Generals always fight the last war.
Ever heard this saying? This adage, dating back to at least 1929, describes not only the famously disastrous French Maginot Line defenses in World War II but also the contemporary use of antiquated policies in a rapidly changing world. In applying economic sanctions to financially motivated North Korean cyber groups, U.S. policymakers display a striking failure to understand strategic realities in the cyber domain. They are fighting the last war.
Despite the U.S. government’s best efforts to deter malicious cyber activity, the threat from both state-sponsored and financially motivated groups has persisted and, in some cases, grown. By 2018, North Korean state-sponsored cyber groups had attempted to steal over a billion dollars, worth almost three percent of that nation’s GDP, and had actually walked away with over a hundred million dollars. According to the cyber security firm FireEye, one of the most prolific North Korean groups, known as APT38, “remains active and dangerous to financial institutions worldwide.” The same pattern of persistence holds for purely criminal actors: FireEye predicted that FIN7, a financially motivated criminal group (not attributed to North Korea) known to have targeted over 100 organizations across 14 sectors for monetary gain by 2018, would likely adapt its tactics and continue its activity despite the arrest of three individuals in the group’s leadership. The prediction rang true, as security researchers soon discovered new FIN7 attacks and reported that the group had likely “extended the number of groups operating under its umbrella” and even “increased the sophistication of its methods,” targeting at least 130 companies by the end of 2018.
In some cases the use or threat of sanctions may have a deterrent effect. Indeed, it may have contributed to the 2015 Obama-Xi “common understanding” not to condone or support cyber espionage or intellectual property theft for commercial gain. Similar attempts to sanction and deter North Korea’s financially motivated cyber operations, however, are likely to fall short. Why?
First, the United States simply does not have the necessary economic leverage for sanctions to achieve their desired deterrent effect on North Korean cyber activity. The threat of sanctions carried weight with China in 2015 because the economic cost to Beijing would have been too great to bear; North Korea, by contrast, is already one of the world’s most isolated nations under existing economic and financial sanctions, so additional measures have little left to take away and are unlikely to raise much concern in Pyongyang. The new sanctions designate Lazarus Group, Bluenoroff, and Andariel, three groups known to conduct cybercrime operations on behalf of the North Korean regime to generate revenue. How the designation of these groups, likely located in Pyongyang and already facing limited options to leave the country, will affect their operational capacity is unclear, but the impact is likely to be minimal.
Indeed, through these sanctions, the U.S. seems to be playing a game of whack-a-mole that it is bound to lose. A 2019 United Nations report found that North Korean cyber operations use complicit foreign nationals and front companies to obfuscate money laundering activities, and targeting these entities may prove one of few ways left to further hurt the regime. The U.S. Department of Treasury recognizes as much, stating that persons engaging in “certain transactions with the entities designated today may themselves be exposed to designation.” Additionally, foreign financial institutions that knowingly facilitate transactions or provide financial services for any of these entities “could be subject to U.S. correspondent account or payable-through sanctions.” Indeed, U.S. authorities have previously attempted to seize funds from “cooperating companies” in Singapore, Hong Kong, and China. Yet, the pace at which North Korea may replace those complicit foreign nationals and cooperating companies, if caught, and set up new front companies will likely continue to outpace U.S. law enforcement initiatives. Here, too, sanctions will do little to change North Korean behavior.
Second, on a diplomatic level, and beyond the North Korean case, the lack of agreement on norms of state behavior in the cyber domain limits the potential for the international community to constrain states’ malicious cyber operations. The United Nations Group of Governmental Experts has long sought to create the necessary consensus, but disagreements over the basic meanings of “cybersecurity” and “information security” have repeatedly proven too difficult to overcome. Proposals for international agreements, such as a ‘Digital Geneva Convention’, are therefore unlikely to materialize into a regulating force of state behavior. Even if the broader international community accepted a similar proposal, one would be naïve to expect rogue and isolated states such as North Korea to comply with any of its provisions. Sanctions will have no bearing on this larger reality, either.
If economic sanctions and international diplomatic avenues fall short, perhaps a military contribution can provide a short-term solution. The general challenge to military cyber operations is the difficulty of uncovering an adversary’s cyber capabilities and the improbability of preventing their successful use. The 2018 DoD Cyber Strategy announced a policy of defending forward, that is, engaging the adversary in its own networks, which may enable visibility into North Korean cyber capabilities. Under this strategy the United States could covertly track the planning and development of North Korea’s financially motivated cyber operations; disrupting the execution of a campaign, however, would require the use of U.S. cyber capabilities. Disrupting or denying adversaries’ networks may sacrifice the access that made the observation possible, and it risks inadvertent escalation and the exposure of U.S. capabilities or ‘bridges’ into those networks. North Korean cyber groups would certainly attempt to kick intruders out of their networks. Is deterring cybercrime operations worth flaring tensions?
U.S. Cyber Command (CYBERCOM) could alternately focus on bolstering the nation’s defenses rather than on deterrence. By sharing malware samples discovered on its networks or through forward defense with the broader cyber security industry, CYBERCOM can help boost the defensive postures of the financial sector. Yet, even if network defenders in the United States have prior access to, or knowledge of, North Korean cyber capabilities and operations, a larger information-sharing initiative within the global financial system would still be needed to thwart North Korea’s cyber criminality. Such an initiative would need to operate across alliances and would require the participation of a large majority of the international community to be even remotely effective.
While these approaches may initially appear contradictory, the former constituting offensive operations and the latter prescribing a defensive focus, they are not mutually exclusive. To reconcile the need to safeguard intelligence-gathering sources and methods with the need to protect the financial sector, CYBERCOM may opt for either approach depending on the urgency of the circumstances. Passive monitoring of an adversary’s network may yield occasional new samples that can be shared with relevant parties and the security community, building a public-private trust relationship in the process. If CYBERCOM were to uncover operational planning for an imminent large-scale financial heist, however, it may choose instead to sacrifice some of its own access and capabilities to disrupt the campaign. This option would buy time for the financial sector, or any other relevant potential target, to harden its networks against the new cyberweapons, which CYBERCOM would, in an ideal case, then also expose. The 2018 National Defense Authorization Act provides CYBERCOM with exactly this type of operational discretion.
The North Korean regime does not care about additional economic sanctions, and its cyber operations will surely continue unabated. The United States should leverage the full weight of its economic, diplomatic, and military options, if it is serious about deterring this threat. What precise approach will curtail North Korea’s operational successes remains unclear, but repurposing yesterday’s policies to meet today’s challenges surely will not do.
Emiel Haeghebaert is a Belgian American Educational Foundation Fellow and a Master’s Candidate in the Security Studies Program at Georgetown University’s Walsh School of Foreign Service. He currently holds a threat intelligence analyst position in FireEye’s Cyber Espionage Analysis team, where he conducts research on nation-state threats. The views expressed in this article are those of the author and do not necessarily reflect those of the U.S. Army War College, the U.S. Army, or the Department of Defense.
Photo Credit: Courtesy of pexels.com/Negative Space