The Peninsula

The Implications of the United States' First Response to the Sony Cyber Hack

By Troy Stangarone

In its first public response to North Korea’s suspected cyber attack on Sony, the Obama Administration announced new financial sanctions on three North Korean entities and ten individuals related to North Korea’s defense industry. While the sanctions may have some short-to-medium term impact on North Korea financially, they are only likely a first step in a U.S. response designed to deter North Korea from engaging in similar action in the future.

In utilizing financial sanctions, the Obama Administration chose to respond to the Sony hack by targeting North Korea’s defense industry and arms trade and seems to have judged that an acceptable proportional response is to respond to the financial harm inflicted on Sony rather than responding with a cyber attack. Given North Korea’s limited cyber infrastructure and minimal use of the internet for commerce, financial sanctions are a more appropriate response than to primarily rely on a cyber response.

In this case the three entities placed under sanction, the Reconnaissance General Bureau (RGB), the Korea Mining Development Company (KOMID), and the Korea Tangun Trading Corporation (KTTC), are all involved in North Korea’s defense industry and its arms trade, while the RGB is also involved in North Korean cyber operations, giving the sanctions a small veneer of being related to cyber activities. In going after North Korea’s defense industry, the Administration is targeting one of North Korea’s key revenue streams and taking steps to inhibit North Korea’s arms proliferation. Additionally, by sanctioning North Korean government officials working as KOMID representatives in Iran, Syria, Russia, Sudan, and Namibia, along with a representative of the KTTC in China, the Administration is targeting individuals in key trading partners for North Korea’s arms network.

While the sanctions might have a short-to-medium term effect, in the long-run they will likely be more symbolic. KOMID and the KTTC were already subject to previous sanctions, and the Reconnaissance General Bureau’s arms trafficking activities were subject to interdiction under the Proliferation Security initiative, limiting the impact of the new sanctions. Additionally, much as North Korea changed its pattern after the U.S. sanctioned Banco Delta Asia (BDA) in 2007, North Korea will likely set up new trading companies and shell companies to get around the current set of sanctions in the long-run. Having a longer-term effect on North Korea would require the Administration to utilize additional sanctions in the future as suspected new shell companies or names for existing companies became known.

However, there are potential drawbacks to the U.S. use of financial sanctions to respond to the Sony hack that might preclude some future measures. By utilizing sanctions for a cyber attack, the United States risks potentially exposing some of its intelligence sources. North Korea has now been tipped to some of the United States’ knowledge of its networks and will likely work to identify what methods the United States utilized in order to counter them. Clearly the Administration judged that was a risk worth taking to deter North Korea from future cyber attacks, though a longer term strategy as noted previously would increase the likelihood of exposing U.S. intelligence sources. It is also questionable how much support there would be internationally for a longer term strategy of sanctioning North Korea over something President Obama has referred to as “cyber vandalism.”

Which raises the question about what comes next? In the Obama Administration’s announcement, they also suggested that this was just the United States’ first step in its response. One possibility that has been discussed is returning North Korea to the State Sponsors of Terrorism list. However, it is unclear if an act of cyber vandalism meets the threshold for state sponsored terrorism. However, additional sanctions against North Korean economic interests do seem likely, particularly as the new Republican-controlled Senate may be more sympathetic to legislation passed by the House of Representatives last summer to strengthen sanctions against North Korea.

Another option would be a cyber related response to North Korea. While speculation has suggested that the United States has already taken this route with the recent disruption of the internet in North Korea, this may not be the case. The United States has neither confirmed nor denied its involvement in the attack. This may be plausible for a series of reasons. The attack on North Korea was likely the work of hacktivists and does not fit the profile of a government sponsored response. It was also potentially a higher profile and blunter response than one would have expected. In addition, while shutting down North Korea’s internet might provide a demonstration effect, it is not clear that limiting access to the internet and information globally is in the long-term interest of the United States in encouraging reforms within the regime in North Korea. However, in either case, it is not in the United States interest to confirm or deny that it engaged in the attack.

The challenge the United States faces in developing a proportional response is designing one that deters North Korea from engaging in future cyber attacks on U.S. companies. The United States is also setting precedents in how other states will respond to cyber attacks in the future, likely cautioning its own response.

In the case of North Korea, the United States faces an asymmetric target that is not nearly as dependent upon the internet or technology. This means that any response must be designed to provide a deterrent effect, but one that does so in a realm other than cyber and that utilizes a weakness in North Korea’s own system. Targeting North Korea’s defense industry aims for an area that is important for the regime, but perhaps not as sensitive as the sanctions on BDA were. Developing a viable deterrence strategy in the cyber realm is a new and potentially difficult, but the initial sanctions on North Korea are likely how a cyber deterrence strategy would work in the future.

Troy Stangarone is the Senior Director for Congressional Affairs and Trade at the Korea Economic Institute of America. The views expressed here are the author’s alone.

Photo from Chris Price’s photostream on flickr Creative Commons.