
The 5×5

August 15, 2022

The 5×5—The US-Japan-South Korea trilateral cybersecurity relationship

By Simon Handler

This article is part of The 5×5, a monthly series by the Cyber Statecraft Initiative, in which five featured experts answer five questions on a common theme, trend, or current event in the world of cyber. Interested in the 5×5 and want to see a particular topic, event, or question covered? Contact Simon Handler with the Cyber Statecraft Initiative at [email protected].

On July 27, Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger wrapped up a three-day visit to South Korea aimed at bolstering the United States’ cyber cooperation with the country and its new government in Seoul under President Yoon Suk-yeol. The United States and South Korea have shared interests in cyberspace, ranging from international norm setting to defending critical infrastructure from state-sponsored attacks and countering cybercrime. The visit represents the latest effort by the United States and South Korea to increase connectivity on cybersecurity issues, after South Korea’s National Intelligence Service joined the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), the Alliance’s cyber defense unit, as a contributing participant in May 2022.

Japan, which joined NATO CCDCOE back in 2018, is another vital pillar in the United States’ Indo-Pacific strategy. The country, however, shares a bitter history with South Korea that affects bilateral cooperation between the two US allies to this day. Given the common cyber threats facing all three countries, which emanate from China, Russia, North Korea, as well as from non-state actors, increased cooperation would bolster cybersecurity across the trilateral relationship.

We brought together five experts with insights on cybersecurity and the US-Japan-South Korea relationship to share their perspectives on the future of trilateral cyber cooperation.

#1 What are the most pressing cyber threats facing the United States, Japan, and South Korea that warrant a joint approach?

Jason Bartlett, research associate, Energy, Economics, and Security Program, Center for a New American Security

“The United States, Japan, and South Korea are three economically and technologically advanced countries that routinely experience state-sponsored cyber threats from countries like China, Russia, and North Korea. Pyongyang, in particular, has leveraged its offensive cyber capabilities to target the global financial market with a notable shift from traditional financial institutions, such as banks, to non-traditional entities like cryptocurrency exchanges and decentralized finance (DeFi) platforms in recent years. This calls for greater integration of cybercrime-related information sharing and capacity building within partnership frameworks among Washington, Tokyo, and Seoul.” 

Jenny Jun, fellow, Cyber Statecraft Initiative, Digital Forensic Research Lab (DFRLab), Atlantic Council; PhD candidate, Department of Political Science, Columbia University

“North Korean cybercrime, especially cryptocurrency theft and extortion, merits a joint approach. But the United States, Japan, and South Korea also need cooperation from other countries in Southeast Asia to curb the illicit networks that facilitate the cashing-out process. The three countries can also potentially talk about supply chain security. Military-to-military cyber cooperation is also important, especially considering the possibility of a future crisis in the region.” 

June Lee, consultant, Booz Allen Hamilton

The responses to these questions were prepared by the contributor in her personal capacity. The views and opinions expressed are those of the contributor and do not necessarily reflect the official policy, opinion, or position of her employer. 

“The three countries share an interest in combatting cyber threats from North Korea, including cybercrime, cryptocurrency theft, and cyber-enabled money laundering. North Korea’s illicit cyber activity not only targets systems in the United States, Japan, and South Korea, but revenue earned through cybercriminal schemes funds the regime’s continued development of weapons of mass destruction (the regime allegedly stole $400 million worth of cryptocurrency in 2021). The recent surge in North Korean missile tests reinforces the risks to regional security and the need for a joint approach to cut off its illicit sources of revenue.” 

Adam Segal, Ira A. Lipman Chair, director, Digital and Cyberspace Policy Program, Council on Foreign Relations

“The three countries share the threat of state-backed hackers from North Korea and China, as well as ransomware groups and other non-state actors. Chinese cyberespionage groups target US, Japanese, and South Korean public and private sector networks, and North Korean hackers help the Kim Jong-un regime avoid sanctions and fund weapons programs by conducting financially motivated attacks on banks, online games, cryptocurrency exchanges, and other financial platforms. The US, Japanese, and South Korean militaries also want to prepare for more disruptive and destructive attacks in case there is a conflict on the Korean Peninsula, in the East China Sea, or across the Taiwan Strait.” 

Benjamin Young, assistant professor, Homeland Security & Emergency Preparedness Program, Virginia Commonwealth University

“North Korea’s cyber capabilities should not be underestimated. The rise of North Korea’s hacker army and its technical assistance from the Chinese government is a joint issue for the US, Japanese, and South Korean governments.”

#2 What are the considerations for US Cyber Command in evaluating a “Hunt Forward” approach to Indo-Pacific cyber defense?

Bartlett: “Incorporating “Hunt Forward” operations within US cyber strategy with allies in the Indo-Pacific will most likely agitate already sensitive ties between Southeast Asia and China, but the United States needs to increase its cyber presence in the region due to its constant exposure to illicit cyber activity. Numerous state-sponsored hackers, especially from North Korea, have operated from within Southeast Asia and other regions in the Indo-Pacific for years with little punitive backlash from local and national governments. In particular, securing cyber partnerships with Singapore and Malaysia would be crucial to ensuring a successful and long-lasting US cyber presence in the region.” 

Jun: “US Cyber Command “Hunt Forward” missions are likely to be against state-sponsored cyber threats from China, and to a lesser extent North Korea, in geopolitical hotspots in the Indo-Pacific region. While such missions have had successes in the past, it is still important not to overgeneralize from such cases to expand the scope and scale of the missions without regard for its implications. States have yet to come to an unambiguous, mutual understanding as to how certain actions in cyberspace are supposed to be interpreted, and such sources of misunderstandings may be especially dangerous during a crisis. For example, if rival states maintained access to portions of each other’s critical infrastructure to dissuade each from creating destructive effects on it, and one side chose to unilaterally kick out adversary access without explanation, especially during a crisis, the interpretation of that action from the adversary’s perspective is far from unambiguous, even if the other swears it was only for defensive purposes.” 

Lee: “US Cyber Command must ensure that any “Hunt Forward” operations in the Indo-Pacific are backed by sustained diplomacy and careful coordination with its counterparts in Seoul and Tokyo. More streamlined information sharing will ensure South Korea and Japan, and other regional partners, are able to rapidly act on any “indications and warnings” of adversary activity in their networks.” 

Segal: “The biggest risks—stepping on or working at cross purposes with a friend’s cyber operations, blowback from public opinion in friendly countries if US Cyber Command operations are revealed, and inadvertent escalation—appear to be taken into consideration. Host countries invite US Cyber Command to conduct “Hunt Forward” missions on their networks, helping address the first two concerns, and what little is known about the actual operations suggests they are non-escalatory, fairly restrained, and often focused on revealing adversaries’ exploits.”

Young: “Well, Hunt Forward is something that has been done with Lithuania and this cyber partnership approach could also yield benefits for Indo-Pacific cyber defense as well. The problem is that Japan-South Korea relations are historically fraught with tension and mistrust.”

#3 Where does US involvement make cybersecurity more difficult for Japan and South Korea?

Bartlett: “Compared to Seoul and Tokyo, Washington tends to adopt a more publicly hawkish approach towards illicit behavior from Beijing, including cybercrime. However, both Japan and South Korea are prime targets of Chinese hackers that are looking to steal technology and industry-related information. Due to fear of economic retaliation from China, currently the largest trading partner of both Japan and South Korea, the two countries will likely prefer to adopt a more “closed door” approach towards responding to Chinese cyber intrusions.” 

Jun: “China. China has used economic coercion on several occasions to impose costs on South Korea and Japan for pursuing policies it deems unfavorable, such as the placement of THAAD missile defense systems and AN/TPY-2 radars. A formal and public deepening and broadening of cybersecurity cooperation among the three countries, for example increased joint cyber defense exercises and joint attribution of Chinese state-sponsored threats, may invite Chinese responses to impose costs on South Korea and Japan. China has already expressed discomfort in South Korea joining NATO CCDCOE this year. While this should not be necessarily a hindrance to trilateral cooperation, policymakers should be mindful of the uneven distribution of risks associated with such cooperation during negotiations.”

Lee: “US involvement could complicate Japanese or South Korean efforts to strengthen cybersecurity when cooperation is framed as part of the United States’ competition with China or regional coalition building. Such framing needlessly politicizes cooperation and could cause Seoul or Tokyo to be more hesitant to sign on to potentially beneficial cooperative measures.”

Segal: “Washington’s tendency to frame most digital issues as a competition between democratic and authoritarian systems is likely to alienate many of Tokyo’s and Seoul’s regional partners. Southeast Asian countries, for example, are more focused on workforce development and capacity building than choosing any side in the conflict between the United States and China.”

Young: “If anything, US involvement makes it easier for the two to get along and share cyber knowhow on how to confront Russian, Chinese, and North Korean cyber threats. Even in cyber operations, the legacy of colonialism makes the South Korean-Japanese relationship tense.”


#4 How can the United States facilitate constructive interactions between Japan and South Korea in cybersecurity?

Bartlett: “Both South Korea and Japan are common targets for North Korean, Chinese, and Russian-backed hacking groups, and the United States can help play a mediator role by strengthening joint cybersecurity operations and information sharing within the existing US-South Korea-Japan defense partnership.” 

Jun: “This is a question that involves bigger discussions in the overall diplomatic relationship between Japan and South Korea, including discussions to “normalize” General Security of Military Information Agreement (GSOMIA), a military intelligence sharing agreement between the two countries. The current Yoon administration favors deepening bilateral cooperation on defense and security issues. This may also mean that the United States, Japan, and South Korea may have a window of opportunity to pursue increased cyber threat intelligence sharing. Aside from information sharing, it may be practical to start small by pursuing cooperation in specific issue areas where the problem is well defined and constrained, such as better law enforcement cooperation on cryptocurrency-based cybercrime.” 

Lee: “The United States can facilitate cooperation by extending areas of shared interest and trilateral cooperation to the cyber realm. For instance, senior officials frequently reference the countries’ shared interest in upholding international law in the region, bolstering engagement with the Association of Southeast Asian Nations (ASEAN), and collaborating on workforce development. In future trilateral engagements, the three governments can accordingly reaffirm the application of international law to state activity in cyberspace, collaborate in cyber capacity building efforts with ASEAN states, and discuss strategies for growing their cyber workforces. Washington could also consider expanding bilateral (US-South Korea, US-Japan) efforts to combat cybercrime or conduct military to military cybersecurity cooperation to the trilateral context. Finally, regional groups such as the Quad-plus (including South Korea) could lead efforts to strengthen regional cybersecurity, creating a forum for Japanese and South Korean officials to engage constructively.” 

Segal: “The United States should do what it can to help the two sides to address the sensitive political and historical issues that have interrupted intelligence sharing, but in the short term, Washington can facilitate people-to-people exchanges among cybersecurity experts and private cybersecurity firms in the three countries.” 

Young: “I think the United States can do so by expressing a confirmation that it will be a reliable partner in the Indo-Pacific for the foreseeable future and by stressing that cyberattacks from foreign adversaries impact their markets and democratic systems. Shared supply chains and the close economic ties between the three countries highlight why sharing cybersecurity insights is necessary in the digital age.”

#5 What are some of the different opportunities and challenges in US-Japan-South Korea cooperation vis-à-vis threats from states versus those from non-state actors?

Bartlett: “State-sponsored cyber threats pose a more complicated set of challenges because they do not lack government funding and support. Non-state actors often rely on fundraising efforts and other piecemeal activities to generate revenue, whereas state-sponsored actors such as North Korean hackers receive training, funding, and legal protection directly from their government. This also impacts the ability of targeted countries to successfully seek justice against these criminals because foreign governments will not likely punish or extradite state-backed hackers.” 

Jun: “It is often said that the United States-South Korea alliance is the “linchpin” of peace, security, and prosperity in the region. There is potentially an opportunity for the alliance to assume a similar strategic vision for cybersecurity in the region. There are challenges—much depends on the leadership of the three countries and the appropriate alignment of interests, and the three countries must navigate a potentially hostile response from China. At the same time, it could be an opportunity to further mature concepts such as “Hunt Forward” missions, engage in more active cyber diplomacy and norm development, and broaden cybersecurity cooperation to more countries in the Indo-Pacific region.”

Lee: “The distinction of cyber threats from state versus non-state actors is an interesting one in the Asia Pacific, particularly as North Korean state-sponsored hackers engage in cybercriminal activities that would typically be associated with non-state criminals. The three countries’ shared concern about the North Korean cyber threat and existing information sharing networks create momentum and channels for expanded cooperation. Yet differences in the three countries’ legal frameworks for cybercrime, as well as secrecy within South Korea’s National Intelligence Service (NIS) on any matters relating to North Korea, complicate fluid coordination to address the threat from North Korean hackers.” 

Segal: “There is some degree of overlap, especially when it comes to North Korean ransomware actors, but with state-backed operations, the United States, Japan, and South Korea can work on developing a shared process on attribution and sanctions as well as norms development in regional fora. The cooperation on non-state actors will be more tactical and operational, focused on botnet takedowns and the tracking and recovery of ransom paid in cryptocurrency.” 

Young: “The biggest challenge is that Japan-South Korea relations are ridden with nationalistic tensions and the two governments tend to not trust each other. For example, if a North Korean cyberattack takes down the electrical grid of a Japanese city, how will Japan respond? Given the historical tensions, would South Korea share cyber knowhow with Japan on how to respond effectively to a North Korean cyberattack?” 

Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Digital Forensic Research Lab (DFRLab). He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.


Image: Asia at night from space with city lights showing human activity in China, Japan, South Korea, Hong Kong, Taiwan and other countries, 3d rendering of planet Earth, elements from NASA. Credit: iStock/NicoElNino