I’ll admit to having been a skeptic about how long working from home would endure as a mass phenomenon. I’ll also admit to having been wrong about this (so far).
I had not expected this twist (via Axios) either:
North Korean IT workers are posing as Americans to score coveted remote jobs and use the salaries to pay for their country’s missile program. . . .
The workers are linked to the regime’s Munitions Industry Department, which oversees its ballistic missiles and weapons production programs, according to the State Department.
As I see it, the use to which the salaries are being put may matter less than where these North Koreans are allegedly working and what they are really after. In Axios, Sam Sabin reports that federal prosecutors have “charged an Arizona woman and four other people last week with facilitating an elaborate North Korea-linked scheme to help their IT workers pose as U.S. citizens and secure remote tech jobs.”
These jobs included an aerospace manufacturer and a Silicon Valley tech company, among others. Clearly this is not an isolated incident (to its credit, the federal government has been warning about this problem for a couple of years), and Sabin reports that the scam comes with another twist. Many of these North Korean IT workers are based in China and Russia. That leads to the presumption that China, Russia, and who knows who else have been playing this game. It’s easy enough with a VPN and a stolen U.S. identity, and as Sabin points out, AI-generated deepfake technology can make that supposedly American remote worker even more convincing. I’m not an AI doomster, but it’s certainly the case, as Sabin notes, that AI can also help in putting together a credible résumé.
Sabin mainly appears to regard these operations as a new cyber scam (with added ransomware opportunities!), but the implications for sabotage, intellectual property theft, and espionage are obvious — and alarming.
Many of these sorts of workers, as Sabin highlights, may be freelancers working for a company for a short time and therefore limited in the damage they can do. Maybe. It’s also the case that in most organizations an employee won’t rise too far without in-person contact with co-workers. That gives some reassurance, but only some. Once a skilled operative has established an entry point into an organization, even if it’s only remote, he or she will often know how to make the most of it. That’s not good news.
I’m not sure how companies should respond to this threat other than, in the case of certain sectors, to restrict the extent to which they rely on people WFH — especially people they have never met.