Twitter had some great commented threads on the North Korean government hacker (PARK) who was criminally indicted by the United States. The main point in the threads that I read revolved around whether or not the NK hacker should have been indicted as he was ‘only following orders’.

If we assume the attribution of PARK is correct, in that the US correctly identified a specific person that hacked Sony (and other things), then the question is “What does a country do?”

My opinion

1. Criminally charge the hacker, set a court date, and wait...or
2. Sneak in, grab him, drag him to court, and/or
3. Sony sues him.
4. Go to war against NK.

As to these choices..

#4 is extreme with too many consequences

#3 will go nowhere.

#2 might start a war without declaring war

#1 shows the enemy that we can/ WILL find them without going to war

I vote for #1.

The affidavit

Right off the bat, the affidavit lays out the crimes committed. This is par for the course for any (all) affidavits. You have to spell out the crimes. But the point I make is that “crimes” were detailed, not military actions. Meaning, a crime committed results in a crime being charged.

The issue on Twitter was that since PARK was a only government hacker just doing his job, the USA should not criminally indict him because it would result in unintended consequences of USA hackers being potentially criminally charged by doing the same thing to foreign countries. This would be like, ‘hey, don’t criminally charge burglars because I am a burglar too and I don’t want to be criminally charged for when I burgle homes.”

Now to “duress”...

Firstly, duress does not relieve someone of culpability, meaning, even if a gun is to your head to put a gun to someone else’s head, that doesn’t relieve you of being responsible for what YOU do.  Yes, some argued that under duress, you don’t have a choice, but seriously, you do have a choice of ‘bad choice #1’ and ‘bad choice #2’.  Your morals tend to guide your decision, so those who say PARK had no choice but to do what he did must also believe that choosing to victimize a totally innocent person because you don’t want to be a victim yourself, exonerates the person from the crime. Not in my book. Or in any law book that I heard of.

As to PARK’s specific ‘duress’, only PARK knows, and for that reason alone, you can’t excuse his actions based on assumptions of duress to him or threats of harm to his family. 

A more relevant example of duress not being an excuse to committing a crime is that NK/PARK sent threatening messages to Sony demanding that Sony employees sign a statement against Sony or that the employee families will be at risk of harm from North Korea.  So here goes the rationale that doesn’t work for duress.  NK government threatens PARK to hack Sony or face harm to his family, then PARK emails Sony employees and threatens to harm their families if they don’t sign a statement against Sony.  If a Sony employee then did something illegal, is he immune because PARK told him to do it or his family suffers? And PARK only did it because his family would suffer, and PARK’s immediate supervisor only told PARK because..and on and on. The line is drawn at the actor.

THE BIGGER POINT: What about the USA government hackers?

Again, my opinion is that there is no difference between the USA criminally charging an in individual as in the PARK case than a foreign country charging a USA citizen in the same type of circumstance.  The legal authority given by one country does not and cannot be extended to any other country.  Laws don’t work that way. Cyber might appear different because (1) it’s fairly new and (2) you don’t have to physically HALO into a country to do damage.

There are exceptions, which are too deep to get into here, but the exceptions are basically having approval to ‘operate’ in a foreign country with the explicit approval of the foreign country.  This applies to any foreign national in another country operating under a government’s orders (such as a military service member or government employee, like a spy or diplomat). 

A personal law enforcement example I can give is that one country authorized me to work a case in their country as an undercover officer, but did NOT authorize me to carry a gun (Canadians......).  However another country did authorize me to carry a firearm while working undercover in their country.  Now, if I went into Canada to work a case with Canadian authority BUT brought my gun and said that my government gave me authority....that would not have been legal.  Laws are specific to the country and the granted authority is specific.

I have another LE example of getting authority to operate in a hostile environment and authority to do so. My partner and I (she’s probably reading this, and will remember well), asked for the Sgt of Arms permission to enter an OMG club meeting. By OMG, I don’t mean O My God, but rather Outlaw Motorcycle Gang.  The permission was reluctant, and we would have went in anyway (with the entire PD...), but with his permission, we walked right in, said hello, made some introductions to key decision-makers, and left. Given 100:1 odds, permission was the better route than calling in the world for support for what we wanted to do. The point being, we had legal authority to enter (it was a public-private venue) but the authority of the OMG would certainly be violated without at least asking to come in.

This leads me not the part of the story that says everyone who volunteers for the military is at risk of committing crimes in foreign countries, even when given the authority by their government.  Wars are usually fought in enemy countries, in which the enemy is not going to grant authority for an invasion. If the enemy wins, expect criminal trials of individuals for following the orders of their government.

Hacking foreign nations was done/is done with the false perception of immunity from prosecution.  Doesn’t work that way. Spies know this too.  How many have been arrested outside of their country and either convicted of crimes or traded between countries? Or killed? No difference between slithering into a country to kill a military leader in an enemy state than it is to hack into the computing systems operated by an enemy state.

DO NOT take this to mean that I believe USA govt hackers are criminals, or that they should be arrested. Totally inaccurate. I’m all for freedom in the world and against oppression of people. To the USA government hackers, I say, “Go for it and do a good job.”  For the nation-state hackers damaging the USA, I say, “We are going to find you and if we can grab you, we will.”

The big negatives for government employees are that for the rest of your life, you must live under the assumption that there is an enemy country somewhere that wants to arrest or kill you, and that even when you leave your job, the risk remains. Like, forever.  They may have you on a hit list if you ever leave your country or even have plans to take you out while you are in your own country. This is not spy fiction, but reality. 

For more perspective, and on a different scale, law enforcement works with the same premise.  LE has government authority to do things, like exceed the speed limit and arrest criminals. But consider the criminals as foreign nations.  When a police officer makes an arrest, organized crime and criminals do not see that LE is immune to their justice. An informant will be (has been) tortured and/killed as much as a CIA asset can be (has been). Undercover cops can be (have been) tortured or killed for legally operating under government authority, but not under authority of the criminal element.  The only thing preventing this from happening is that the ‘other side’ chooses not to do it in most instances.

These are the things to know before taking cool and important jobs. It’s like knowing that sharks can eat you. You may not agree with a shark biting your leg off, but it is reality.  You just have to be careful where you swim, and if you do have to swim with the sharks, you run the risk of getting eaten. 

An easy decision making tree :)

1. Are you in your own country?
   1. Yes
      1. Do you have authority to operate in your country?
         1. Yes - No crime
         2. No - Crime
   2. No
      1. Do you have authority from your country AND host country?
         1. Yes - No crime
         2. No - Possibly a crime

I hate to do this....

But, I’ve been called out with a Twitter DM on not knowing anything about this topic by someone who said they know everything about it.  So, a short baseline of my perspectives on USA operations outside of the USA (and NK specifically) is:  I’ve been deployed all over Asia (including Korea) for a few years in military service, did police work after that and was assigned to a federal task force that investigated Asian organized crime, I operated as an undercover officer outside the USA, and I have lived in an Asian culture for 30+ years to the extent that both my kids speak 2 different Asian languages (one even degreed in Chinese..), and I taught Asian OC investigations to a few hundred investigators over the years. In other words, Asian culture and North Korean history is not new to me, nor is operating in foreign countries.