Two spats of cyber attacks shut down, though momentarily, websites of major banks and broadcasters of the country, reminding people of similar attacks in 2009 and 2011. The source of the attacks is not clear yet, but they showed that the information infrastructure remains vulnerable to outside attacks.
As Korea is one of the most wired countries in the world with almost all sorts of social services provided over the Internet, any disruption of the information network is particularly detrimental ― it could be the country’s Achilles’ heel. In fact, this is not only Korea’s problem as many countries face a similar threat. The U.S. government recently announced a plan to impose trade restrictions for products to be used for or related to hacking activities overseas.
The core problem that many countries encounter in coping with cyber attacks is how to define them. Is it a law enforcement issue dealing with criminal activity or is it a national security issue dealing with invasion of a territory? Maybe a little bit of both.
This question, however, is critical because an answer to it ultimately determines who is responsible for a cyber attack, and, more importantly, what kind of action is permitted or appropriate in response to such an attack.
More practically, a definition for a particular cyber threat is important because it determines which agency should be in charge. In the absence of such a definition, any agency related to cyber issues ― which, by the way, is almost every agency ― appears on the scene with its own task force or something, causing too much confusion for a prompt, coordinated initial response.
In the recent attacks on March 20, Korea’s police, other law enforcement agencies, military units, intelligence agencies, financial supervisory agencies, information technology agencies and even government-funded research institutions all hurriedly scrambled to the common threat, without knowing who was actually in charge. The less-than-optimal coordination seems to be to blame for the misidentification of the sources of the attack.
A definition of a given situation early on can identify which agency should play the lead to ensure coordination among domestic agencies. Everybody’s problem can be nobody’s problem.
If a given cyber attack is categorized as a trans-boundary criminal activity, a key to solving this problem is to enhance the cooperation among law enforcement agencies of different countries involved ― an issue generally dealt with by mutual legal assistance networks including joint investigations and extradition.
It is a transnational crime, but just occurs in the new territory known as cyber space. If, however, a cyber attack is categorized as a national security threat, a different rule applies. Under these circumstances, the issue is whether the victim country’s right of self-defense can apply, with a focus shifting to the possibility of a unilateral response as opposed to cooperation with other countries.
The traditional concept of self-defense has been applied to the invasion of physical territory, but apparent consensus has been building that an attack on the new territory of cyber space could trigger a similar invocation of self-defense on the part of a victim state.
As the response mode and legal tools are different depending upon how a particular cyber attack situation is understood, it is imperative to make an effort to determine, as early as possible, which of the two categories a given cyber attack falls under.
More importantly, depending upon this critical determination, there is a significant difference in what a government can or cannot do vis-a-vis foreign entities.
Thus, it is not sufficient to simply call it a “cyber attack,” but rather it is necessary to determine which category of cyber attack is suspected.
The omnipresence and intricacy of cyber space do not fit into the traditional profile of governmental work manuals. Cyber threats seem to be located at the confluence of both rivers ― law enforcement and national security.
Nonetheless, an analysis and a decision should be made for an efficient and prompt response to this new threat. The point is, someone or some agency should coordinate a pan-governmental response. Otherwise, people will keep seeing 10 different agencies scramble to fix downed computer servers only, as opposed to formulating a concerted counter-response on a national level.
By Lee Jae-min
Lee Jae-min is a professor of law at the School of Law, Hanyang University, in Seoul. Formerly he practiced law as an associate attorney with Willkie Farr & Gallagher LLP. ― Ed.