North Korea’s Evolving Cyber Strategies: Continuity and Change

1 Introduction

Since 2009, North Korea’s cyber operations, organizational structures, and capabilities have evolved with divergent tactics, techniques, and procedures. These include patterns of cyber espionage and distributed denial of service attacks on select political and socioeconomic targets in South Korea, to cyber-enabled information, economic, and political warfare globally. Indeed, since 2014, the trajectory of North Korea’s cyber operations shows an increasing priority on cyber-enabled economic and political warfare, in which North Korean cyber units and state-sponsored hacking groups aim to counter international sanctions, while generating resources for North Korea’s economic and technological development.

North Korean hackers, operating largely outside the country, have spearheaded fraudulent cyber operations to circumvent sanctions, gaining access to the international financial system and illegally forcing the transfer of funds from financial institutions, SWIFT banking networks, and cryptocurrency exchanges worldwide.^[1] At the same time, North Korea also has been able to protect its critical infrastructure from potential reprisals, limiting its access, dependencies, and vulnerabilities on the internet and communication networks by relying instead primarily on China’s internet infrastructure. This has been augmented only recently with a second internet link to Russian networks, and dispersion of its hackers to select countries worldwide, including India, Nepal, Kenya, Mozambique, and Indonesia.^[2]

Consequently, North Korea’s twenty-first-century cyber operations have essentially become weapons of mass effectiveness working alongside the weapons of mass destruction in its nuclear arsenal, together composing a unified asymmetric political strategy designed to pressure the United States and the wider international community to recognize as legitimate Supreme Leader Kim Jong Un’s interpretation of North Korea’s sovereignty and security. As Kim reportedly declared in 2013, “cyberwarfare, along with nuclear weapons and missiles, is an ‘all-purpose sword’ that guarantees our military’s capability to strike relentlessly.”^[3]

Prior to the analysis, a caveat is in order. Any assessment of North Korea’s evolving cyber operations and the strategic rationales underlying them, is a challenging task, not only because attribution is a recurring point of contention but also because of the closed nature of the country’s totalitarian government and society. Accordingly, the available open-source data are limited mainly to threat intelligence reports and investigations by global cybersecurity firms; select statements and publications by the U.S. and ROK governments; select North Korean defectors with partial knowledge of North Korea’s cyber activities; secondary literature such as think tank reports and academic articles; and, ultimately, references in North Korean newspapers and other media outlets. Each source carries internal and external validity risks, including government bias and political agendas, outdated data, and intelligence blind spots.

Varying previous assessments over the years have fueled an ongoing debate on the direction, character, capabilities, and strategic impact of North Korea’s cyber operations. On the one hand, sceptics argue that there are serious limitations to North Korea’s use of cyberspace for political purposes, particularly at the strategic level. According to this view, North Korea’s cyber operations alone do not strengthen its capabilities for coercion or deterrence—to date, these capabilities have not caused any government to back down or change course, nor have they enabled Pyongyang to achieve substantial political, military, or financial gains related to North Korea’s key strategic objectives. Consequently, this line of thinking goes, North Korea’s cyber capabilities do not provide Pyongyang with significant strategic advantages for achieving political aims, nor are they sufficient to degrade U.S. or any other advanced retaliatory capabilities to ensure regime survival.^[4]

The opposing perspective, however, is that North Korea’s cyber capabilities have gradually evolved in scope and sophistication, driven mainly by strategic necessity, giving the regime power and freedom of action in an adversarial strategic environment. Based on this view, Pyongyang’s varying cyber and information operations have provided relatively low-cost asymmetric options for demonstrating power without any visible military commitments, raising hundreds of millions of dollars to support the Kim regime and its nuclear and ballistic missile programs, and, ultimately, enabling Pyongyang to effectively counter stricter economic sanctions under a shroud of plausible deniability.^[5]

North Korean hacker groups have indeed been able to develop a wide variety of tools and asymmetric methods for achieving national goals. In particular, North Korea’s cyber operations reflect at least three distinct characteristics. First, North Korea’s cyber units and hacker groups have shown considerable diversity in terms of their capabilities and experience—from very low-skilled to high-skilled hackers—a range that has made benchmarking their performance solely on such criteria more challenging. At the same time, North Korean hacker groups have been widely dispersed geographically, acting independently or mutually supporting each other based on their specific cyber missions which range from intelligence-driven cyber espionage, information manipulation, and political warfare to offensive and defensive military cyber operations, electronic warfare, and covert financial extortion. Accordingly, the line between low-end and high-end North Korean cyberspace operations frequently has been blurred; North Korea can employ nonstate actors as surrogates, utilize low-cost, off-the-shelf tools that are freely available, and exploit known vulnerabilities and techniques such as denial of service attacks.

At the same time, North Korea may engage in resource-and intelligence-intensive operations that discover vulnerabilities in systems (zero-day exploits) and apply strategies of denial, disruption, destruction, or subversion of information or physical infrastructure. Such operations, whether strategic or tactical, can also range in duration from short to long-term.

North Korea’s cyber strategy and tactics continue to reflect “a holistic effort on information warfare that incorporates all aspects of affecting information such as electronic warfare, cyber warfare, and psychological operations.”^[6] In the long term, North Korea’s converging cyber, nuclear, and conventional strategies will pose new challenges to the U.S.-ROK alliance.

2 North Korea’s Cyber Units and Organizational Structure

A brief look at the origins of North Korea’s cyber operations is a useful starting point. The country’s interest in cyber warfare began in the mid-1990s, when the Korean People’s Army (KPA) studied the “electronic intelligence warfare” concepts formulated by the People’s Liberation Army (PLA) of China, extrapolating the strategic implications of U.S. electronic warfare and cyber operations during the First Gulf War and the North Atlantic Treaty Organization (NATO) campaign in the Balkans.^[7] In 1995, then supreme leader Kim Jong Il issued a directive for the KPA General Staff to develop ‘information warfare’ capabilities.^[8] In September 1998, North Korea established Unit 121 within the Staff Reconnaissance Bureau of the KPA, a unit initially believed to be staffed by between 500 and 1,000 members tasked with research and development of cyberattack techniques, software engineering, cryptography, and networking at top computer science programs in China and Russia, as well as preparing cyber operations from abroad, according to disclosures by two North Korean cybersecurity experts and defectors, Kim Heung Kwang and Jang Se Yul.^[9] Most Unit 121 cadres were selected from North Korea’s top technology-oriented colleges such as Pyongyang University of Automation (previously called Mirim College), the Amrokgang College of Military Engineering, the National Defense University, and the Pyongyang Computer Technology University.^[10] At that time, much of North Korea’s computer infrastructure and many of its related facilities were rudimentary, as was the case for much in the early phases of North Korea’s cyber warfare programs, which experimented with basic cyberattack techniques and first-generation malware. In 2009, U.S. National Intelligence Estimate dismissed North Korea’s cyber capabilities, along with its long-range missile programs, noting that would take years to develop them into a meaningful threat.^[11]

That same year, North Korea unified all of its intelligence and internal security services and initially brought them under the direct control of the National Defense Commission to cement the control of Kim Jong Un as the successor to Kim Jong Il. It merged intelligence organizations and its various cyber departments and bureaus from the Korean Workers’ Party, the Operations Department and Office 35 (foreign operations), and the military intelligence Reconnaissance Bureau of the Korean People’s Army into one Reconnaissance General Bureau (RGB).^[12] The RGB became North Korea’s primary foreign intelligence service as well as headquarters for special and cyber operations.^[13] The RGB, headed by General Kim Yong Chol (2009–2016), integrated Unit 121, increased its size to 3,000 persons, and upgraded its status to that of a “department” also known as Bureau 121 – the Cyberwarfare Guidance Bureau.^[14]

While the exact structure of the RGB’s cyber units has been obscured by secrecy, various cover designations, and internal restructurings over the years, references in open-source literature indicate that Bureau 121 controls Unit 91, Unit 180, and Lab 110, the core cyber-focused components under the RGB and its six bureaus (which include Operations, Reconnaissance, Foreign Intelligence, Inter-Korean Dialogue, Technical, and Rear Services).^[15] In particular, the RGB’s largest cyber unit, Bureau 121, likely has been comprised of offensive and defensive cyber intelligence-gathering and attack subunits and teams based on their responsibilities, skills, and mission-tasking – i. e. the stem analysis team, the attack operations team, the code processing team, the development team, the inspection team, the network analysis team, and the battle planning team.^[16] Collectively, the primary mission of the unit has likely focused on both offensive and defensive cyber operations, including targeting critical information infrastructure – i. e. communications, transportation networks, electricity grids, and aviation systems in ‘unfriendly’ nations – primarily the United States and South Korea. At the same time, Bureau 121 conducts cyber espionage against the government, military, defense industry, and media of other target countries.^[17]

One of the key enablers to Bureau 121’s cyber operations is likely the RGB’s Computer Technology Research Lab – Lab 110 – believed to provide software engineering, technical reconnaissance, infiltration of computer networks, intelligence gathering through hacking, and planting viruses on targeted networks.^[18] While the exact operational relationship and collaboration between Bureau 121 and Lab 110 is not known, it has been reported that Lab 110 analyzes technological configuration and behavior patterns of targets and then develops tailored software and malware, which is then used by cyber-attacks by the Bureau 121.^[19]

Figure 1:

North Korea’s Cyber Organizations in the Reconnaissance General Bureau and the General Staff Department

Sources: Author; Adapted from ROK Defense White Paper 2012; see also Boo et.al. 2013, 94; Boo 2017; Jun/LaFoy/Sohn 2015; Sang-ho Song: North Korea Bolsters Cyberwarfare Capabilities, Korea Herald, July 27, 2014, http://www.koreaherald.com/view.php?ud=20140727000135

In June 2018, the U.S. Justice Department unsealed charges against an alleged hacker for the North Korean government in connection with a series of major cyberattacks including the 2014 assault on Sony Pictures Entertainment and WannaCry ransomware virus, which infected hundreds of thousands of computers in 150 countries and shut down dozens of emergency rooms in U.K. hospitals.^[20] The complaint attributes Park Jin Hyuok as a member of Lab 110 responsible for “a wide-ranging, multi-year conspiracy to conduct computer intrusions and commit wire fraud by co-conspirators working on behalf of the government of the Democratic People’s Republic of Korea, while located there and in China… the conspiracy targeted computers belonging to entertainment companies, financial institutions, defense contractors, and others for the purpose of causing damage, extracting information, and stealing money, among other reasons.”^[21]

In 2013, the RGB under order of Kim Jong-un, reportedly established Unit 180 consisting of around 500 members from the Bureau 121, specifically tasked with hacking international financial institutions to extract foreign currency in support of North Korea’s nuclear and ballistic missile programs, as well as install malicious backdoors in the software development business in Japan and China, according to interviews by Kim Heung-kwang.^[22] In 2014–15, North Korea reportedly reorganized their cyber divisions – Unit 180 would specialize in targeting cryptocurrency exchanges – for example, in January 2018, South Korea’s intelligence agency NIS flagged the Unit 180 as a likely perpetrator of a $530 million theft of the digital cryptocurrency NEM from the Tokyo exchange operator Coincheck.^[23] Meanwhile, Bureau 121 expanded their cyber operations beyond South Korea, by attacking foreign nation’s infrastructure such as transportation networks, telecommunications, electric and nuclear power grids, and aviation systems.^[24] Part of the 2014/15 cyber revamp also included the elite Unit 91, initially tasked to conduct cyber espionage operations against government, corporate, and citizen targets of South Korea,^[25] but since 2014/15 shifting its focus on “acquiring advanced technologies needed for nuclear development and long-range missiles from developed countries.”^[26] In 2016, all RGB’s cyber units have come under the direct control of the State Affairs Commission (SAC), which replaced the National Defence Commission, as the supreme policy and power organizations of the DPRK Government.^[27]

Parallel to the RGB-led cyber units and operations, it is important to note the military-cyber components of the Korean People’s Army (KPA) and its General Staff Department (GSD) responsible for integrating cyber capabilities into conventional military operations. At its core, the KPA’s conceptions of cyberwarfare seem to have adopted and adapted from China’s People’s Liberation Army (PLA) electronic intelligence warfare (EIW), computer network warfare (CNW), psychological warfare, military deception, and information warfare (IW).^[28] The GSD bureaus such as the Electronic Warfare Bureau and the Enemy Collapse Sabotage Bureau (Unit 204) have been reported to be tasked with varying electronic, information and psychological warfare that leverage cyber operations, primarily to disrupt the ROK – U.S. conventional operations during wartime.^[29] Prior and during wartime, KPA’s integrated cyber operations would likely be used as asymmetric means supporting varying lines of effort such as drone strikes, special force incursions, and ballistic missile attacks, in order to disrupt U.S.-ROK command and control infrastructure, and overall to offset North Korea’s conventional military-technological disadvantages.^[30]

In this context, KPA’s cyber warfare units are embedded in the GSD’s Command Automation Bureau: Unit 31 – responsible for malware development; Unit 32 – responsible for software development for military use; and Unit 56 – responsible for software development for military command and control.^[31] These units arguably provide software engineering/development teams, responsible for developing the tools and capabilities, which are likely also used by the operational bureaus within the RGB.

In 2016, the GSD has established a new department for Command, Control, Communication, Computer, and Intelligence (C4I) in the military, which superseded the now defunct Command Information Bureau.^[32] The likely purpose of the new C4I department is to accelerate the integration of offensive cyber capabilities into conventional operations – i. e. targeting critical infrastructures, and more importantly, enhancing defensive cyber capabilities of the KPA’s command and control systems. These have been reportedly compromised by the U.S. military top secret program to disable North Korea’s ballistic missiles before liftoff (“left of launch”) by means of cyberwarfare, directed energy, and electronic attacks.^[33] To counter such measures, North Korea is reportedly developing a quantum encryption technology in an effort to build a highly secure command and control link between Pyongyang and key missile launching sites such as Wonsan, Tonghae, or Sohae.^[34]

3 North Korea’s Cyber Activity Clusters

Externally, there has been a significant overlap in classifying North Korean cyber groups based on tactics, techniques, and procedures (TTPs) – some sources may refer to RGB’s cyber units as “Lazarus Group” and to any activity attributed to North Korea, while other sources track North Korean clusters or groups such as Bluenoroff, APT37 (Reaper), and APT38 separately. Other sources refer some activity associated with those group names by the RGB’s Lazarus Group.^[35] The U.S. Government refers to the malicious cyber activity by the North Korean government as HIDDEN COBRA.^[36] Based on open-source government and private cybersecurity threat-intelligence reports, however, one could argue that there are a number of subgroups associated with the RGB, with distinct TTPs that should not be mistaken to be all under or being subgroups of Lazarus group. (See Table 1).

According to a recent analysis of North Korean-attributed malware by McAfee Labs, for example, “the North Koreans have groups with different skills and tools that execute their focused parts of cyber operations while also working in parallel when large campaigns require a mix of skills and tools.”^[37] For example, APT 37 (Reaper), Kimsuky and Sun Team have distinct TTPs specializing in political cyber-espionage, when compared to Lazarus-associated Andariel, APT 38 (Bluenoroff) groups focusing on financial extortion and cybercrime. With the increasing scope and levels of sophistication of TTPs, however, North Korea’s cyber units have progressively developed their resources, assets, malware arsenals and coding capabilities based on their experience and lessons learned from attacking different targets, and collaborating in various attack campaigns by sharing networking infrastructure and continuously adapting malware code in order to avoid detection.

This has been evident since 2007, when global cybersecurity firms began to publicly identify and track North Korean state-sponsored hacking groups,^[38] and major cyber-attacks have been attributed to North Korea. Select North Korean hacker groups are geographically dispersed in China, Russia, Southeast Asia, and even Europe, acting independently or mutually supporting each other based on their specific cyber-missions: from intelligence-driven cyber espionage and information manipulation (APT37, Kimsuky, Sun Team); covert financial extortion (APT38, Andariel); to various disruptive and destructive cyber operations (Lazarus Group).

These begin seriously to emerge in the period from 2007–12 when North Korea developed its first generation of malware – attributed in cyberattacks known as ‘Operation Flame’ and ‘1Mission’ (2007–2012), ‘Operation Troy’ (2009–2012), ‘Ten Days of Rain’ (2011), and ‘Dark Seoul’ (2013)^[39] – principally against military and government targets in South Korea, hacking websites, stealing information, and distributed denial-of-service (DDoS) attacks.^[40] For example, in March, 2011, in an operation named ‘Ten Days of Rain’, a major DDoS attack on 40 South Korean media outlets, critical infrastructures and financial websites, as well as on U.S. military entities in South Korea was attributed to North Korea’s Lazarus Group.^[41] In March 2013, following the passing of UN Security Council Resolution (UNSCR 2087) and B-52 strategic bomber overflights in South Korea, a cyberattacks dubbed ‘Dark Seoul’ attributed to North Korea destroyed computer networks of South Korea’s three major banks and two largest media broadcasters – the Korea Broadcasting System and Munhwa Broadcasting Corporation, infecting them with viruses, stealing and wiping information.^[42] In that year, North Korea intensified its cyber operations against South Korea with cyber espionage campaign (dubbed ‘Kimsuky’) against South Korean think tanks and industries, and various DDoS attacks on South Korean media outlets, government websites, and financial companies.^[43] In 2016, North Korea was attributed with a successful penetration of South Korea’s military networks – hacking into the ROK’s Cyber Command’s Defense Integrated Data Center, and extracting 235 gigabytes of classified military documents, including South Korea-U.S. wartime operational plans.^[44]

During 2014–15, North Korea reportedly reorganized their cyber divisions – with Unit 180 targeting cryptocurrency exchanges, Unit 91 focusing on cyberespionage for technologies needed for the development of North Korea’s nuclear and ballistic missile programs, and Bureau 121 focusing on cyber operations on foreign critical infrastructure – in a transition that expanded the range of cyber targets and operations beyond South Korea. For example, in 2014, North Korean hackers gained global attention in a major cyber-attack on Sony Pictures Entertainment, which destroyed 70 percent of Sony Picture’s laptops and computers, in an attempt to coerce the company not to release the movie “The Interview.”^[45]

In the same year, North Korean hacker groups were attributed with targeting banks connected to SWIFT global financial messaging system, in attempts to transfer $951 million from the Central Bank of Bangladesh to accounts in Sri Lanka and the Philippines; it managed to steal $81 million.^[46] Since then, North Korea has been linked to a series of cyber-attacks specifically aimed for illicit financial gain – in February 2017, for example, several Polish banks have been compromised as well as South Korean cryptocurrency exchange Bithumb, where North Korean Hackers were able to steal USD$7 million.^[47] In December 2017, the United States, United Kingdom and Australia formally asserted that North Korea was behind the WannaCry global ransomware attack, which infected more than 200,000 computers across 150 countries, including computers and devices of the National Health Service hospitals in England and Scotland.^[48] According to the report by the United Nations Panel of Experts on North Korean Sanctions Committee issued in March 2019, North Korea “carried out at least five successful [cyber] attacks against cryptocurrency exchanges in Asia between January 2017 and September 2018, resulting in a total loss of $571 million.” In doing so, the report states, “cyberattacks by [North Korea] to illegally force the transfer of funds have become an important tool in the evasion of sanctions and have grown in sophistication and scale since 2016.”^[49]

At the same time, North Korea has been conducting cyber operations to access and eavesdrop on critical infrastructure in the United States and other countries around the world – for example, in 2018, during the North Korea–United States Singapore Summit, North Korea conducted a cyber-exploitation campaign designed to probe military, financial, energy, telecommunications, healthcare and other networks for potential vulnerabilities.^[50] While North Korea has rejected all accusations that it has been involved in illicit hacking activities, it has been arguably less concerned with attribution either – i. e. using relatively simple false flags such as the “Guardians of Peace” in the wake of the Sony attack or other names such as the “New romantic Cyber Army Team” and the “WhoIs Team” in previous attacks on South Korean targets.^[51] According to the 2014 ROK Defense White Paper, “North Korea currently operates about 6,000 cyber warfare troops and conducts cyber warfare, including the interruption of military operations and attacks against major national infrastructure, to cause psychological and physical paralysis in the South.”^[52]

Source: FBI 2018 https://www.fbi.gov/wanted/cyber/park-jin-hyok

4 Assessment of North Korea’s Cyber Strategies

The above timeline and empirical evidence suggests that North Korea’s cyber units have gradually evolved over the past decade in three distinct phases, parallel with changing political and economic priorities of the regime and available resource allocation. From 2009–11, North Korea’s cyber operations targeted primarily South Korean government offices, financial industry, as well as U.S. military and defense targets; characterized by hacktivist political messages and threats. The highly publicized attack on Sony represented the pinnacle of this activity, marking one of the first times a nation-state targeted a corporate entity for political aims. From 2012–15, North Korea focused on cyber espionage activities – such as APT37 and APT38 groups – targeting South Korean and U.S. government offices, defense contractors, universities and think tanks, as well as North Korean defectors abroad. From 2016–18, North Korean hacker groups began to expand the scope and sophistication of their operations, most likely under increasing pressure from financial sanctions, and increasingly conduct financially motivated cyber operations.^[53] Second, North Korea has gradually demonstrated a resolve for a cyber-escalation – targeting critical infrastructures of other nation states as well as private corporations and banks for varying political motivations – i. e. retaliation, coercion, or covert intelligence gathering, and increasingly also illicit financial gain to bypass stricter international sanctions and generate foreign currency. In doing so, it has been undeterred by international norms. Third, the essential ‘dialectics of North Korea’s cyberspace’ has reflected asymmetry in terms of its functionality and vulnerability – North Korea’s internet infrastructure is isolated from global networks, with the country’s entire Internet traffic channeled through only two providers – China’s Unicom (40 %) and Russia’s TransTeleCom (60 %).^[54] Notwithstanding its growing intranet infrastructure, the country is still by and large unplugged from the global internet, and China’s “Great Firewall” provides an “additional layer of protection, censorship, and surveillance for North Korea’s cyberspace.”^[55] This has reduced North Korea’s dependencies and potential systemic vulnerabilities to retaliatory actions, and more importantly, mitigated risks of attribution.

In the absence of conventional warfare and escalation, future conflicts on the Korean Peninsula will likely increasingly reflect parallel and continuous confrontations in and out of cyber space, and varying cyber-attacks by both state and non-state actors. At the high-end of cyber-enabled information conflict spectrum on the Korean Peninsula might be “existential cyber-attacks” characterized as causing sufficient wide scale damage for a government potentially to lose control of the country, including loss or damage to significant portions of military and critical infrastructure: power generation, communications, fuel and transportation, emergency services, financial services, etc. Such attacks, however, will be proceeded or accompanied by the use of disinformation, concealment, and deception campaigns – aimed to shape target population’s perceptions and beliefs, while gradually pressuring top political leadership to fall into a decision objectively leading to its own defeat – for example by untangling the U.S.-ROK Alliance. Both North and South Korea’s online activities and behavior will therefore have increasingly offline consequences, and vice-versa, blurring distinctions between civil and military domains, state and non-state actors, principal targets and weapons used. In times of crisis, the character of asymmetric cyber-attacks may also increase the propensity for offensive and unrestricted cyber operations given the prevailing perceptions of lesser risks of detection, the lack of accountability, and the resulting low probability of successful deterrence.

5 Policy Recommendations

There are some steps that South Korea must take domestically to integrate cyber operations more holistically into its military posture and doctrine. In 2011, the ROK’s Ministry of Defense published its cyber-defense strategy – the Master Plan for Defense Cyber Policy, which emphasized four key policy directives: adapting South Korea’s laws to enable cyber operations; integrating cyber and physical operations in a military doctrine – the Joint Cyber Operations Manual; establishing ROK Cyber Command under the Joint Chiefs of Staff office; and creating early warning and crisis management mechanisms for responding to cyber crises.^[56] Since then, South Korea has enhanced civil-military cooperation in the cyber domain, including joint programs with the Ministry of Science, IT, and Future Planning and the National Intelligence Service (NIS) to create a possible cyber reserve force, and closer coordination of intelligence border monitoring, joint response to North Korea’s electronic warfare and GPS jamming, and a special warfare-centered combat skills augmentation plan.

Aside from these domestic measures, Seoul should also prioritize joint efforts with the U.S. military to ensure that the alliance leverages cyber operations as effectively as possible. More recently, South Korea’s cyber capabilities have evolved in the strategic framework of the U.S.-ROK alliance with joint programs developing artificial intelligence-based technologies to counter a range of cyber threats.^[57]

The key challenge for the future of the U.S.-ROK Alliance, however, will be able to adapt to potential changes to the character of warfare. Since the early 1990s, South Korea has been undergoing a comprehensive military modernization drive in order to respond to the widening spectrum of North Korean threats, mitigate technological and interoperability gaps with the U.S. forces, and eventually attain self-reliant defense posture. In the process, South Korea’s defense planners have been searching for a new strategic paradigm and operational concepts that would allow greater flexibility, adaptability, and autonomy under conditions of strategic uncertainty. However, with the ambitious scope, required timelines, and relatively high costs, South Korea’s defense reforms have propelled perennial policy debates on the feasibility, affordability, pace, direction, character, and implementation of South Korea’s defense transformation. These policy debates have reflected five key enduring challenges for South Korea’s defense planning: (1) how to balance and prioritize South Korea’s current operational requirements vis-à-vis North Korea and future-oriented and relatively uncertain regional threats; (2) how to ensure budgetary support and sustain projected increase in defense resource allocation required for implementing select defense reforms; (3) how to streamline and reduce the ROK force structure without mitigating its operational readiness and capabilities; (4) when to transfer current wartime operational command control (OPCON) from the U.S. forces to South Korea without mitigating deterrence; and ultimately, (5) how to shape the future strategic template of the U.S.-ROK alliance.^[58]

In other words, the compelling and relatively ambitious character of South Korea’s future-oriented defense reform plans over the past two decades have been in sharp contrast to the prevailing political, strategic, and operational realities such as contrasting calibrations of defense requirements, structural dependence on the U.S.-ROK alliance, static, defensive force posture, and inter-service rivalries in the organizational force structure that have sustained the relevance of traditional security concepts and strategic culture. Arguably, there has not been a major military change within the South Korea’s military. Instead, South Korea has experienced progressive shifts from operational and military-technological emulation to selective capability adaptation in the gradual or evolutionary process of military modernization.

Notwithstanding concerted efforts to resolve existing technological and operational gaps in the context of combined interoperability with U.S. forces, particularly in areas of air power, C4ISR, and cyber operations; as well as joint interoperability among the three distinctly separate ROK services, South Korea’s defense reforms, including the integration of cyberwarfare capabilities, have not significantly changed the “cognitive-template” nor organizational force structure of the ROK military. The ROK forces have not been fully able to align its military-technological potential in their modernization trajectory with the required organizational, conceptual, and operational innovation to utilize advanced technologies, including cyber capabilities, in new ways.^[59] Under these conditions, North Korea has been gradually gaining a strategic advantage by pursuing cyber capabilities in conjunction with nuclear and ballistic missile programs as asymmetric capabilities, which provide relatively low-cost but effective means to exert its influence and provide a capability for political, economic, and military coercion without triggering a major armed conflict.