South Korea’s Capacity Building against North Korean Cyberthreats

What is South Korea’s cybersecurity policy toward North Korea, and how effective has its response to North Korean cyberattacks been?

For over twenty years, South Korea has been subject to various forms of cyberattack originating from North Korea. One of the prominent features of South Korea’s approach has been its emphasis on strengthening capabilities in prevention and detection, with the goal of minimizing external cyberthreats. Nevertheless, in cases where incidents occur and result in damage, measures have been established to respond promptly and minimize the impact. Although extensive efforts have been dedicated to minimizing the likelihood of breaches, achieving a state of “no incident at all” is not entirely feasible.

Initially, the formulation of major policies was predominantly influenced by technical expertise rather than individuals with a background in social science. However, this approach underwent a shift following the Seoul Cyberspace Conference in 2013.

I believe that the responses from South Korea have been successful, even though we are now facing new kinds of challenges in a distributed financial environment. With North Korea expanding the targets and scope of its cyberattacks worldwide, South Korea has assumed a greater responsibility in sharing information and knowledge capabilities with a global audience.

The Yoon administration announced plans to enact the National Cyber Security Act and initiated the Cyber Cooperation Working Group with the United States on North Korean cyberthreats. In what ways do such steps enhance South Korea’s cyber capabilities, and what changes can we expect to see?

Since 2006, South Korea has made continuous efforts toward enacting legislation; however, a cybersecurity law has not yet been established. In the National Security Strategy, President Yoon Suk-yeol has clearly indicated his intention to enact cybersecurity legislation, and it is imperative to observe the outcomes stemming from this declaration.

Following the 2022 summit between South Korea and the United States, the Cybersecurity Working Group was promptly established. To my knowledge, the working group has convened for more than four meetings, including closed sessions, engaging in highly active collaborations. This is a pioneering initiative for responding to cyberthreats posed by North Korea. Discussions have encompassed various facets of cybersecurity, such as devising responses to North Korean cryptocurrency theft, understanding its operational mechanisms, and formulating reactive strategies.

Additionally, deliberations have extended to the conduct of North Korean IT professionals working abroad who diligently send remittances to North Korea. These funds contribute to upholding political stability within North Korea and supporting the country’s missile programs. In response, joint efforts between South Korea and the United States have yielded advisory papers, exemplifying their proactive stance. Moreover, as North Korean tactics evolve toward more sophisticated malevolent activities, collaborative approaches have been embraced. Joint statements, advisory releases, and targeted sanctions against individuals or entities have been key outcomes of cooperation between South Korea and the United States.

One significant result of such cooperation is that North Korea has encountered difficulties in converting stolen virtual assets into cash. Recently, there has been a shift in the destination of cashing out these assets to countries like Vietnam, China, and Russia. This is believed to stem from the collaborative efforts of allied nations, including South Korea and the United States, to hinder the conversion of pilfered funds into cash. Yet, as North Korea grows closer to Russia, its ability to utilize Chinese or Russian service providers to continue cashing out the pilfered funds is considered an area requiring future attention.

What would a “proactive response” against North Korean cyberattacks look like, and how should the South Korean government more actively respond to North Korean cyberthreats?

The 2019 National Cybersecurity Strategy is presently undergoing review for potential revisions. The forthcoming National Cybersecurity Strategy is expected to adopt a more proactive approach than previous strategies.

Recent collaborative efforts between the United States and South Korea have led to the imposition of sanctions, indictments, and the joint publication of crucial information—an approach not previously common in South Korea. For instance, during the 2018 PyeongChang Winter Olympic Games, a cyberattack occurred during the opening ceremony. Despite possessing substantial evidence, the South Korean government refrained from publicly naming and shaming the attacker. This caution stemmed from the necessity of establishing procedural methods to respond in a more proactive manner. Following this event, the South Korean government initiated the development of a new deterrence strategy at the National Security Council level, although this strategy has not been made public yet.

There is speculation that securing active capabilities to counter intensifying influence operations, such as the proliferation of fake news, will also become a major focus of the revised strategy.

Cryptocurrency theft has been a big part of North Korean cybercrime. What current mechanisms exist to stop North Korea from stealing cryptocurrency, and what further efforts need to be made?

Despite the notable success in deterring malicious activities, particularly concerning cryptocurrency theft, certain vulnerabilities persist. North Korea is transitioning its service providers away from Western or South Korean entities to those based in Vietnam, China, or Russia. Consequently, achieving complete cooperation to prevent the conversion of North Korean cryptocurrencies into cash has become challenging. There is a pressing need for enhanced collaboration on this issue—specifically, to increase cooperation with service providers and formulate responsive strategies.

Furthermore, as a researcher, I am deeply intrigued by the question of the effectiveness of sanctions or joint actions in deterring or impeding malicious activities. This issue is currently underexplored due to the limited time that has passed since the implementation of these measures. While further time is necessary for a comprehensive assessment, it will be imperative to evaluate the effectiveness of sanctions in the context of a malicious cyber environment.

As the domain of cyberspace becomes increasingly critical to national security, what challenges lie ahead that are different from traditional security issues regarding land, sea, and air?

When I started my career twenty years ago, cybersecurity was not considered an integral component of national security. It was not until around 2013 and 2014 that this changed. Presently, it is imperative to recognize that cybersecurity is not merely a facet of national security. Instead, it constitutes the fundamental framework of national security, given our heavy reliance on information and communications technology. This necessitates a paradigm shift by broadening the concept of cybersecurity itself. Unlike the land, sea, or air domain, cybersecurity lacks tangible visibility of outcomes, processes, or operations. Consequently, our approach should encompass not only physical infrastructure but also the domains of state cyberspace and data. Their interplay should be integral to policymaking considerations.

Furthermore, the human element is pivotal. In the context of South Korea, most policymakers possess a technical background. However, integrating social scientific perspectives into processes for formulating cybersecurity policy remains a priority. Every agency is striving to augment both manpower and authority dedicated to cybersecurity, and ongoing efforts are being made in this direction.

So Jeong Kim is Director of Emerging Security Studies and a Senior Research Fellow at the Institute for National Security Strategy. She is also an adjunct fellow (nonresident) with the Center for Strategic and International Studies and an adviser to the Korea-U.S. Cyber Security Working Group.

This interview was conducted by Dain Choi while a Korea Foundation Research Fellow in the Political and Security Affairs group at NBR.