The North Korean Hacker Charges: Line-Drawing as a Necessary but not Sufficient Part of Deterrence

In an article at Daily Beast a few days ago, Jake Williams (who previously worked for NSA) criticized the U.S. government for charging a North Korean hacker in connection with the 2014 operation that caused extensive damage to Sony Pictures. In Jake’s account, the criminal complaint crossed a problematic line, both because it increases prosecutorial risk for soldiers in general and because it jeopardizes this particular soldier’s life at hands of his own regime. These are admirable but misplaced concerns. The charges are a step in the (too-slow) process of establishing redlines for hostile cyber operations, and thus a contribution to the larger (too-slow) project of building a deterrence architecture.

Intelligence activities as criminal activities: Why we don’t normally prosecute but sometimes should

As an initial matter, there’s nothing truly novel about these charges. I don’t mean simply that we’ve charged state-sponsored hackers before, though we have done so (with China and with Russia). Rather, I mean to make a more general point about espionage and covert action, whether cyber-enabled or not.

Espionage and covert action invariably violate the local criminal laws of the countries in which they take place. This is a well-understood fact of life for intelligence activities, entailing a degree of risk. Normally that risk does not actually materialize for individual officers, for states have other modes of response available (expulsions, attempts to flip someone, attempts to manipulate them, sanctions directed at the institutional or government level, etc.) and there are policy incentives (especially considerations of reciprocity) that typically favor reliance on those other means. But it is by no means unprecedented to decide to prosecute instead.

Several factors favor the prosecution approach in this unusual instance. First, the activity in question was not a run-of-the-mill intelligence activity of the sort that the United States itself routinely engages in. It targeted a purely private entity with no real connection to the U.S. government (let alone to U.S. military, intelligence, or other security-related functions), and it aimed (quite successfully) to cause massive economic harm to that entity. And it did so in a (partially successful) attempt to silence unwelcome expression within the United States and elsewhere around the world. This leads to the second point: Insofar as we think it is important to signal that Pyongyang crossed a line in this respect, the U.S. response has to be visible. Third, the usual options for a visible response are of little use in this case. Most notably, the option of imposing sanctions directed at the institutional or government levels already has been largely exhausted by the preexisting counterproliferation program directed at North Korea. And other forms of visible response might seem unduly risky from an escalation perspective, given the precarious state of military affairs on the Korean peninsula.

Bearing all that in mind, a prosecution is a reasonably attractive option. It poses a low risk of military escalation, yet it also is visible in a way that tends to emphasize the extent to which the North Korean operation against Sony arguably crossed the lines described above. That helps with the important, but difficult and gradual, process of building norms regarding hostile computer-network operations that occur outside the context of war.

The point is not that such norms themselves deter adversaries, but rather than they provide increasingly clear guideposts for U.S. policymakers as they determine whether and when to bring various instruments of power to bear in response to future provocations. In this respect, the charges play a role not unlike that played by cyber-operation authorization language in the John S. McCain National Defense Authorization Act (which I describe here). If and when such guideposts are matched with the political will to act on them, we may begin to see more progress in establishing a useful deterrent posture in cyberspace.

Is turn-about-fair-play?

Does this approach run the risk that other states—say Russia or China—will begin charging our hackers, citing our actions as precedent? As an initial matter, the “precedent” won’t actually fit unless the foreign government is alleging that our personnel have taken actions that intentionally wreaked economic havoc on a private enterprise. I’m aware of no evidence we have conducted or are likely to conduct such an operation, and were we to do it then—frankly—prosecution is just one of the many risks we’d plainly be incurring by doing so.

Of course, another country might disregard the particular limiting consideration I have been emphasizing here, and still cite the North Korea charges as (an inapt) precedent for prosecuting our personnel for far-more defensible cyber operations, such as run-of-the-mill espionage or covert action targeting a military or other security-relevant target. As noted above, this is already a notional risk with almost all intelligence activities. And though of course a foreign government might make a point of zinging us by referencing the North Korea prosecution as if it were a real trailblazer in this area, I’m doubtful that its existence would ever be actually-determinative in a foreign government’s decision to bring charges against our hackers; it would be referenced as window-dressing, not because it made an actual difference.

What about the impact on soldiers in particular?

Jake’s article expresses particular concern for the quandary this approach may put a foreign soldier in and, by extension, the possibility that we risk a prosecutorial spiral for soldiers more generally. It is another admirable sentiment, but I do not think the concern is warranted here.

Soldiers should be immune from ordinary criminal prosecution by the opposing state during armed conflict, so long as they are acting consistently with the law of armed conflict. And, indeed, they are. If and when servicemembers are participating in an actual armed conflict, the law of armed conflict includes the principle of combat immunity (or, as some prefer, combatant immunity or belligerent immunity). Pursuant to that rule, a soldier fighting for the regular armed forces of a state party is immune from prosecution under ordinary criminal laws for their actions. (This immunity of course does not extend to war crimes.) This applies just as well to computer-network operations, though again only if we have a relevant state of armed conflict to begin with and only if the operation is compliant with the law of armed conflict.

So what does all that mean for the North Korean hacker the Justice Department just charged? We do not have a current context of actual armed conflict between the United States and North Korea, and in any event the law of armed conflict certainly does not authorize attacks on civilian objects like the computer systems of Sony Pictures. The North Korean operation against Sony neither should be nor is immunized. The fact that this unlawful activity was carried out by soldiers rather than civilians does not and should not change this.

But what about the risk to this particular soldier?

The punchiest part of Jake’s article is the suggestion that Justice Department prosecutors may end up with “blood on their hands,” based on the prospect that North Korean authorities would kill this defendant before extraditing him. I have no doubt that DPRK authorities are capable of killing their own people, including this individual. But if that happens, it won’t be because they need to kill him as an alternative to extradition. There is no U.S.-North Korea extradition treaty, and there is no prospect whatsoever that Pyongyang would feel in any way compelled to turn him over to the United States.