Today, even as it attempts to develop long-range weapons that could reach American targets, North Korea is no match for the United States militarily. It is truly a David vs. Goliath scenario, as North Korea lacks the modern-day equivalent of a sling that can inflict comparable conventional physical damage on its enemies – but Pyongyang has developed a digital version of David’s sling via cyber warfare.
It is believed this weapon has been used already.
North Korea is suspected of the 2013 cyber attack that targeted South Korean computer systems at two broadcast media companies and three banks. A year later, North Korea was the likely state actor behind an attack on Sony Pictures Entertainment, where gigabytes of internal data and communications were leaked online.
These attacks are just recent examples of how a small nation-state, without taking lives or destroying physical property, can deliver serious digital harm to more powerful adversaries.
“This is what scares the hell out of everyone,” warned Dr. Sasha Romanosky, policy researcher at the RAND Corporation. “With cyber, you can draw a comparison to nuclear in how far this can escalate.”
One difference, however, is that launching a nuclear weapons program requires a lot of investment, whereas cyber has a low barrier to entry.
“We see today that even a kid can find and exploit and cause some type of devastation,” added Romanosky. “That is what has people freaking out.”
The situation on this battlefield is likely to only get worse.
“The cost of entry is lower and lower each year,” explained Ron Schlecht, founder and managing partner at BTB Security. “Over the next 10 years, we could see actors that have very little actual computer knowledge and they’ll be able to launch fairly sophisticated attacks. The problem is that there are pieces of malware on the dark web that can be bought and sold and used in such attacks.”
No Clear Rules of Engagement
One of the great dangers is that the rules of engagement in conventional conflicts are somewhat clear, but these lines blur in the digital environment.
“A rogue state could launch an attack that cripples critical infrastructure far worse than a bomb,” said Romanosky. “This can take down water treatment, sewage, electrical systems and financial networks. Very bad things can happen in such an attack.”
While retaliatory actions are generally clear after a bomb is dropped, answering the attack can be far less clear following cyber operations.
“Response should generally be proportional but it doesn’t have to be asymmetric. Cyber could even be used as a response to a conventional attack,” added Romanosky.
Since 9/11 there have been efforts to secure physical borders, but Romanosky said critical digital infrastructure isn’t protected nearly so well.
“One of the greatest mistakes we made was that so much was connected to the Internet long before it should have been,” he added.
These systems are very difficult to harden now as we’ve come to rely on this accessibility, which opens the door to potential attacks. The ease of paying bills or sharing data with colleagues opens pathways that hackers can exploit. Apart from so-called air-gapped systems that aren’t connected to the Internet in any way, experts warn that all systems are at risk.
Small State Players
Cyber doesn’t have to be employed just as an offensive tool by rogue states but could serve as a deterrent. It could potentially ensure that today’s small nation-states aren’t so easily subjugated by their respective larger neighbors. In 1940 the Baltic states of Estonia, Latvia and Lithuania were annexed by the Soviet Union after having previously been part of Imperial Russia. Now these tiny nations have sought ways of ensuring that it won’t happen again.
This has included increased military expenditures but, more importantly, these states have the potential to create a “digital Hanseatic League,” a type of ad hoc alliance suggested in 2015 by Parag Khanna, a senior research fellow at the Centre on Asia and Globalisation at the Lee Kuan Yew School of Public Policy in Singapore.
“The digital Hanseatic League has become a robust marketplace of innovative knowledge sharing. There are countless examples already of how leading city-states directly adopt lessons and practices from each other’s recent experience,” Khanna wrote in a CNN op-ed.
Another example of David vs. potential Goliaths would, fittingly, be the biblical David’s homeland. Israel continues to dominate in cyber security, just as it developed its own arms industry. It has been surrounded by potential enemies since 1948 and saw early the dangers that cyber could present as well.
Israel is far from the only state to see how cyber can be used as a deterrent or a force multiplier. Yet, nation-states also don’t need to have dedicated cyber warfare teams, such as those known to exist in China or Iran, but could instead farm out the work.
“Just like any other business, there are those who will work for someone else, and there will be actors who will meet the demand,” explained Schlecht.
Building a Better Defense
The final consideration is what must be done to harden the defenses against such an attack. While governments have generally been the ones to protect their people, in this case the private sector is there to provide support. This, too, is where the U.S. and other western nations could take a cue from Israel, as many of its cyber companies have been born out of its military.
“We need to look at where the government has failed and find ways to solve the problem through other means,” suggested Schlecht. “We can’t wait for the government to be the white knight. We need to have the private and public sectors work together to make sure we are doing the right thing. Unfortunately, right now, the talent isn’t patriotic enough to take the salary cut to be the ones to serve the country.”