North Korea’s Offensive Cyber Program Might Be Good, But Is it Effective?

Ryan C. Maness is an Assistant Professor in the Defense Analysis Department at the Naval Postgraduate School. Brandon Valeriano is the Donald Bren Chair of Armed Politics at the Marine Corps University and a Senior Fellow in Cyber Security as the Niskanen Center. Benjamin Jensen holds a dual appointment as an Associate Professor at Marine Corps University and as a Scholar-in-Residence at American University, School of International Service.

Last week, the New York Times ran a piece portraying North Korea as an emerging cyber power. The Guardian went so far as to call hackers North Korea’s most deadly weapon, which is remarkable considering they have nukes. North Korea’s ability to leverage cyber capabilities for malicious ends is nothing new (see Sony, WannaCry, and other incidents). While North Korea’s basic capabilities are clear, the efficacy of cyber operations is open to debate.

North Korea uses cyber strategies, as it does nuclear posture and ballistic missile tests, to signal resolve and capability in its ongoing crisis with South Korea and the United States. Yet, no North Korea cyber operation has caused a government to back down. Last week in Net Politics, Erica Borghard argued that U.S. signals to North Korea are not sufficiently coercive to compel Pyongyang to change course. So why don’t experts treat North Korea’s cyber-based signals with the same amount of moderation?

Pyongyang keeps hacking because is it cheap and easy. These operations have the added benefit of scouting adversary networks, giving North Korea an idea of just what the United States has in store if conflict erupts. Chris Inglis, former deputy director of the NSA and now at the U.S. Naval Academy, suggests “you could argue they [North Korea] have one of the most successful cyber programs on the planet, not because it is technically sophisticated, but because it has achieved all their aims at a low cost.” While it is undoubtedly true that some cyber programs are low cost when compared to the investments needed to put aircraft carriers in place, there needs to be much more skepticism that that cyber operations help the state achieve their objectives or aims.

Most of North Korea’s cyber actions occur against either South Korea or the United States, usually low-level website defacements or DDoS signaling campaigns that do not escalate. Between 2000 and 2014, we count a total of 16 cyber operations launched against North Korea’s rivals. Exactly zero of these operations are coercive successes against opposition governments.

These operations mostly signal to a rival that North Korea is capable of harm, but the ability to wreak havoc and launch aggressive operations likely to achieve decisive outcomes are two different things. North Korea tends to focus on soft targets, like banking systems, movie companies, and the news media. The recently disclosed 2014 operation against British ITV over displeasure with a documentary is a clear example of a typical North Korean target. The question remains, did the hacks have an impact? It is unclear if the operation forced the company to back down or they simply could not get their financial backers to support the project.

The SWIFT incident is another perfect example. While Pyongyang has been able to steal an estimated $81 million dollars, this money is but a drop in the bucket for a nation-state seeking to fund its operations in the face of crippling sanctions. Furthermore, a nation-state involved in cybercrime speaks more to its financial desperation than as a demonstration of power.

The ability of North Korea to hack other states is not really news. The fact that experts rank Pyongyang so highly is because they are less vulnerable than the opposition. North Korea is not digitally dependent on the internet and communication networks. In fact, when China sought to hamper their ability to hack recently, a Russian firm stepped in to offer more bandwidth. This lack of dependence of traditional infrastructure makes North Korea more dangerous than other states, but there is no evidence it makes them more effective as a cyber power.

North Korea has lots of potential but little actual demonstrated ability to achieve leverage through cyber operations. They might prove the world wrong at some point, as they have on the nuclear front, but there are more pressing issues in the relationship to worry about than North Korea’s ability to achieve coercion in cyberspace. 

The real lesson is that a defender needs to shore up its ability to protect critical infrastructure before launching offensive cyber operations. North Korea does not have similar constraints as the West does and this makes them a dangerous actor in the digital domain. Lacking vulnerabilities creates a form of bargaining power often missed by observers and U.S. policymakers should ensure that U.S. networks are resilient in the face of coming attacks.