When President Donald Trump meets with Kim Jong Un in Singapore next month, he will have a perfect opportunity to confront the North Korean leader about his country’s aggressive hacking strategy and the emerging risk it poses to the United States.
But the summit’s intense focus on North Korea’s nuclear ambitions may leave the cyber threat unaddressed, something some lawmakers say could be a missed opportunity.
Kim’s isolated country has marshaled its limited resources to become a notable cyber power, launching online bank robberies, ransomware attacks and strikes such as the 2014 trashing of Sony Pictures. That makes North Korea one of the United States’ top digital adversaries, along with Russia, China and Iran — leading some experts to press the president to address it during the leaders’ planned summit June 12.
“I hope it’s not just a summit to turn a blind eye to other malign activities of North Korea,” said Sen. Cory Gardner (R-Colo.), who chairs a subcommittee overseeing East Asia and international cybersecurity, and sponsored a 2016 law providing economic penalties for the regime’s online attacks. “I think you’ve got an opportunity to do some good things here.”
Rhode Island Sen. Jack Reed, the top Democrat on the Senate Armed Services Committee, warned against assuming that even a hard-won nuclear deal means “you’ve solved the problem, when [Kim] can switch to an alternate form of conflict, moving from nuclear missile technology to sophisticated cyber.”
Senate Foreign Relations Chairman Bob Corker (R-Tenn.) said he would expect the topic to come up at the summit. “I’ve got to believe that’s going to be one of the things they talk about,” he told POLITICO.
The White House has not spelled out the full range of topics Trump plans to discuss with Kim. A National Security Council spokesperson said the council did not want to “get ahead of the president on the summit.”
Cyber diplomacy has worked before with the United States’ digital adversaries, most famously in the 2015 agreement that then-President Barack Obama struck with Chinese President Xi Jinping in which the two countries agreed to end the hacking of private companies for commercial gain. At the time, tensions on cyber issues between the two global powers ran high, with researchers estimating that Chinese theft of American intellectual property was costing the U.S. hundreds of billions of dollars each year.
In the months following the agreement, China’s digital pilfering noticeably dipped, according to observers. And while both government and private sector researchers say the activity hasn’t completely ceased, the arrangement allowed the two sides to end a yearslong freeze on any discussions of cyber norms.
Then again, China is not North Korea, and Obama and Xi hadn’t been exchanging threats of nuclear war when they formed their cyber pact.
Some security experts were skeptical of broadening the Trump-Kim summit to include hacking, saying a deal on denuclearizing the Korean peninsula is a fraught enough topic all by itself.
“We’re talking about nuclear weapons here, and someone wants Trump to talk about Sony or [the Bangladesh bank hack]?” said Jason Healey, a cyber conflict researcher at Columbia University who served in the George W. Bush administration as the head of cyber infrastructure protection. “Please, those are issues we can manage with so many other tools at our disposal, whereas dealing with nuclear issues has pretty much either negotiation or death, perhaps of millions.”
Senate Intelligence Chairman Richard Burr (R-N.C.) likewise warned against bogging down the summit’s to-do list with issues like cybersecurity.
“I’m not opposed to it going on the agenda,” he told POLITICO. “The question is, how many things can you ask them to eliminate in one negotiation?”
House Foreign Affairs Chairman Ed Royce (R-Calif.) said in a statement that the summit’s “primary focus must be North Korea’s nuclear weapons program.”
“But yes, I do hope the full range of the regime’s dangerous activities will be addressed.”
Before 2014, businesses and government officials were not concerned about North Korea’s digital army. The country exists largely off the grid — it has nearly 25,000 people for every internet connection, compared with neighboring South Korea, where each person averages two internet connections.
But in recent years, Pyongyang’s online warriors have pulled off a remarkable string of digital hits.
It started with the devastating 2014 breach at Sony, which spilled more than a terabyte of the studio’s most valuable secrets and dominated discussions on Capitol Hill for weeks. The FBI swiftly blamed the hack on North Korea, marking the first time the U.S. had blamed a foreign government for a major cyberattack.
Since then, Pyongyang’s cyber army has become infamous for a steady stream of digital heists and extortion schemes designed to fill the reclusive government’s coffers and blunt the impact of punishing international sanctions.
Most notably, government leaders blamed North Korea for the WannaCry ransomware virus, which raced around the world in May 2017, holding tens of thousands of computer systems hostage in least 150 countries. Britain’s health system was briefly paralyzed. FedEx, Maersk, the Russian interior ministry and Spanish telecom and natural gas companies were also hit. Although the virus was designed to extort victims into paying to regain access to their digital files, the malware appeared to have been released prematurely and only netted the country tens of thousands of dollars.
Far more lucratively, Kim’s hackers are believed to be responsible for a brazen digital theft that exploited an international payment transfer system to swipe $81 million from the Bangladesh central bank in February 2016. Pyongyang also appears to have used its hacking prowess to create a stockpile of virtual coins, hijacking foreign computers to mine cryptocurrency and shuttle it back to North Korea, as well as breaking into cryptocurrency exchanges to steal hundreds of millions of dollars in digital money.
Separately, security researchers have blamed North Korea for hacking banks in Taiwan and the Philippines. And last February, cyber firm Symantec said that Pyongyang was likely behind a string of cyberattacks on major banks in 31 countries.
“North Korea has acted especially badly, largely unchecked, for more than a decade,” said Tom Bossert, then the White House homeland security adviser, when pinning the WannaCry attack on Pyongyang. “Its malicious behavior is growing more egregious.”
Congress has so far held been largely silent in pushing for any of this to be on the agenda when Trump and Kim meet, in part because the administration was without a top diplomat after the president fired former Secretary of State Rex Tillerson. But in April the Senate confirmed Tillerson’s replacement, ex-CIA Director Mike Pompeo, who subsequently flew to North Korea to meet with Kim this month and secured the release of three American prisoners, in a dramatic diplomatic victory for Trump.The president’s poll numbers on his handling of the North Korea issue have risen, and the White House is promising he’ll pursue “tough negotiations” if the summit happens — despite recent threats by Kim’s government to cancel the meeting.
Still, some cyber watchers aren’t holding out too much hope for a significant U.S.-North Korea hacking deal.
Sue Mi Terry, a former CIA senior analyst focused on Korea, predicted that Trump and his team will address hacking with Kim “in a general sense.”
“They’ll bring it up, but it’s not going to be part of any kind of a deal,” said Terry, who is now a senior fellow for Korea at the Center for Strategic and International Studies.
She also echoed other experts in expressing skepticism: Even if the president’s team makes it clear the U.S. is monitoring North Korea’s cyber activities, Terry said, it probably won’t change Pyongyang’s online behavior.
“They’re going to do what they’re going to do,” she said.