Asymmetry In Cyber Security: Responses Of Estonia And South Korea

In this paper the first chapter provides background information about the cyber security in international relations and why this issue is becoming more important for private companies and governments. Cyber attacks are not only conducted within one country. Instead, groups of hackers use the internet to their advantage and launch attacks by using foreign computers, and by having such strategy they are able to stay anonymous, and thus it is harder for businesses and governments to tackle this issue. Moreover, further the definitions of cyber security and cyber attacks are discussed where it is explained that governments and international organizations have their own ways of defining what cyber security involves.The same chapter also provides the research question and information about the cases of South Korea and Estonia, so it is clear that both countries are similar in many ways, they are democracies with high living standards, members of OECD and allies of the US, and more importantly, both are leading states in the usage of information technology. Despite that, each of them had a different response, while Estonia started actively to seek international support and advocate how seriously cyber security should be regarded, South Korea was not so active and instead relied on its own to address the issue, therefore it is necessary to ask why has Estonia been quite active to look for international assistance after one series of attacks, while South Korea, a victim to three series of large scale cyber attacks, has been passive to respond?Lastly, the main argument explains that there have been differences in responses because Estonia has been over attentive to Russia but South Korea has been less attentive to North Korea due to their relative asymmetric relationship. According to the theory of asymmetry, since there exists asymmetrical relationship between states, a smaller state is overattentive to the behavior of a large state, however in return the large state is likely to be less attentive to the small state.The second chapter provides literature review of cyber security in Estonia and South Korea,as well as the theoretical framework that is based on the theory of asymmetry. The first section analyzes the academic literature about cyber attacks against Estonia in 2007. Authors like Valeriano and Maness have argued that these cyber attacks were serious but Estonia definitely overreacted, and in reality the problem cannot be regarded as part of cyber war. However, they have not been able to explain all factors since they did not take into account the relative size ofstate and its resources that determines how a state responds. On the other hand, Kostyuk analyzed the issue between Estonia and Russia by categorizing states by their size but according to her there are only fifteen powerful states in the world, while rest of them are less powerful.Unfortunately, such view is too limited because of a few reasons, namely the status of countries can change and they can become weaker or stronger. Finally, Hansen and Nissenbaum applied the securitization theory to prove how much Estonia achieved by linking cyber security with national security, thus attracting more foreign attention and changing people’s mindset. However,they lack to provide details about the long-term consequences, in other words, their analysis allows to understand how sensitive was the Estonian government, but they do not discuss how Estonia transformed its long term policies and how it continued to pay lots of attention to cyber security even in the following years.Meanwhile, the second section describes the available academic literature about cyber attacks against South Korea, where it appears to be a well-known example because it was a victim of cyber attacks in 2009, 2011 and 2013. Korean scholars have focused more on policy issues to address the problem, and they confirm the fact that South Korea’s perception of cyber security is too narrow and the government needs to find proper definitions to understand it.Furthermore, although the state has already existing government agencies, their jurisdiction overlaps. In other words, research papers written by Korean scholars show that South Korea is reluctant to deal with cyber attacks. Despite these policy papers, other authors have tried to discuss issues of cyber security by analyzing the existing problems as part of asymmetric warfare.In the case of South Korea, North Korea conducts politically motivated attacks because it knows that the South actively uses information technology, so it is possible to disrupt their systems by targeting them. However, this approach cannot be successfully used to explain all attacks, and it does not provide a detailed perspective about the responses of countries.The third section of the second chapter discusses in detail the theory of asymmetry in order to provide theoretical framework for explaining the cyber attacks against Estonia and South Korea. Mostly the ideas by Brantly Womack are described, especially to understand how the theory of asymmetry views the misperception and the behavior among large and small states because of their asymmetrical relationship due to their differences in size of military, economy and population.The third chapter is about the Estonian response to cyber attacks. It talks about the factor that Estonia has a smaller military capacity, economy and less population than Russia, thus Estonia is likely to be more attentive to Russian intentions. However, because of this overattention Estonia has misperception of what Russia really plans to do, so on many occasions Estonians expect that Russia’s actions are a threat to their security. Furthermore, this situation has long-term effects, meaning that Estonia overreacted when the attacks from Russia happened,however it also adopted strategies that started to dictate what kind of cyber security approach they prefer and want to put emphasis on. Such misperception also made Estonia to look for international assistance. This resulted in establishment of NATO Cooperative Cyber Defence Centre of Excellence in Estonia that allows foreign scholars to conduct research and provide training, so it is possible to improve the cyber security of Estonia. This institution also has a role in Estonian higher education. The fact is that after cyber attacks had happened, the Estonian government changed some aspects of higher education system as well, meaning that it was necessary to invest more resources, so Estonia would have more cyber security specialists that could help to prevent attacks in the future.Cyber attacks also affected how the Estonian society view cyber security. In 2006 people were asked what is the most likely threat to Estonia, and they told that it is the environmental pollution, while in 2014 only half of people regarded it the same as before. Instead according to the polls in the same year, almost three fourths of people in Estonia viewed cyber attacks as the most likely threat, thus it shows clearly that situation had rapidly changed.Finally, after the cyber attacks Estonia tried to use its status in the international organizations to get attention from other countries in order to raise awareness of cyber security issues. Since Estonia is a member of the EU, Estonian politicians used the resources of the European Union exactly for this purpose, for example, they cooperated with politicians from other countries in order to persuade the EU to adopt the EU Cyber Security Strategy. And in2008 the president of Estonia called the European Union to recognize cyber attacks as a criminal offense.In the final chapter the South Korean response to cyber attacks is discussed. This country has more population, a larger military capacity, and additionally its GDP is a lot higher compared to North Korea, so the South is less attentive to the cyber attacks conducted by North Korea. It rather pays limited attention because it is more concerned about other security issueslike nuclear and missile tests, so for South Korea this issue may become important only temporarily, but not in the long term, therefore it is slow to improve its defense and the policies are uncoordinated. This can be seen in South Korea’s Defense White Papers where the issue of cyber attacks was addressed only to an extent in 2012, after two series of large-scale cyber attacks had happened, moreover, back then the government stated that the country lacks proper regulations and it is needed to establish new systems. Even in the latest white paper published in2015, they admit that they are in the middle of changing current laws while the national universities will prepare cyber security professionals in 2016.Furthermore, in 2010 only 36.5% of Korean companies told that they have invested in security, but later in 2013 it increased to around 46% of companies, thus still majority of companies had done nothing to improve the information protection. Meanwhile, in 2008 companies were asked if they have any information security policy at all, and 33.4% of them told that they do not have it. However, later in 2013 the number decreased to 20.8%, therefore after the cyber attacks had happened, more organizations actually had no information security policy,so it shows that private companies prefer to avoid addressing security problems.Finally, scholars have expressed opinion that South Korea’s cyber defense is not being treated like a national priority and thus they support the idea that South Korea is passive to deal with cyber security problems. There are countries that recognize cyber security as a significant aspect of their national priorities, while South Korea still views this issue as less important. In order to explain the required attention for this issue, they suggest that Korean cyber security agencies should be reorganized, so they are supervised by people directly appointed by the president.