Don’t Punish A North Korean Hacker Just For Following Orders

David Maxwell Comment: “This is an interesting argument.  I do feel for the plight of the Korean people living in the north and I agree that most Koreans in the north have to act against their for their own and their family’s survival.  However, it would be a huge mistake and simply wrong not to indict hackers (or anyone conducting criminal activities) by following this argument.
First, if we set this precedent it would be applied to Russia, China, and Iran and others who live under despotic regimes.
Second, if by chance we were ever able to bring Mr. park to trial his lawyers could argue his treatment under the regime could be used in arguments for mitigation and extenuation.  That would be the humanitarian thing to do. But I doubt he will ever be brought to trial.
Third, an indictment helps to send the message to despotic regimes that we are going to use the rule of law against your best and brightest who try to do us harm through illicit activities.  We need to establish a positive precedent for deterrent purposes rather than a negative precedent of not indicting those who live in despotic countries who may be acting against their will.
Fourth, the indictment will hinder Mr. Park’s ability to travel as well as to use the international financial system.
I do not think that we are supporting human rights by following this line of argument.  I think we the only way we will solve the human rights problems and the crimes against humanity that are being committed against the Korean people living in the north is to prosecute the Kim family regime as was called for by the 2014 UN Commission of Inquiry.  That is what we should be focusing on.But I do not think the US government will have blood on its hands.  The highlighted excerpt below is probably true. But if it happens it is because of the nature of the Kim family regime and not because of the actions of the US government.”

Don’t Punish A North Korean Hacker Just For Following Orders

My name is Jake, and I’m a former U.S. government hacker. I eventually quit for a number of reasons that don’t need to be discussed here. But for obvious reasons, I have some strong opinions about the American government criminally charging the hackers of other nations. When considering any criminal charges, context is important.

Charging Park Jin Hyok, (or any North Korean government hacker) as an individual is a human rights issue. Even assuming that the intrusions have been correctly attributed to Park, it’s important to note that Park had no choice in his actions.

First, it’s important to note that many government-sponsored hacking operations around the world are actually performed by military members. Recently indicted Russian hackers support this claim. Previous indictments of members of China’s PLA Unit 61398 for hacking further support this. The U.S.’s own hacking operations have been impacted by leaks reportedly coming from NSA, part of the Department of Defense. Other leaks related to U.S. hacking (Vault7) reportedly came from CIA, which works closely with the DOD as well.

Members of the military (and in many cases Defence Department civilians) face criminal charges for not following the lawful orders of the superiors above them. So what is a lawful order? And perhaps more importantly, whose laws are we measuring the word “lawful” against?

As a real world example, consider Special Forces soldiers who helped find terrorists in a foreign country. They identify a building where a terrorist is located, kick down the door, throw in a flashbang grenade, hold all occupants at gunpoint, and whisk away with the suspected terrorist for interrogation. They were following lawful orders from the U.S. military, but many of their actions are actually criminal in the country where they are operating. The previous example has elements of breaking and entering, vandalism, home invasion, assault and kidnapping.

Am I arguing the U.S. shouldn’t pursue terrorists on foreign soil? Of course not. But it is instructive to consider that military personnel following orders that are lawful to them are often committing crimes in the country where they are operating.

Let’s bring this example back to the cyberworld. Because Park was born and lives in North Korea, there’s no doubt that he was indoctrinated by the state from birth. The fact that North Korean citizens are institutionally brainwashed to unquestioningly follow the orders of the state is not a matter of debate. For those who defy the orders of the state, the penalties are severe—both for the offender and their families. If you doubt this, just Google “three generations of punishment rule” (caution: I can’t mentally prepare you for what you’ll see).

Cyber attribution is difficult when we are attributing an operation to a nation. It’s harder when attributing the operation to a particular group within that nation. Attributing the operation to a particular individual is especially difficult, even under the best of circumstances. Based on what we know publicly about the instrumentation in Sony’s network at the time of the attacks and the fact that the attackers destroyed evidence by wiping machines, this hardly constitutes the best of circumstances.

But even assuming the attribution to Park is correct, remember that Park must comply with orders from the state. Park was sent to school to learn computer science and then was ordered to put his talents to use for the state. Not only did Park have no choice when he was ordered to hack Sony, he may not have even felt like he was doing anything wrong.

How could Park not realize he was committing a crime? First, we need to discuss right and wrong. Definitions of right and wrong are relative to one’s own culture. Even our own definitions of right and wrong in the Western world have changed over time. Like most people living in North Korea, it is safe to conclude that Park was deprived access to news and opinions not expressly approved by the state. Even if Park gained access to outside media as part of his hacking operations, it is doubtful that he could have properly framed it.

The Sony hack that Park allegedly took part in was effectively a censorship operation. Sony was set to release the movie “The Interview,” which depicted North Korea’s leader in a very negative light. The North Korean government hacked Sony and carried out destructive actions in company networks in an attempt to prevent the movie from being released. When viewed through the lens of Western norms, it is obviously wrong for a nation to hack a private company for the purpose of censorship. But government censorship is an everyday part of life in North Korea. The Sony operation falls entirely within the country’s social norms while simultaneously violating our own.

Park will never be extradited to the U.S. to face charges. He won’t be allowed to travel to any country where he’ll ever be extradited to the U.S. The U.S. knows this. These charges then are purely symbolic. Further, Park didn’t wake up one morning and decide to hack Sony (or any other target), he was ordered to.

If the U.S. wants to punish someone, they should focus on the North Korean government, not Park. So why aren’t they? The answer is that the U.S. has poor diplomatic relations with North Korea. Examine the government hackers that have been criminally charged by the U.S. in the last several years. We have hackers from Russia, Iran, China, and now North Korea. What do all these countries have in common? They are countries where the U.S. has strained diplomatic relations. We’ve tried diplomatic channels, sanctions, etc., and nothing is working. It appears the strategy is now to target the actual operators following the lawful orders of their governments.

Carefully consider whether you think that Russia, China, Iran, and North Korea are the only countries that have been caught hacking U.S. networks. I believe that the American government has ample evidence to levy charges against government hackers from many other countries, but doesn’t do so because using diplomatic channels is more effective.

Park will never be brought to justice (whatever that means in this case). He will be killed by his own government before he is turned over to face charges. If he tries to defect in order to turn himself in, his family will be punished or murdered. I don’t say this lightly: if you are involved in charging Park, you have blood on your hands.

When I hacked for the U.S. government, I was following lawful orders in the same way that any other nation’s government hacker is following. I had a choice in my participation in government hacking operations. Those involved in charging Park have a choice about whether to participate in these actions. Park didn’t have a choice. The hacks against Sony (and many others) are definitely wrong, but charging Park (or any other government hacker for that matter) won’t solve the larger problem.

David Maxwell

Senior Fellow

Foundation for Defense of Democracies

Phone: O: 202-207-3700    M: 703-300-8263

Personal Email:

Web Site:

Twitter: @davidmaxwell161

Subscribe to FDD’s new podcast, Foreign Policy

Leave a Reply

Your email address will not be published. Required fields are marked *