How to Make Sense of Offensive US Cyber Operations Against North Korean Military Intelligence

U.S. offensive cyber operations against North Korean military intelligence are significant.

Credit: U.S. Navy photo by Petty Officer 2nd Class Joshua J. Wahl

The Washington Post broke an important story on Saturday: U.S. Cyber Command has been engaged in offensive cyber operations against North Korea's Reconnaissance General Bureau (RGB), the country's military intelligence and espionage arm. The action was authorized by U.S. President Donald Trump shortly after North Korea's first ballistic missile launches of the year, in February and March, and after the administration concluded its policy review on North Korea. The Post's account outlines the scope of the operation:

The Cyber Command operation, which was due to end Saturday, was part of the overall campaign set in motion many months ago. The effects were temporary and not destructive, officials said. Nonetheless, some North Korean hackers griped that lack of access to the Internet was interfering with their work, according to another U.S. official, who also spoke on the condition of anonymity to discuss a secret operation.

One U.S. government source with knowledge of the operation confirmed to The Diplomat that it began on September 22. That means the operation was initiated amid an increasingly tense war of words between Trump and North Korean Supreme Leader Kim Jong-un, who had released an unusual statement that same day attacking Trump as "mentally deranged," a "dotard" and a "frightened dog" for the threats to destroy the country that Trump had made before the United Nations General Assembly a week earlier.

As the Post's account makes clear, the operation was limited in scope: it disrupted the RGB's network access rather than damaging its systems. It may have been justified as a retaliatory use of U.S. military cyber capabilities. Though not publicly confirmed, North Korea-based actors may have been responsible for the WannaCry ransomware attack earlier this year; attribution of cyber attacks remains difficult, even for U.S. intelligence.

The story has a few other implications. First, the operation might fall under what U.S. Defense Secretary Jim Mattis cryptically alluded to as U.S. military options that do not put Seoul at risk. Mattis did not go into details and did not clarify whether those options would involve the use of kinetic U.S. capabilities. Offensive cyber attacks against foreign actors' networks carried out by Cyber Command would count as a military option. That the United States decided to proceed with the operation also suggests that Washington assesses North Korea would not escalate conventionally in response to limited offensive cyber operations.

Second, it is notable that this attack appears to have had only a limited effect on the RGB's networks and capabilities. It is not the equivalent of a disarming offensive first strike in the cyber realm. Rather, Cyber Command chose to deliberately use a relatively unsophisticated tool, a denial-of-service attack, to fire the cyber equivalent of a shot across North Korea's bow, presumably signaling that it has the access to North Korean networks needed to deliver considerably more significant damage in wartime. One caveat is worth keeping in mind: denying a target its Internet connectivity does not by itself require a foothold inside the target's own systems, so the deeper access being signaled is inferred from the choice to act, not demonstrated by the attack's effects.

It is also not surprising that Cyber Command would withhold more sophisticated methods outside of a crisis, since using them would risk revealing them to North Korea and allowing the RGB to patch the vulnerabilities they depend on. For now, the benefits of this operation will outweigh the costs for the United States. North Korea's RGB has likely suspected a U.S. cyber capability against its networks for some time.

Even though that suspicion is now confirmed by the Post's story, the cost to North Korea of rearchitecting its networks will likely be prohibitive. The RGB's own operators can continue to execute attacks against a range of targets, but they will now be doing so with full knowledge that U.S. Cyber Command could retaliate at will.

Finally, it is worth underlining that the offensive cyber operations discussed in the Post's article are not the same thing as the so-called left-of-launch operations that the New York Times suggested earlier this year were causing problems for North Korea's ballistic missiles. Those capabilities remain largely impotent and overstated, as North Korea's successes with its Hwasong-12 and Hwasong-14 ballistic missiles this year make clear.

Make no mistake, though: the public confirmation of offensive U.S. cyber operations against North Korean state actors is deeply significant. For now, it at least confirms that the Trump administration, despite the president's rhetorical threats to "totally destroy" the country, is restricting itself to non-kinetic offensive options that are unlikely to elicit conventional retaliation.

The risk, however, is that these operations cannot be viewed in isolation. They must be understood in the context of the ongoing war of words between Trump and Kim, the increasingly adventurous B-1B strategic bomber flights near North Korea's Military Boundary Zone, and the confusing messaging coming from the Trump administration's top officials.

To North Korea, these offensive cyber operations could indicate that the Trump administration is more risk-acceptant than previously assumed. While it has chosen to exercise only non-kinetic options so far, Pyongyang will factor that risk acceptance into every future B-1B flight, wondering whether the United States will finally make good on Trump's threats.