State-Sanctioned Hacks: Is there ever any justice?

Late last week, the United States Department of Justice officially filed charges in the 2014 Sony Hack. Sony Corporation was hacked on November 25th, 2014 by an organization calling itself the Guardians of Peace (GOP). The GOP stole employee Social Security numbers, confidential emails, and unreleased films. The GOP then released the emails and films online where the films were downloaded over a hundred thousand times.

At the time of the hack, the FBI suspected that North Korean was to blame. The theory was that North Korea hacked Sony as a preventative measure to deter Sony from releasing the film, “The Interview”. “The Interview” followed the story of “two celebrity TV hosts [who got] a chance to interview Kim Jong-un. Before heading to North Korea, the[] hosts are asked by the C.I.A. to assassinate [the North Korean leader].” Despite its comedic effect, “North Korea . . . stated that if the movie were released, they would consider it an ‘act of war’”. When asked if it were behind the attack, North Korean officials stated that the U.S. should “wait and see”. In response to the troubling accusation, President Barack Obama imposed sanctions on several individuals and entities associated with the North Korean government.

In addition to those sanctions, the United States government charged Park Jin Hyok with conspiracy to commit wire fraud. He is the first individual to be formally charged in connection with this crime and likely will not be prosecuted in any American court. U.S. Officials believe that Park resides in North Korea but do not expect the regime to extradite him. This unsurprising reality raises questions about the role of justice in state sanctioned cyber-attacks. 

Advocates and critics alike realize the complicated nature of cyber warfare. On one hand, the United States wants to display strength and must adequately respond to state sanctioned attacks. While on the other hand, the United States does not want to escalate tensions between major world powers. Be that as it may, many argue that the United States’ response to cyber-attacks has never been, and will never be, sufficient.

Critics argue that economic sanctions on countries like North Korea and Russia woefully fail to deter and punish those officials for their actions. Because these countries have such independent economies, U.S. sanctions tend to amount to nothing more than diplomatic gestures that simply make the American people feel good. Critics further argue that when the United States attempts to respond in proportion to the harm done, it risks facing legal battles like it did with the Stuxnet hack. Furthermore, critics argue that the unprecedented charges against Park will fail to materialize and lead to but one conclusion – that there will never be real penalties for state-sanctioned hacks.

Advocates however, are optimistic about the future of cyber-warfare and the government’s ability to hold state actors accountable. A white house spokesman stated that the Sony hack is a “national security matter”. A cybersecurity expert noted that “Things will never get better unless there are penalties”. And Senate intelligence committee Vice Chairman, Mark Warner, remarked that Park’s criminal charges are “an important step in making clear to our adversaries that these kinds of criminal activities are unacceptable”.

Given that the U.S. government has formally charged an individual for crimes connected to the Sony hack in conjunction with the novelty of this act, one might reasonably conclude that, one day soon, there will be real penalties for state sanction hackers. However, only time will tell, but, if history shows us anything, it’s that we ought to be skeptical of such a possibility.