9 December 2018

North Korea, US 'Left of Launch' Cyber Capabilities, and Deterrence

By Ankit Panda

U.S. “left of launch” cyber capabilities may have unexpected and undesirable consequences on crisis stability.

North Korea today is a de facto nuclear state. The diplomatic process that has been running throughout 2018 between North Korea and the United States has, with the exception of a few cosmetic steps, revealed a pathway to Pyongyang’s disarmament.

If North Korea’s disarmament remains a possibility, it is not a realistic one in the short-term. What is, however, real in the short-term is the nature of the threat posed by Pyongyang’s nuclear arsenal to the United States and its Northeast Asian allies.

Fortunately, the basic logic of deterrence that has prevailed with North Korea since the 1953 armistice to end the Cold War remains largely in place. Pyongyang understands that nuclear employment in a conflict would be costly and possibly trigger the very regime change its nuclear weapons were designed to prevent.


Today, having demonstrated the foundations of a real intercontinental-range ballistic missile (ICBM) capability, North Korea operationalizes an escalatory nuclear strategy: one that relies on first-use in Northeast Asia against U.S. and allied military targets to deter and preempt a probable invasion of its territory.

Aware of its conventional inferiority against the United States and its allies, North Korea would use its short-, medium-, and intermediate-range weapons to repel such an invasion, while holding its ICBM force in reserve to deter the United States from pushing forward with an invasion anyways. Until 2017, North Korea had no way to credibly flesh out the latter part of this strategy; its successful initial flight-testing of the Hwasong-14 and Hwasong-15 ICBMs helped render that strategy capable.

The United States, with its homeland now held at risk with some nonzero probability by North Korean nuclear weapons, has been focused on mitigation and damage limitation strategies. Of course, U.S. investment into these capabilities has pre-dated North Korea’s acquisition of an ICBM capabilities.

In 2002, the United States withdrew from the 1972 Anti-Ballistic Missile Treaty largely around the pretext of developing a national missile defense program to defend against threats from rogue states like North Korea, which U.S. intelligence assessments had long seen as being interested in an ICBM capability.

The mitigation toolkit has broadened for the United States in recent years. As I discussed at length in a recent Foreign Affairs article, the U.S. has reportedly turned to cyber-enabled “left of launch” methods to disable and disrupt North Korea’s missiles. These capabilities may include everything from tampering with the production supply chain for the serial production of missiles in North Korea to tampering with and jamming computers or nuclear command and control systems.

While the exact nature of U.S. capabilities are classified and not understood in the public domain, their employment can prove destabilizing in the kinds of choices it might encourage North Korea to take. For instance, given the already aggressive nature of North Korean nuclear strategy, the United States should not give North Korean leader Kim Jong Un any reason to predelegate use authority. (North Korea has repeatedly made clear that only the supreme leader has the authority to issue a valid order to use nuclear weapons.)

One of the major concerns in the United States deploying cyber capabilities in an offensive way is that cyber weapons, in addition to potentially prompting dangerous choices by the North Korean leadership in peacetime, are inherently problematic for deterrence in a way that kinetic weapons are not.

Even as North Korea and the United States may misunderstand each other’s intentions and military doctrines, they have a relatively good idea about each other’s military capabilities. North Korea certainly pays considerable attention to kinds of U.S. military assets deployed on and around the Korean Peninsula, given its repeated complaints about events like U.S. bomber flights and carrier deployments to the Sea of Japan.

With physical capabilities, each side is able to convey to the other the risks associated with escalation, making clear which capabilities could be brought to bear. The core logic of deterrence relies on conveying to an adversary that if they undertake actions that you perceive to be harmful to your interests, you might react by imposing costs on them greater than the benefits they would derive from said action. The credibility of that conveyances rests on the capabilities at your disposal.

In my Foreign Affairs article, I propose that the United States offer some additional clarity — at least on the policy level, if not technical — regarding the kinds of circumstances under which it might use offensive cyber capabilities against North Korea. U.S. officials, however, are loathe to discuss in any specific terms cyber capabilities.

This is largely because cyber weapons — or rather, specific offensive cyber capabilities — are based on exploiting systems gaps. While precision and clarity on capabilities with physical weapons can augment deterrence, the same can undermine it in the cyber realm. Any cyber threat that is specific, instead of becoming credible, is prone to give an adversary an opportunity to “patch” a vulnerability. This is especially true of so-called zero-day exploits, which by their very nature derive their value from being undisclosed to a target until it is used.

The core concern that motivated my Foreign Affairs article stands, however. Given the reasons to believe that North Korea has an itchy trigger finger with its nuclear arsenal and the country’s longstanding sense of insecurity, the deterrent and crisis stability benefits of U.S. “left of launch” capabilities are likely insufficiently high.

This represents a dangerous source of nuclear dangers today as the United States and North Korea both work to understand the nature of their newly transformed deterrent relationship, with both sides held at the risk of the other’s nuclear weapons. If the ongoing diplomacy can yield anything productive short of North Korea’s total and unlikely unilateral disarmament, it would be some means for the two sides to engage in military-to-military contacts to better understand each other’s doctrines and intentions.

Short of that, the United States should carefully consider the undesirable and unintended consequences of deploying offensive cyber weapons, lest it become too late in a crisis with North Korea.

No comments: