October 10, 2013

Cybersecurity in the Context of the U.S.-ROK Alliance

By Andrew Kwon

Source: Korean Economic Institute

Journalist(s) Jara Jung-min Kim, Gyeong-eun Kim

As cyberspace becomes a critical frontier in the international security landscape, it will no doubt emerge as a challenging dynamic for alliances built on pre-existing global paradigms. Perhaps the most sensitive to these changes, U.S. allies must now consider what unknown long-term ramifications cybersecurity will pose to both the relevance and cohesion of their partnerships with the United States. This brings our attention to the upcoming Conference on Cyberspace to be held in Seoul later this month. The ROK, as both an important ally to the U.S. and as a major IT innovator, is no doubt at the forefront of insuring its alliance with the U.S. remains a high-quality and cohesive partnership ready to confront not only threats in cyberspace, but the other uncertainties to come in the 21st century. 

Where is there structural convergence?

When comparing both the U.S. and ROK governmental approaches to cybersecurity, there are considerable similarities. Firstly, at a superficial level, both the ROK and the United States maintain a similar hierarchal structure. In 2009, the Obama Administration made clear its intent that the White House would serve as the central hub for all governmental cybersecurity efforts with the appointment of Howard Schimdt as the White House Cybersecurity Coordinator or “Cyber Czar”. Upon closer inspection, it becomes clear that this move was part of a larger attempt to tie together a highly decentralized government approach to cybersecurity. Divided not only along the lines of threat perception, the government’s disparate attempts are further fractured along intra and inter-departmental lines. To help demonstrate this decentralization is the complex cross-agency interaction necessary to authorize new best practices for cybersecurity. Whilst the Department of Homeland Security (DHS) serves as the primary civil-sector cybersecurity agency, the drafting of its own guidelines and standard is the responsibility of the Department of Commerce. In turn, the draft standards must be sent to the White House Office of Management and Budget for approval, which includes consultation with the Department of Justice (as the principal enforcer of cybersecurity laws) in order to consider the effects of new guidelines on enforcement procedure. Following consultation and redrafting, this new draft is sent to DHS for further review and the process repeated till necessary changes are adopted.

As mentioned earlier, the ROK maintains a very similar structure. When considering the unveiling of the 2013 Comprehensive National Cybersecurity Plan by the ROK Office of the President, it would appear that the Park administration also seeks to centralize the government’s disparate cybersecurity approaches similar to the Obama administration. The ROK similarly deals with a relatively diffuse governmental cybersecurity framework. What highlights this are again the various actors involved in cybersecurity. As dictated by the 2013 National Information Security White Paper, the Korean Communications Commission (KCC), the Ministry of Security and Public Administration, the Ministry of Knowledge Economy and the National Intelligence Service (NIS) were all identified as the responsible government agencies for both ‘public’ and ‘private’ sector cybersecurity. However, given the effusive nature of cyberspace and the relative lack of clarity, there is uncertainty as to how and where the lines are drawn to make a distinction between the two spheres.

Beyond the governmental structure, the similarities in legal frameworks should also be noted. Both the ROK and U.S. lack a comprehensive legal framework and maintain legal coverage and jurisdiction based on an ad hoc combination of legislation. To demonstrate, the U.S. has approximately 49 statutes and the ROK, in turn, has approximately 35 that cover various areas pertaining to cybersecurity that ranges from domestic hacking and identity theft to non-state and state sponsored cyberattacks on critical infrastructure.

Are there issues and what does this mean within the context of the U.S.-ROK Alliance?

While it can be argued that the conscious (or unconscious) decision of the ROK to mirror the U.S. in its approach to cybersecurity is based on a rationale to optimize interoperability, it may not be enough. That is not to say that interoperability is not an important part of maintaining the alliance, but there are other considerations to make. To demonstrate, besides the near term concerns related to adopting a cybersecurity framework that has had  issues in the past, the adoption may also lead to the unintended consequence of misleading many to believe the alliance structure as is will be sufficient in preparing contingencies and mechanisms against future possibilities.

Current challenges like DPRK-sponsored cyber-terrorism and even transnational criminal networks warrant the need for unity of purpose to be translated into actual operationalization. However, in the context of the alliance’s strategic sustainability, the effectiveness of long term interoperability will not be determined by how effective the partners work together in the face of problems present within the current environment, but by the foresight to prepare for the uncertainties of tomorrow.

In an ideal world, both the ROK and U.S. would face an identical array of cyberthreats (and to a certain extent they will), but cyberspace not only represents potential for increased cooperation but also a realm of vast possibilities. In order to work towards a truly 21st century alliance, the ROK would benefit the most from dual investment in the identification of its unique future challenges as well as in interoperable mechanisms.

Though this may seem counter-intuitive and a needless distribution of resources, it may in fact be the best option to sustain the long term coherence of the alliance. Rather than seeking to bend the alliance to fit the circumstances, a willingness to step outside the bounds of certainty and placing faith in a partner by building them into critical response mechanisms could serve to strengthen the alliance. This could provide a transformational moment for the alliance, preparing it into a more effective partnership that is ready to face the uncertainties of a new century.

Andrew Kwon, Jara Jung-min Kim and Gyeong-eun Kim were formerly interns at the Korea Economic Institute of America. The views expressed here represent the views of the authors alone.

  • Andrew Kwon