Erica D. Borghard is the author of this blog post. You can follow her @eborghard.
Two weeks ago, the Washington Post reported that President Trump authorized United States Cyber Command to conduct a sustained Distributed Denial of Service (DDOS) attack against North Korea’s Reconnaissance General Bureau (RGB). In an environment where activity often occurs covertly, this case provides an opportunity to explore the dynamics of signaling and coercion in cyberspace. In particular, what was the Trump administration seeking to achieve by leaking this operation to the media? And, what might it accomplish?
In all likelihood, the DDOS attack against North Korea’s intelligence agency, coupled with a leak of its occurrence and a post-hoc claim of responsibility by the U.S. government, represented an attempt by the Trump administration to send a costly signal of resolve to Pyongyang. There were similar efforts under the Obama administration to use the media to self-attribute cyberattacks against American adversaries after the fact, such as Vice President Biden’s cagey statement in October 2016 hinting at a cyber response to Russian efforts to interfere in the presidential election.
Signaling is an essential and routine part of coercive diplomacy. States need to credibly convey the intent and capability to carry out a threat when attempting to deter an adversary or compel it to do something. There’s a large academic literature that explains the dynamics and challenges of signaling in the offline world. Signaling in cyberspace is even more complicated for two primary reasons: the inherent role played by secrecy, and the challenge of sending a costly signal.
Secrecy is essential to any successful cyber operation. Revealing information about the vulnerabilities to be exploited or the tools deployed against a target gives the defender the ability to prepare and patch vulnerabilities, rendering the attack moot. This may account for why a member of the Trump administration chose to leak information about a DDOS attack, rather than a more costly attack that would require the United States to maintain persistent access to North Korean networks. Revealing the latter would more likely result in lost intelligence assets and compromise operations. The secrecy requirement is one of the factors that hampers effective coercion in cyberspace; articulating a clear “if X, then Y” threat to an adversary may help the adversary to take actions to thwart the coercer’s implementation of the threat.
Secrecy also has other implications for how states operate. The virtual nature of cyberspace allows states to conduct attacks while obfuscating attribution, making it difficult for the target of a cyber signal to ascertain with confidence the identity of the sender. Even as attribution capabilities improve, it is still difficult to identify who gave the order to conduct a cyberattack and, therefore, the entity politically responsible. Finally, depending on the nature of the signal, the sheer volume of cyber activity may mean that a target may be incapable of distinguishing a signal from the noise.
If a state is seeking to send a signal via cyber means, how can it ensure the signal is received by the adversary and properly attributed? It could couple a cyber signal with other instruments of power, especially private diplomatic channels or public statements. This may account for the Trump administration’s “leak”—it is possible that it was intentional to ensure that North Korea was able to attribute the DDOS attack, after the fact, to the United States. The leak could also serve an additional purpose of facilitating attribution of potential forthcoming cyberattacks against North Korean infrastructure. Even so, this particular leak could only assist with attribution; it did not convey much in the way of content of the signal itself.
A second problematic aspect of signaling in cyberspace is generating sufficient costs. If talk is cheap, governments need to find ways to convey to an adversary that they actually mean what they say. This requires sending a signal that is costly enough such that an unresolved actor would not be willing to send it.
Sending costly signals is difficult in cyberspace. First, there are technical limitations associated with cost generation. Truly destructive attacks—those that produce physical effects and those targeting critical infrastructure—are difficult to carry out successfully. Access-dependent cyberattacks, for instance, require that a state maintains persistent access against a specific target over an indeterminate period of time so that it could deploy a highly tailored tool against that target at the precise time of its choosing. However, the recent North Korean DDOS attack, which was disruptive rather than destructive, did not require access to North Korean networks. These types of attacks may disrupt system functioning for a period of time, but do not create permanent effects; they are also not as costly to develop nor particularly costly for the target to absorb.
An implication of this is that states may sometimes signal with the cyber capabilities they have, rather than those that would be sufficiently costly to send a true signal of resolve. In the North Korean case, DDOSing North Korean intelligence is not very costly and, at most, caused a time-limited disruption of the functioning of RGB networks. The signal the United States was trying to send could also have been confused by President Trump’s verbal bluster on Twitter threatening war. This kind of confused signaling could be more dangerous than no signal at all because it is difficult to interpret and makes leaders prone to miscalculation.
Second, there is a unique psychological dimension to cyberwarfare stemming from its virtual nature. Virtual damage may be perceived differently from physical damage and seen to be less costly. For instance, the North Korean hack of Sony in 2014 would likely have prompted a radically different response had North Korea landed commandos on American soil and physically gained access to Sony headquarters, even if the effect were comparable. On the one hand, this could be a net positive for escalation dynamics because it may contribute to dampening the risk of dangerous spirals. On the other hand, it could impede costly signaling to change an adversary’s calculus.
Taken together, this suggests that skepticism is warranted regarding the effectiveness of the recent cyber signal to North Korea. Of course, there is the caveat that, given the covert nature of state cyber operations, there are almost certainly things the public doesn’t know, necessitating reasoned hypothesizing about this case. That said, the available evidence suggests that this was a poor attempt at cyber signaling. Even beyond the inherent difficulties associated with signaling in cyberspace, the difference between the President’s tweets and DDOS could only muddy the waters. This example only confirms that cyber is not an ideal signaling tool, and this particular signal may have done more harm than good.