Don't Punish A North Korean Hacker Just For Following Orders
Charging Park Jin Hyok (or any North Korean government hacker) as an individual is a human rights issue. It’s important to note that Park had no choice in his actions.
My name is Jake, and I’m a former U.S. government hacker. I eventually quit for a number of reasons that don’t need to be discussed here. But for obvious reasons, I have some strong opinions about the American government criminally charging the hackers of other nations. When considering any criminal charges, context is important.
Charging Park Jin Hyok, (or any North Korean government hacker) as an individual is a human rights issue. Even assuming that the intrusions have been correctly attributed to Park, it’s important to note that Park had no choice in his actions.
First, it’s important to note that many government-sponsored hacking operations around the world are actually performed by military members. Recently indicted Russian hackers support this claim. Previous indictments of members of China’s PLA Unit 61398 for hacking further support this. The U.S.’s own hacking operations have been impacted by leaks reportedly coming from NSA, part of the Department of Defense. Other leaks related to U.S. hacking (Vault7) reportedly came from the CIA, which works closely with the DOD as well.
Members of the military (and in many cases Defense Department civilians) face criminal charges for not following the lawful orders of the superiors above them. So what is a lawful order? And perhaps more importantly, whose laws are we measuring the word “lawful” against?
As a real world example, consider Special Forces soldiers who help find terrorists in a foreign country. They identify a building where a terrorist is located, kick down the door, throw in a flashbang grenade, hold all occupants at gunpoint, and whisk away with the suspected terrorist for interrogation. They are following lawful orders from the U.S. military, but many of their actions are actually criminal in the country where they are operating. The previous example has elements of breaking and entering, vandalism, home invasion, assault and kidnapping.
Am I arguing the U.S. shouldn’t pursue terrorists on foreign soil? Of course not. But it is instructive to consider that military personnel following orders that are lawful to them are often committing crimes in the country where they are operating.
Let’s bring this example back to the cyberworld. Because Park was born and lives in North Korea, there’s no doubt that he was indoctrinated by the state from birth. The fact that North Korean citizens are institutionally brainwashed to unquestioningly follow the orders of the state is not a matter of debate. For those who defy the orders of the state, the penalties are severe—both for the offender and their families. If you doubt this, just Google “three generations of punishment rule” (caution: I can’t mentally prepare you for what you’ll see).
Cyberhacking attribution is difficult when we are attributing an operation to a nation. It’s harder when attributing the operation to a particular group within that nation. Attributing the operation to a particular individual is especially difficult, even under the best of circumstances. Based on what we know publicly about the instrumentation in Sony’s network at the time of the attacks and the fact that the attackers destroyed evidence by wiping machines, this hardly constitutes the best of circumstances.
But even assuming the attribution to Park is correct, remember that Park must comply with orders from the state. Park was sent to school to learn computer science and then was ordered to put his talents to use for the state. Not only did Park have no choice when he was ordered to hack Sony, he may not have even felt like he was doing anything wrong.
How could Park not realize he was committing a crime? First, we need to discuss right and wrong. Definitions of right and wrong are relative to one’s own culture. Even our own definitions of right and wrong in the Western world have changed over time. Like most people living in North Korea, it is safe to conclude that Park was deprived access to news and opinions not expressly approved by the state. Even if Park gained access to outside media as part of his hacking operations, it is doubtful that he could have properly framed it.
The Sony hack that Park allegedly took part in was effectively a censorship operation. Sony was set to release the movie “The Interview,” which depicted North Korea’s leader in a very negative light. The North Korean government hacked Sony and carried out destructive actions in company networks in an attempt to prevent the movie from being released. When viewed through the lens of Western norms, it is obviously wrong for a nation to hack a private company for the purpose of censorship. But government censorship is an everyday part of life in North Korea. The Sony operation falls entirely within the country’s social norms while simultaneously violating our own.
Park will never be extradited to the U.S. to face charges. He won’t be allowed to travel to any country where he’ll ever be extradited to the U.S. The U.S. knows this. These charges then are purely symbolic. Further, Park didn’t wake up one morning and decide to hack Sony (or any other target), he was ordered to.
If the U.S. wants to punish someone, they should focus on the North Korean government, not Park. So why aren’t they? The answer is that the U.S. has poor diplomatic relations with North Korea. Examine the government hackers that have been criminally charged by the U.S. in the last several years. We have hackers from Russia, Iran, China, and now North Korea. What do all these countries have in common? They are countries where the U.S. has strained diplomatic relations. We’ve tried diplomatic channels, sanctions, etc., and nothing is working. It appears the strategy is now to target the actual operators following the lawful orders of their governments.
Carefully consider whether you think that Russia, China, Iran, and North Korea are the only countries that have been caught hacking U.S. networks. I believe that the American government has ample evidence to levy charges against government hackers from many other countries, but doesn’t do so because using diplomatic channels is more effective.
Park will never be brought to justice (whatever that means in this case). He will be killed by his own government before he is turned over to face charges. If he tries to defect in order to turn himself in, his family will be punished or murdered. I don't say this lightly: if you are involved in charging Park, you have blood on your hands.
When I hacked for the U.S. government, I was following lawful orders in the same way that any other nation’s government hacker is following. I had a choice in my participation in government hacking operations. Those involved in charging Park have a choice about whether to participate in these actions. Park didn’t have a choice. The hacks against Sony (and many others) are definitely wrong, but charging Park (or any other government hacker for that matter) won’t solve the larger problem.