File
|
The Invisible Battlefield: The Future of the Cyberspace Force |
| September 16, 2025 |
-
Kwang Sup JooVisiting Research Fellow, Sejong Institute | myjohj1@naver.com
-
In August 2025, the RAND Corporation released a report titled “Getting the Fundamentals of Cyberspace Force Readiness Right,” which noted that even the United States remains most vulnerable in the area of cyberspace force readiness. Despite years of substantial investment, the U.S. military continues to face persistent shortfalls in recruiting and retaining qualified personnel, aligning training with operational deployment, and maintaining adequate equipment and infrastructure. RAND assessed these shortcomings not as matters of management inefficiency but as structural bottlenecks, emphasizing that “the priority should be placed on implementing four foundational initiatives before debating organizational reforms.”1)
Meanwhile, the Russia-Ukraine war, which erupted in 2022, was the first large-scale conflict to show how cyber operations shape modern multi-domain warfare. Russia carried out a range of offensive cyberattacks, including satellite network disruptions, wiper malware, and distributed-denial-of-service (DDoS) campaigns, aiming to undermine Ukraine’s command, control, and communication systems. Yet Ukraine absorbed the initial shock and maintained resilience through support from Western allies, assistance from private technology firms such as Starlink and Microsoft, and the mobilization of volunteer cyber groups.2) The conflict made it clear that cyber operations rarely deliver a decisive blow on their own, but instead act as a force multiplier when synchronized with conventional, psychological, and information operations.
These lessons are also directly relevant to the Korean Peninsula. North Korea has carried out a wide range of sophisticated cyber operations through state-sponsored hacking groups such as Lazarus Group and Kimsuky (also known as Geumseong 121), targeting financial institutions, critical infrastructure, and global positioning systems.3) Over time, North Korea’s cyber capability has evolved into a quintessential low-cost, high-impact asymmetric weapon, exploiting South Korea’s deep digital dependency and openness to endanger both national security and the everyday lives of its citizens.
In this regard, the RAND report’s call for “implementing the foundational initiatives of cyberspace force readiness,” together with the lessons from the war in Ukraine, serves as a crucial guide for the Republic of Korea (ROK) Armed Forces as they face North Korea’s persistent cyber provocations. Building on RAND’s analytical framework, this paper combines insights from the Ukrainian experience and existing research on the ROK military to explore strategic pathways for strengthening South Korea’s cyberspace force readiness and development. -
RAND assesses that despite more than a decade of substantial investment, the U.S. cyberspace force still lacks sufficient readiness. The most prominent challenges are consistently observed across four key areas — training, equipment and infrastructure, employment, and recruitment and retention. Training programs are often excessively long and complex, and in many cases fail to align with the actual competencies required for operational missions. Equipment and infrastructure remain far below mission requirements, limiting the ability of cyber units to perform effectively. Moreover, personnel who have not yet achieved full qualification are frequently deployed prematurely, creating a vicious cycle in which mentorship and certification support cannot keep pace. Recruitment and retention of skilled cyber professionals have also proven difficult, as unclear career pathways and uncompetitive compensation structures have led to significant attrition among high-performing personnel.
RAND did not view these visible problems as simple operational setbacks. Instead, the report identified six underlying structural causes that have hindered the development of cyberspace force readiness.
First, persistent interagency coordination failures were observed among departments and organizations responsible for cyberspace missions.
Second, recurring conflicting priorities emerged between cyberspace and non-cyberspace tasks.
Third, even within the cyberspace domain, there was an absence of a clear prioritization framework to determine which missions and units should be strengthened first.
Fourth, significant deficiencies in personnel management and talent retention systems limited the ability to recruit and maintain skilled cyber professionals.
Fifth, a pronounced capability gap existed between the operational requirements of real missions and the competencies available within cyber units.
Finally, training and operational employment remained misaligned, preventing training outcomes from being effectively integrated into field operations.
Ultimately, RAND concludes that the root of these challenges lies not in a shortage of technology or equipment, but in structural deficiencies across organizational design, personnel systems, training processes, and policy implementation.
Based on this diagnosis, RAND argues that the priority should be to address four foundational initiatives before entering into debates over “whether to establish new organizations.”
First, establish a personnel management system that meets the specific requirements of cyberspace forces. This entails implementing back-to-back tours to ensure continuity in key operational positions, actively employing civilian and reserve expertise, and creating structured career pathways for technical professionals.
Second, standardize the training and qualification systems. Education, certification, and assignment must be streamlined into a single, coherent process to eliminate training programs that are unnecessarily long or disconnected from field realities, thereby ensuring alignment with mission demands.
Third, restore alignment between training and deployment. The principle of “qualification before deployment” should be firmly institutionalized, and dedicated training units should be strengthened to enhance adaptability in real operational environments.
Fourth, establish a unified framework for measuring operational effectiveness. Service-specific evaluation systems should be integrated into common metrics that quantify readiness and directly inform budget allocation and personnel decisions.
As a final analytical consideration, RAND outlined three long-term scenarios for restructuring cyberspace forces.
The first scenario, termed the Current Approach+, involves maintaining the existing service-based management of personnel and equipment while expanding the authority of the U.S. Cyber Command (USCYBERCOM) to strengthen its oversight of training and budgetary resources.
The second scenario, the Centralized Training and Career Management Model, proposes integrating personnel management and training under a centralized system, similar to the organizational structure of the U.S. Special Operations Command.
The third scenario, the Separate Cyber Service, envisions establishing an independent military branch dedicated solely to organizing, training, equipping, and presenting cyberspace forces, similar to the U.S. Space Force.
RAND concludes that in the near term, reinforcing the existing framework through the Current Approach+ represents the most practical solution, while in the medium to long term, a gradual evolution toward a centralized model, and if necessary, the eventual creation of a separate cyber service, constitutes a realistic and sustainable path forward. -
The war in Ukraine served as a real-world demonstration of the “importance of readiness” emphasized by RAND. Cyber warfare exhibited distinct characteristics across different phases of the conflict, from pre-war operations to the initial shock phase and the protracted stage of the war.
1. Pre-war Preparation and Preemptive Cyber Operations
In the months leading up to the invasion, Russia conducted extensive reconnaissance against Ukraine’s government, energy, and communications networks and pre-positioned offensive cyber capabilities. Immediately before the outbreak of war in February 2022, Russian actors launched disruptive attacks targeting more than 70 government websites and deployed destructive malware such as WhisperGate and HermeticWiper5) to create instability. 6) However, Ukraine successfully mitigated much of the impact through foundational cyber defense practices and proactive Western support. U.S. Cyber Command’s Hunt Forward teams7) , along with technical assistance from Microsoft and Google, provided critical pre-war defensive operations, while Ukraine enhanced its resilience by migrating key government data to cloud-based infrastructure.
2. Early Cyber Offensives and Hybrid Operations
On the first day of the invasion, Russia attempted to degrade Ukraine’s command and control by disrupting the Viasat KA-SAT satellite network 8) , while simultaneously targeting the Ministry of Defense, banking systems, and telecommunications networks. This represented a classic case of hybrid operations integrating cyber and kinetic effects. Nonetheless, the overall impact remained localized and short-lived, as Russia’s lack of coordinated execution and Ukraine’s rapid defensive response significantly limited operational effectiveness.
3. Protracted Cyber Warfare
Following the initial phase of the conflict, cyberspace operations transitioned into a protracted form of “cyber trench warfare.” Rather than rapid offensive and defensive exchanges, both sides engaged in sustained campaigns characterized by attrition and resilience. Russia continued to conduct cyberspace operations aimed at supporting occupied territories and amplifying social unrest, while Ukraine, bolstered by continued international assistance, strengthened its defensive and recovery capabilities. This phase demonstrated that cyberspace operations function not as decisive “knockout weapons,” but as components of a broader, enduring competition for operational advantage and stability.
4. Non-State Actors and the Platform Battlespace
The cyber war in Ukraine was, in many respects, a struggle waged by non-state actors and private technology platforms.- Anonymous, along with large volunteer hacker groups estimated at around 300,000 participants, disrupted Russian government and media networks through coordinated cyberattacks, including website defacements and distributed denial-of-service (DDoS) operations.
- Starlink provided essential connectivity for C2 continuity and drone operations, while Microsoft spearheaded Ukraine’s data protection and recovery initiatives.
- Facebook, Google, and YouTube blocked Russian state-controlled media channels, helping shape global public opinion throughout the conflict.
5. Implications
The war in Ukraine has redefined the nature of cyber warfare. Cyber operations do not serve as stand-alone instruments capable of determining the outcome of a conflict. Rather, their effectiveness is maximized when integrated with kinetic operations, international cooperation, and psychological or cognitive campaigns. The war has also demonstrated that the essence of cyber warfare does not lie in a single, decisive “cyber Pearl Harbor” event, but in sustained pressure, adaptive defense, and the ability to maintain resilience over time. -
1. Doctrinal Integration of CEMA (Cyber Electromagnetic Activities)
The Republic of Korea Armed Forces continue to operate cyberspace and electronic warfare as separate domains. However, the United States and the United Kingdom have already adopted the concept of Cyber Electromagnetic Activities (CEMA), integrating the two into a unified operational framework. The ROK military should likewise advance through a phased doctrinal development process encompassing the stages of preparation, development, and advancement.9) To achieve this, it is essential to establish a Joint Chiefs of Staff–led platform for integrated doctrine development and to build a modular doctrinal system that simultaneously incorporates operations, training, and equipment employment.
2. Talent-Based Development of Cyberspace Forces
North Korea operates highly capable, state-sponsored hacking organizations such as the Lazarus Group and Kimsuky (Geumseong 121). To counter these threats, the Republic of Korea Armed Forces must strengthen its human capital as a core component of cyberspace readiness. In the short term, a unified framework for identifying, training, and managing cyber personnel across all services should be established. In the medium to long term, a rotational mechanism linking the military and private sectors is needed to sustain expertise and adaptability. The establishment of a joint Cyber Academy, co-operated by military and civilian institutions, would formalize continuous education and field deployment, ensuring a resilient and mission-ready cyberspace force. 3. Standardized Training and Qualification Systems
The Republic of Korea Armed Forces should integrate the disparate training programs across individual services and adopt models based on the MITRE ATT&CK and D3FEND frameworks10) , institutionalizing the principle of “deployment only after training completion.” A Joint Cyber Training Center should be established to conduct regular combined exercises that involve the military, civilian experts, and allied partners. In this process, challenges related to budget allocation, interservice authority distribution, and regulatory frameworks for civil–military cooperation are likely to arise. Therefore, it is essential to proactively develop a multi-stakeholder governance model that includes participation from the National Assembly, industry, and academia to ensure policy coherence and sustainable implementation.
4. Dedicated Organization for Cognitive Warfare Response
In the Russia–Ukraine war, social media and deepfake technologies played a pivotal role in shaping public opinion. The Republic of Korea Armed Forces must also establish a dedicated organization for cognitive warfare and develop AI-based detection systems.11) In addition, an integrated information platform connecting the National Intelligence Service, the Korea Media and Communications Commission, and media organizations should be established to enable the early identification and timely response to emerging signs of cognitive warfare.
5. Civil–Military–Private Sector Cooperation Network
The Starlink case demonstrates the extent to which modern C2 systems depend on civilian infrastructure during wartime. South Korea should likewise institutionalize a national cyber crisis cooperation framework that links the Ministry of National Defense with key private actors such as KT, Naver, Kakao, and cybersecurity companies. To this end, standardized operating procedures and crisis-response hotlines connecting civilian infrastructure with military networks should be established and regularly exercised during peacetime.
6. Evolving Trilateral Cyber Cooperation Among South Korea, the United States, and Japan
Cyber threats transcend national borders. South Korea should expand its participation in the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE)12) , institutionalize the regular conduct of the Cyber Flag joint exercise13) , and promptly establish a trilateral information-sharing framework among South Korea, the United States, and Japan. Furthermore, multilateral cyber crisis management exercises at the Northeast Asia level should be held on a regular basis to strengthen the building of practical trust within the international cooperation network.
“The six strategic tasks outlined above should not remain limited to the responsibilities of the armed forces but must evolve into a comprehensive national cyber defense strategy jointly advanced by all sectors of the state.” -
The RAND report illustrates that even the U.S. military faces structural challenges in maintaining cyberspace force readiness. The war in Ukraine further demonstrated that cyber warfare is not an “exaggerated threat,” but a decisive variable shaped by the degree of civil, military cooperation and allied solidarity.
As North Korea continues to threaten South Korea through diverse means such as financial hacking, GPS interference, and infrastructure attacks, the Republic of Korea Armed Forces must now shift focus from debates over “organizational restructuring” to strengthening the four fundamental pillars of cyber readiness, namely personnel, training, deployment, and evaluation. At the same time, it must advance the integration of the Cyber Electromagnetic Activities (CEMA) doctrine, enhance cognitive warfare capabilities, expand civil–military cooperation, and deepen trilateral coordination with the United States and Japan.
Cyber warfare is no longer an abstract threat. Readiness is survival.
Moving forward, the ROK military should institutionalize a rotational education and training platform connecting the civilian and military sectors, establish an integrated information system for joint training and cognitive warfare response, and build genuine trust within the framework of international cooperation networks. Above all, only by developing a realistic roadmap that accounts for budgetary and political constraints, and by linking it to broader defense reform initiatives, can South Korea fully achieve Cyberspace Force Readiness.
| Introduction
1) RAND Corporation, Getting the Fundamentals of Cyberspace Force Readiness Right, 2025.
2) 부형욱, 「우크라이나 전쟁에서의 사이버전과 한·미·일 사이버안보 협력의 향배」, 『국가전략』 30권 1호, 2024
3) 정동, 「사이버전 양상과 북한의 위협」, 『인문사회21』 13권 6호, 2022
| Core Analysis of the RAND Report4)
4) RAND Corporation, Getting the Fundamentals of Cyberspace Force Readiness Right, 2025.
| Cyber Warfare in the Russia–Ukraine War
5) As cyber weapons employed by Russia in the period immediately before and at the outset of the conflict, WhisperGate functioned as a “preparatory strike” intended to generate psychological and operational disruption, while HermeticWiper was used as a near-prewar “decisive strike” aimed at inducing large-scale infrastructure paralysis. Both tools were therefore intended to prepare the battlefield and sow confusion through cyber means.
6) 송태은, 「현대전면전에서의 사이버전의 역할과 전개양상」, 『국방연구』 65권 3호, 2022
7) A team under USCYBERCOM that deploys directly to the networks of allied or partner nations at their request to detect, analyze, and counter adversary cyber threats on site.
8) Viasat is a U.S.-based satellite communications company, and in Europe, its KA-SAT satellite network was widely used. The Ukrainian military also relied on this network to maintain command and control (C2) communications.
| Implications for the Republic of Korea Armed Forces
9) 유종규·신진, 「한국군의 ‘사이버전자전’ 수행을 위한 전략 분석」, 『한국군사학논집』 77권 3호, 2021
10) It refers to a cyber threat and defense knowledge framework developed by the MITRE Corporation in the United States.
11) 이주환·나승학, 「사이버 전쟁에서의 인지전 전략과 미래 방향성」, 『안보군사학연구』 20권 2호, 2023
12) The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) serves as NATO’s principal hub for cyber defense research and training.
13) A representative U.S.-led cyber defense exercise program that simulates real-world network environments and enables participants to practice defending against cyberattacks in a realistic joint training setting.
| Conclusion
※ The contents published on 'Sejong Focus' are personal opinions of the author and do not represent the official views of Sejong Institue
