State-Sponsored Attacks Against Private Companies: Explaining Differences in Government Responses of the U.S. and South Korea

Abstract

In July 2012, NSA Director General Keith Alexander stated that there had been a 17-fold increase in cyber attacks at American infrastructure companies between 2009 and 2011. In particular, state-sponsored cyber attacks on private companies, including both critical infrastructure and non-critical infrastructure entities, are on the rise. These cyber attacks have raised questions about what governments should do to respond to cyber attacks operated by state actors targeting their corporate-nationals. The following research question drives my research: how and why do the governments of the United States and South Korea react differently to state-sponsored cyber attacks targeting private companies? Case studies of seven incidents of cyber attacks targeting private companies in which a particular foreign nation was speculated or officially attributed in operating the attacks have shown that the U.S. and South Korean governments vary in the attack. These include Operation Ababil, the JPMorgan hack of 2014, a series cyber espionage operations by Chinese military hackers, and the Sony hack in the United States. For cases in South Korea, I observe all three incidents of statesponsored attacks targeting South Korean corporation that were allegedly launched by North Korea. Therefore, this thesis is organized around two comparisons: 1) comparisons of the overall responses to state-sponsored cyber attacks made by U.S. and South Korean governments and 2) the variations within each country between responses to different attacks from different sources. I use the framework of John Kingdon’s theory of agendasetting and policy-making to look for possible explanations for the variations in the U.S. and South Korean government responses to state-sponsored cyber attacks targeting private companies. I examine the influence of three elements – problem recognition, policies stream, and politics stream in the theory on government responses to the attacks. My main argument is that agenda-setting and policy windows influence how the U.S. and South Korean governments respond to state-sponsored cyber attacks. Policy actions concerning state-sponsored cyber attacks arise when 1) government officials who recognize the impact of undergoing private injuries caused by state-sponsored cyber attacks take the issue within the private sector out to the governmental agenda, 2) there are existing policy proposals that policy makers can select from, and 3) the flow of political events builds consensus that government action in response to state-sponsored cyber operations must be prioritized. The qualitative analysis of my case studies shows that governments have been responding to cases of state-sponsored cyber attacks against private companies even if they fail to create a visible effect on the U.S. and South Korean stock markets. The occurrences of the attacks themselves were sufficient in catching the attention of the incumbent administration of each country. Furthermore, past policy proposals and the existing framework on cybersecurity shaped government responses to particular cyber incidents. Most importantly, policy-making in the area of cybersecurity was to be largely dependent on the politics stream – facts such as the identity of the victims and the attacker, frequency, and amount of economic damage are important, but exerts little influence in policy-making if the stream of past political events prevented governments from responding to state-sponsored cyber attacks against private companies.