfere with DPRK missiles tests.
The DPRK has launched disruptive and coercive cyber actions against the U.S. and the ROK, engages in cyber espionage against these countries, and has attempted political influence operations against the ROK. It does not seem to have used cyber operations against other countries (particularly China and Japan, given its interest in maintaining good relations).
While the U.S. and its treaty allies cooperate in defensive actions, the same is not true for the other regional “cyber powers,” creating what might appear to be a kind of free for all in cyberspace but is best seen as a series of overlapping bilateral cyber conflicts that are largely independent of each other.
Russia and the DPRK share involvement in cybercrime – carried out by
government actors in the DPRK and by criminal groups operating with
government support in Russia. The DPRK appears to be moving its
wide-ranging criminal activities into cyberspace and the RGB operates its
cybercrime activities from some of the same southeast Asian countries it
has used for conventional criminal activities. Cybercrime is global in
scope and driven by
(rather than political) motives. A poorly protected bank can be hacked from
anywhere in the world. These criminal activities pose the greatest risk to
Southeast Asian countries, given the potential to disrupt national and
regional financial systems. It is the risk of financial cybercrime more
than anything else that points to the need for a cooperative arrangement in
ASEAN for information sharing and defense.
Leading military powers are integrating cyber operations into their forces and planning. This is inevitable as the growing dependence of modern weapons systems on computer technology creates new vulnerabilities. Opponents routinely probe each other’s weapons systems to find ways to disrupt them, and they will use what they find in combat.
The exception to this is the DPRK. Consistent with its larger strategy of using provocation as part of coercive diplomacy, the North has been less constrained in its use of cyber operations and some of its “attacks,” such as the 2013 data disruption against ROK banks and media, approach the level of the use of force. As the DPRK’s nuclear and missile capabilities improve, it will be tempted to increase the use of aggressive cyber actions in its coercive diplomacy.
Cyber operations create a new avenue for conflict and competition, but that avenue follows the general direction of pre-existing tensions. Given the above mapping of cyber operations, we can identify three sets of activities that would advance the regional cybersecurity agenda: bilateral exchanges among opponents to reduce the risk of miscalculation; regional cooperation to improve defenses against cybercrime; and capacity building not only on technical means but on the ability to create national cybersecurity policies. Progress in these areas has been slow and uncertain, and the region would benefit from more energetic diplomatic efforts, based on a realistic appraisal of risk, to change this.