The United States should prepare for "higher-intensity" cyber attacks from North Korea by developing stronger policy to respond to attacks, according to a new report.
Current U.S. policy is insufficient to respond to cyber attacks from North Korea and discourage future attacks, according to the report from the Center for Strategic International Studies on North Korea’s cyber operations. As a result, current policy puts the United States "in the position of being repeatedly assailed by [low-intensity] attacks without concrete mechanisms to effectively respond."
These low-intensity attacks, the report warns, could cost the U.S. government and private companies millions of dollars and degrade public confidence in the country’s ability to deter such attacks.
The paper, drawn from a study that began in March 2014, cites the November 2014 cyber attack on Sony Pictures Entertainment and earlier attacks on South Korean institutions as evidence that North Korea is "capable of conducting damaging and disruptive cyber attacks" and is also "heavily invested" in expanding its cyber capabilities for political and military ends.
The Obama administration imposed new sanctions on North Korea early last year after the FBI concluded that it had orchestrated the computer hack at Sony Pictures, the movie studio that produced a film, The Interview, that comically depicted the assassination of North Korean leader Kim Jong Un. At the time, Republicans argued that the administration’s response was not strong enough.
"We need to step up and target those financial institutions in Asia and beyond that are supporting the brutal and dangerous North Korean regime," Rep. Ed Royce (R., Calif.), chair of the House Foreign Affairs Committee, said last January. "Such sanctions have crippled North Korea in the past, leaving the regime unable to buy the loyalty of its generals."
According to the 100-page CSIS report—one of the first comprehensive U.S. studies on North Korea’s cyber operations—cyber attacks from North Korea will likely continue to be "low intensity," though the United States should prepare for the "worst-case scenario" of higher-intensity assaults.
"North Korea may be emboldened, either from past success or a miscalculation of its capabilities and adversary resolve, and elevate the intensity of its cyber attacks. This could lead to crossing of the use of force threshold and an escalation of conflict with the United States and ROK," the study concludes, using an acronym for the Republic of Korea, or South Korea.
"While the lower-intensity options are more probable because continued small provocations are less likely to risk an escalatory response from the U.S. and ROK, planners should prepare for scenarios of spikes in intensity based on a history of unexpected provocations by North Korea," the report states.
CSIS researchers warn that North Korea could further integrate cyber capabilities into its military force to strengthen military operations.
They offer several recommendations to strengthen the Obama administration’s response to cyber attacks, including implementing further sanctions, pushing for stronger international laws on state obligations in cyberspace, and developing a declared policy on counter-measures for attacks.
"In response to the cyber attack against Sony in November 2014, policymakers did not have an established menu of proportional response options, thus hindering the ability of the United States to respond quickly and send a clear signal. Establishing a declared policy allows for more timely responses and may have deterrent effects," the report reads.
The researchers warn the U.S. government against assuming that North Korea is incapable of developing its technology and computer systems, citing the country’s "technical base" for the development of hardware and software and its history of improving its technology.
The United States should also be aware that its current response to cyber attacks has not deterred North Korea from launching new attacks, the report says.
"So far, responses from U.S. or South Korean governments after suffering cyber attacks from North Korea did not seem to convince North Korea that relying on cyber means for provocations was a bad idea, and may have actually convinced North Korea that cyber means are excellent asymmetric tools."