How much have sanctions affected PUST? Not enough, apparently.

Chan-Mo Park, the Chancellor of the Pyongyang University of Science and Technology, or PUST, and a U.S. citizen, is blaming South Korean bilateral sanctions for his difficulties recruiting new academic talent.

He told VOA on Wednesday, “We want to recruit South Korean professors, but the May 24 measure blocks it.”

He was referring to trade and exchange sanctions South Korea made against North Korea on May 24, 2010. The sanctions came after South Korea accused the North of sinking one of its naval boats and claiming the lives of 46 sailors. [VOA]

But just as another North Korean ballistic missile test has failed, Park’s plea may not draw much sympathy  in Seoul.

North Korea’s nuclear and missile tests earlier this year have further isolated the country. In March, a United Nations Security Council resolution placed further restrictions on North Korea’s financial activity.

The school chancellor says that despite international tensions, the university is growing. It is largely supported by Western-based Evangelical Christians. It currently hosts about 500 enrolled students and 100 professors. Some are U.S. citizens. [VOA]

This isn’t the only recent report that PUST has been having difficulties, although other reports have attributed those difficulties to other reasons. In April, South Korea’s No-Cut News reported that donations to PUST from American and South Korean donors had fallen, reducing its monthly budget from $100,000 to $50,000. The same report also claimed that North Korean authorities were trying to force founder and U.S. citizen Kim Chin-kyung out of the PUST leadership, for unexplained reasons. The North Korean government has also failed to follow through with previous commitments for a loan to PUST, and to build an electrical transformer for the campus.

By contrast, U.N. and U.S. sanctions have largely spared PUST thus far. The newest U.N. sanctions resolution bans the provision of “technical training, advice, services or assistance related to the provision, manufacture, maintenance or use” of nuclear, missile, and other WMD-related technology to North Korea, but not technology that could be used for cyberattacks.

PUST continues to export potentially sensitive technology from the U.S. to North Korea under licenses previously granted by the U.S. Department of Commerce.

But if sanctions have largely spared PUST’s computer and cyber-related training programs, it’s worth asking whether they should have. Last December, two North Korean defectors, including one from North Korea’s electronic warfare command, claimed that Pyongyang was recruiting PUST graduates for cyber warfare, and was sending elite recruits for its military and internal security forces to PUST for scientific and technological training. The claim certainly sounds plausible. Topics taught at PUST include “computer hardware systems, wireless communications, data communications and networks, digital communications, pattern recognition (linked to robotics and industrial automation courses), artificial intelligence, data structures, algorithm design, web programming and object-oriented programming.” 

This isn’t the only occasion on which North Korea has been accused of misusing “engagement” programs that transfer technology to North Korea. In January, I raised the question — still unanswered — about whether Syracuse University’s program (unrelated to PUST) to teach North Korea digital watermarking had been used to trace and identify readers of censored content. Last year, this post at 38 North accused North Korea of using a Swiss-funded bioinsecticide program to build an anthrax factory.

Lately, it seems that each week brings a new story of North Korea being blamed for hacking something. This week, it’s a South Korean cybersecurity firm. Last week, it was accused of hacking SWIFT, the postal system for the entire international financial system, to steal $100 million. The week before that, it was a South Korean defense contractor. And so on. North Korea has been implicated in some of these attacks because of the similarity of the malware to that used to hack Sony Pictures in 2014, an attack that effectively terrorized Hollywood out of making any new films about North Korea and made our own freedom of expression significantly less free. And let’s not forget about Pyongyang’s alleged hackings of the Seoul subway system or a string of nuclear power plants in South Korea, either.

PUST, naturally, denies that it is training North Korean hackers, but does not explain how it could possibly know this. Does PUST keep records of which students go on to join Unit 121, the Reconnaissance General Bureau, the Ministry of People’s Security, or the North Korean military? If PUST’s denials are difficult to credit, then the next-best question may be whether the skills PUST teaches young North Koreans could be used by hackers. NK News asked a technical expert, and this was his answer:

But while none of the courses were “hacking” courses per se, a Seoul-based computer engineering professor said that learning how to hack was an essential part of learning computer engineering. The professor, speaking on condition of anonymity, said that students needed to learn hacking for defensive purposes, but indicated this information could be put to use for other purposes.

“Yes they do, not only for North Korea but in U.S. and in (my university) we teach theory on hacking as a required subject,” he said. “One must learn the theory of hacking to excel in defending data from the attacks of hackers. So to make that possible, any computer engineering would teach the theory of hacking.” [NK News]

Whatever role PUST plays in training North Korean hackers, it’s probably not exclusive. A 2014 report by Hewlett Packard names Kim Il-sung University, Kim Chaek University of Technology, and the Command Automation University (or Mirim University), as places where Pyongyang trains its hackers. HP’s report does not name PUST. (In this regard, HP’s report is more directly damning for the Syracuse University exchange program; Kim Chaek University of Technology is its partner.)

But unless one assumes that HP knows everything about where Pyongyang trains its hackers, it’s likely that it trains them different skills at different schools. Foundational training and more advanced training probably take place in different facilities. Given what PUST is known to teach its students, the defectors’ allegations that PUST is at least one of those facilities makes sense. That means that some Americans may well be teaching North Koreans to hack other Americans (and South Koreans, and Europeans, and everyone else). And if they are, they’re doing it all with a license from our own Commerce Department.

It’s fair to point out that PUST also provides medical training to North Korean students. Although some medical technology is also sensitive for purposes of export controls, training doctors, dentists, and nurses does not carry the obvious risks that IT training does. Commerce need not summarily revoke all of PUST’s licenses to mitigate the risk that it’s training hackers. Instead, it should review those licenses individually. When North Korea’s increasingly brazen hacking poses a rising threat to our freedom, our security, and our economy, PUST’s IT-related training poses an unacceptable risk of misuse.

Of course, weighed against these risks, PUST says it’s advancing U.S. national interests by teaching its students about hip-hop music. So maybe in 40 years, some AP reporter can hail the arrival of the beat box in North Korea’s capital. Which, hopefully, won’t be Seoul.