Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council. You can follow his tweets @Jason_Healey.
The recent cyberattacks on South Korea highlight four truths of cyberconflicts as they have actually been fought. The implications of three of them are obvious, the fourth not yet so. Such conflicts are disruptive, but far from warfare. And cyberconflicts are both easier to predict than popular myth has it and the nation responsible is often perfectly obvious. However, to stop such asymmetric attacks, sometimes you have to use a traditional approach.
In March 2013, computers in South Korean financial, media and energy sectors suffered a sophisticated attack which took ATMs and websites offline. The attacks initially appeared to be a typical denial of service attack, in which the networks were simply swamped with traffic, making them unreachable.
Even very large DDoS attacks are easy to launch, as the requisite capability can simply be rented by the hour from criminal groups; no "cyberwarriors" are necessary. However, it soon became clear the attacks had a more interesting and dangerous component, as computers had their hard drives wiped, destroying all the data.
Even so, the disruption was ultimately neither lethal nor long-lasting, as systems were back up in days, even hours. In fact, this is the rule for cyberconflicts, not the exception.
A study by the Atlantic Council and Cyber Conflict Studies Association on the history of cyberconflict, has not found a single instance where anyone has ever died from a cyberattack. Cyberconflicts can be relatively easy to launch, but have been quite easy to bounce back from. All that is affected are bytes and silicon, both of which are quickly replaced. As such, cyberconflicts may be worse than nuisances but they are almost never "terrorism," much less "war."
The second truth contradicts the idea that cyberattacks come from out of the blue. The attacks on South Korea are just the latest in a series dating back to 2009, a trend which made them not just entirely predictable, but actually predicted.
In the history of cyberconflict there is a strong link between geo-political crises in the "real" world and subsequent cyberattacks. For example, whenever there is dustup between fishing boats of China and another claimant for disputed islands, expect there to be patriotic hacking from China. Accordingly, as soon as the North Koreans renounced the armistice with the South in mid-March, I and others raised the alarm that cyberattacks were likely.
The attacks were predictable because of North Korean tantrums, and the international community must hold that nation primarily responsible for them, unless there is exculpatory evidence. This link cannot be proven, but the truth is that cyberconflict need be no different than other national security mysteries.
When the Cheonan, a South Korean naval corvette, was sunk in 2010, with the loss of 26 sailors, it could also not be proven that the North was responsible, but the authorship of the explosion was clear enough. The attack, like the subsequent shelling of a South Korean island that killed two marines and two civilians, is helping to feed a new Chinese determination to chide and hopefully restrain its unruly client.
This hints at the fourth truth. When it comes to preventing the regime of Kim Jong Un from lashing out with cyberattacks, the path must begin not in Pyongyang but Beijing.
This is not the initial response of many in the cyber community, whose first instinct is to look for technical responses. These might help defend against future disruptions, but will not help with the underlying North Korean behavior.
The international community will also find few new "cyber" levers of power to de-escalate this crisis. North Korea is simply too isolated, with only the most tenuous connection to cyberspace. Fortunately, there is no need to look for new cybersolutions as cyberconflicts cannot be solved if isolated from their underlying national security dynamics.
The international community does not have a North Korea cyber problem, it simply has a North Korea problem. The cyberattacks are simply one facet of this larger dilemma. The Chinese leadership is already increasingly and publicly frustrated with Kim’s truculence and each new tantrum takes away Chinese face, further embarrassing its leadership. South Korean and American diplomats must add each new disruption to the list of outrages for which Beijing needs to answer and not treat each as a separate issue.
Still, China and others may try to divert attention by claiming there is insufficient evidence of North Korea authorship. The United States and South Korea should not treat cyber as anything different and respond the same way they did after the sinking of the Cheonan. Then, a group of international experts examined the evidence and published a well-documented smoking-gun report which "let North Korea and the international community know that even the most covert attack leaves evidence."
A commission, perhaps empanelled by the United Nations or the governments involved, should similarly review the forensic evidence and national security context to develop conclusions about which group or nation was responsible. As with the Cheonan report, there will still be detractors, but a full and public reckoning will bring needed clarity and help set the baseline for new international norms.
North Korean cyberattacks have not caused casualties or serious disruption yet. But North Korea has learned to press its military confrontations; cyberattacks will get worse and could someday cross those thresholds. The international community must treat these cyber attacks like they would any other North Korean use of force and press the Chinese leadership to rein in their unruly neighbor.