Feb 24, 2021 - Technology

The risks and rewards of charging state-backed hackers

Illustration: Sarah Grillo/Axios

Last week’s stunning indictment of three North Korean hackers laid bare both the advantages and drawbacks of the U.S. government’s evolving strategy of using high-profile prosecutions to publicize hostile nation-state cyber activities.

Why it matters: Criminal charges can help the U.S. establish clear norms in a murky and rapidly changing environment, but they may not deter future bad behavior and could even invite retaliation against U.S. intelligence officials.

Catch up quick: Last Wednesday, the Justice Department charged three alleged employees of North Korea’s Reconnaissance General Bureau with undertaking a massive, multiyear hacking spree.

The hackers conducted some activities — such as sending spear-phishing emails aimed at U.S. government employees and contractors — that are examples of workaday nation-state espionage. But they also took actions far outside these bounds that included:

  • The 2014 attack on Sony Pictures.
  • The creation and use of the destructive WannaCry 2.0 ransomware.
  • A series of cyber-enabled bank hijackings across the globe wherein the spies tried to steal over $1.2 billion.
  • The theft of cryptocurrency valued at tens of millions of dollars worldwide.

Between the lines: Pointing the finger in cyberspace can often put the U.S. in uncomfortably hypocritical territory, as all major powers (and many minor ones) engage in cyber spying.

  • But the U.S. has the unambiguous ethical high ground with this latest indictment: U.S. intelligence agencies don’t hack banks to raise funds for the Treasury Department or seek vengeance over disfavored pieces of popular culture or create malicious cryptocurrency apps to steal from private companies to fund Washington’s weapons programs.
  • The fact that the North Korean hackers were behaving, in many instances, like non-state cyber criminals made it easier for the U.S. government to treat them like criminals — and pursue legal action against them.

Context: The North Korea case is an extreme example of other states’ divergent views on the appropriate objectives of cyber operations.

  • For instance, many states, including some close U.S. allies, regularly commit cyber-enabled economic espionage and theft of trade secrets to benefit their “national champion” companies.
  • American officials insist the U.S. does not engage in economic espionage — making it something of an outlier in the intelligence world.

Be smart: North Korea won’t extradite the hackers, and they’ll presumably never stand trial. Yet the act of naming and shaming these individuals may still hold real value for the U.S.

  • It may strengthen the international consensus against aberrant North Korean behavior (like massive bank theft).
  • Cyber espionage-related “speaking indictments” also provide a public service, detailing foreign cyber spying operations in an unusually open manner, a benefit to private cybersecurity firms, journalists and the wider interested public.
  • And these indictments impose costs on the named operatives, potentially complicating the individuals’ plans to, for instance, live in or visit countries that have extradition treaties with the U.S.

Yes, but: It’s unclear what, if any, deterrent effect these types of indictments actually have on foreign governments.

  • North Korea probably won’t stop robbing banks because the U.S. charged three of its intelligence officials. Their cyber operators rob banks because that’s where the money is, and Pyongyang needs it.

There are other risks, too, to criminally charging state-backed cyber operators.

  • One danger is that America’s adversaries will respond in kind, burning the identities and activities of U.S. intelligence personnel via criminal charges.
  • There’s next to zero possibility a hostile foreign power will successfully prosecute an American cyber operator it has charged, but some U.S. intelligence operatives still shudder at the possibility that they will become pawns, via this type of legal move by Moscow or Beijing, in a great geopolitical game.

The bottom line: Evolving norms around spying cut both ways, and as the saying goes: “The enemy always gets a vote.”
