All the hubub on North Korea hacking Sony got me thinking about the impact this might have on the private sector. To date, most of the North Korea & hacking discussion has focused on cyber-attacks on big, predictable targets like the US Defense Department or South Korean Ministry of National Defense. But targeting a private sector firm, especially a big,well-known one like Sony strikes me as a major expansion. Now for-profit entities with far fewer resources, especially intelligence, have been put on notice. That’s gotta make a lot of foreign companies who are thinking of operating in Korea think twice. Who wants to accidentally anger the Norks for who knows what by opening a store in Daejon or something? Best to just steer away. At least that is what I would be thinking, or more correctly fearing, if I were South Korean commercial officials.

So if you are major foreign firm operating in the Korean space, you’ve been warned. The Sony hack is meant to put you on notice. Hopefully you do the right thing: pulling investment or chilling creativity because of totalitarian threats would be a terrible outcome.

This essay was first published at the Lowy Interpreter and then picked up by The National Interest. It starts after the jump:

 

The recent cyber-attack on Sony Pictures by North Korea in response to the film ‘The Interview’ comes after a series of previous North Korean hacks of institutions in South Korea as well. It appears that North Korea is improving its cyber capabilities and widening its target list. The decision to strike the private sector outside of South Korea is a new development with disturbing ramifications for foreign firms that operate in the Korean space. The film itself is fairly ridiculous with mediocre reviews, but the likely cause of all the global attention to ‘The Interview’ case is Pyongyang’s new willingness to target high-profile, non-Korean private companies. All this raises major questions about Pyongyang’s asymmetric efforts against the South, and now for foreign firms in Korea.

There remains some disagreement over whether it was in fact North Korea that hacked Sony. Recently, the director of the US Federal Bureau of Investigation (FBI) felt compelled to come forward with greater evidence in support of the US government claim, and President Obama has repeatedly spoken with great confidence that North Korea was the perpetrator. Furthermore, it is scarcely disputed that hacks of South Korean institutions, such as the nuclear power industry, banks, and broadcasters, were performed by North Korea.

Cyber as a space for North Korea to contend with its opponents – South Korea, Japan, and the United States, and now perhaps, their firms – is a new development. For much of the internet age, North Korea has been so far behind South Korea and others technologically, that cyber was not an area in which North Korea was expected to thrive. Indeed, it may be that North Korea contracts out its hacking requests to specialist, third-party ‘hacktivist’ groups like the Lizard Squad or Anonymous. Yet Pyongyang has repeatedly surprised observers with its technological leaps. North Korea beat South Korea in drone development, and of course, it has developed nuclear weapons and ballistic missiles. It therefore seems likely that cyber is an emerging arena, in which both governments and now business, as the Sony hack demonstrates, will be forced to defend themselves against North Korean action.

Indeed, cyber is an ideal arena for North Korea for many reasons. It is a twilight space with few agreed rules, and much room for plausible deniability. Predictably, Pyongyang immediately disavowed the Sony hack, and many have questioned the US evidence. But unlike easily recognizable traditional aggression in the physical world, it is hard for non-experts to grasp virtual ‘aggression.’ Laymen could see the sunken South Korean destroyer Cheonan in 2010 and make the reasonable conjecture that North Korea torpedoed it. But few have the ability to understand the nuances and details of cyber-hacking. It is not immediately evident, as with physical violence, that hacking is even ‘aggression.’ Are leaking private photos and emails, or knocking out a bank website for a few hours, an attack, which would suggest a defensive, perhaps military, response? Or is this industrial espionage?

Similarly, cyberspace attacks allow North Korea to wreak havoc, but virtually, with only oblique links between its action and real-world consequences such as injury or property damage. For example, if a person dies in a hospital whose power was cut in a hack, whose fault is that? Perhaps the hospital should have had stronger redundancy systems or better trained staff, because power failures do otherwise happen anyway.

There are no good answers yet to questions such as these, which also explains why Chinese hacking of US institutions has meet such a confused policy response. Traditional international law and organizations cover ‘real world’ conflict issues, such as rules of war, war crimes, or the treatment of prisoners of war. But given the sheer novelty of ‘net-war’ – if that is even the appropriate term of art – there are no clear norms for what constitutes aggression, defense, proportional response, and so on. In short, the vague, hard-to-attribute, poorly regulated, twilight character of cyber provocation is likely methodologically very attractive to Pyongyang.

Finally, cyber-hacking fits longstanding North Korean preferences for both the asymmetric harassment of South Korea and criminal activity. North Korea (probably) cannot win an open conflict with South Korea. This is well-known, even to Pyongyang elites, who have consistently stepped back from the abyss of their own rhetoric, such as in the 2013 spring war crisis. But North Korea is built around an enemy image of South Korea and anti-Americanism. These are central tenets of its post-communist, nationalist ideology. Regular tension with the South, and the US and Japan, helps justify why North Korea exists despite the end of the Cold War, and why unification – ostensibly the regime’s stated goal – never occurs.

The dilemma then for Pyongyang is how to gin up enough tension to justify North Korea’s existence as a separate, poorer Korean state, but not produce so much that war breaks out. Here again, cyber is a great fit. Its twilight nature allows regular action against the South and US, but without the clear-cut fallout which might provide a casus belli. ‘The Interview,’ which mocks the leadership that North Korean propaganda treats as semi-divine, is an ideal target for such action.

Finally, hacking is a congenial choice for a regime already steeped in criminal gangsterism. North Korea produces methamphetamines, counterfeits dollars and RMB, proliferates military technology, engages in insurance fraud, and so on. As a rogue state that already rejects the basic rules of the global economy, cyber-hacking is likely just another technique. Both the governments and businesses in the South Korea, Japan, and the West will have to prepare for North Korean cyber-harassment and debate the manner of response.

Filed under: Uncategorized