ChatGPT, North Koreans, and America's Infrastructure
LLMs and the DPRK come for licensure
Two days ago, twitter user “@browsercookies” broke a story that caught my eye. He’s still tracking and uncovering the network, and so publicly, the claims are as of yet relatively unproven, but I reached out via DM to see what he could share and based on what he provided privately, the story seemed plausible enough to me to serve as a cautionary tale for my audience, many of whom are or employ engineers.
Browsercookies started by uncovering a network of North Korean remote IT workers, mostly through web forensics.
Overall, I wasn’t too surprised to see that the lucrative flows of the global IT sector were being tapped by the DPRK. The Kim regime has suffered under sanctions and as a result is very creative with how they source their money, with lots coming in from crypto scams, ransomware attacks, and cybercrime in general.
These regime sanctioned cyberwarriors are picked from an early age based on their displayed affinity for math or computers, trained in specialized programs at schools like Kim Chaek Univeristy of Technology, Kim Il Sung University, and Moranbong University, and then deployed by the regime as a means of funneling foreign currency into the country. Some have even speculated that they may cross train with CCP and Russian hackers in cities like Shenyang and Vladivostock.
You can think of these cyber warriors as being projects of the Kim regime in a similar way that the USSR’s Olympic athletes were often projects of Soviet cultivation. The difference is that instead of prestige, these hackers seek only cold hard cash.
The Kim regime needs this foreign cash to import goods from outside of DPRK, since no one trusts them enough to accept North Korean fiat as a means of payment. Despite the Juche ideology of extreme self reliance, the DPRK is a country starving for essentials like fuel, fertilizer, machinery and grain.
One new avenue for the DPRK to make this money has been to ride the recent wave of remote work. Browsercookies and others have documented the scale of this system as it pertains to IT, finding that a single remote worker can make the regime up to 300,000 USD/year, of which the regime pocket 90%. No one really knows how many remote workers there are in DPRK, but some estimate it at 8,000-12,000 workers.
If every worker hit those numbers, we’re looking at 3.6 billion USD, or 150% of the value of all other exports from DPRK. And there is definitely room to grow. Even if every one of those workers earns that maximum of 300k, that’s only a very small slice (less than 1%) of the global remote IT market, which weighs in at around 500 billion USD.
And remember, this is just how much they can make by impersonating legitimate workers remotely. The entire time they are doing work on these remote contracts, they are also doubling as cyberspies, building backdoors, collecting information, and laying the groundwork for hacks and ransomware attacks, which bring in even more foreign cash.
So what does this have to do with America’s Infrastructure? Well this is where things get interesting. Turns out, the DPRK hasn’t bounded themselves to the IT industry. Browsercookies recently put out a post tracking a network of these remote workers who have stolen the stamps and seals of professional engineers and are using them to churn out cheap design documents like plans, scopes, and specifications.
These stamps aren’t counterfeit, they’re stolen. Meaning that the DPRK are probably impersonating these engineers remotely, signing contracts in their name, and putting these engineers on the hook for the liability associated with the designs.
As an econ-exposed individual, I have mixed feeling about licensure. There is of course a beauty in the degradation of market barriers. (You can read here about the civil licensure process.) But the stamp is also a contract between the engineer and the public. The trust and responsibility it represents is foundational (literally!) to much of America.
If a bridge falls down and you are the engineer who stamped it, your work will be investigated for negligence, and you will be held personally liable if you are found to have made a mistake. This willingness to put ourselves on the line and the incentive to be sure in our designs is what allows most of society to blindly trust that when they use a bridge, it wont collapse, that when they flip their light switches their homes won’t burn, and that when they drink from the tap, they won’t get sick.
Browsercookies claims that they have found some of the worker’s ChatGPT logs, which they use to write scopes and solve problems.
This is where I feel conflicted. There is of course a contingent in the design industry who is vehemently opposed to LLMs, who are going to have a field day with this story. But there really isn’t anything wrong with using technology to do work like this, and I hope the industry adapts and changes so that we can build abundantly.
The reason this is intolerable and risky is the DPRK isn’t party to the contract that binds engineers to the public good of the society we serve. They probably aren’t checking the results of these models very closely, and they certainly won’t be there to clean it up when things go wrong. Layer on top of that the implications for national security and the whole thing leaves a bad taste in my mouth. Without systems to strictly verify who is doing what work and how, I see this as a big blow to the future of remote design.
What do my readers think of this? If you work at a design firm, how do you decide whether to use remote workers? How might your QAQC process change, knowing that this is a threat? What can Professional Engineers do to protect their stamps?
I’d love to hear from you in the comments. Thanks for reading,
-Connor, OfAllTrades
I'm an architect and have a very small design firm. I don't hire remote but know those who do. One of the main reasons I don't is because I think that ours is an apprenticeship model of gaining expertise. I learned from skilled architects by studying our detail library, developing new details, and working with craftsmen on site. From what I can tell, other architects hire remote foreign workers for construction documents, and keep their local teams focused on schematic details and ideas. I imagine this allows them to bill high rates and make an enormous overhead.
I think it's a disservice to younger architects to limit their work to schematic design while outsourcing the drawings of the ways the things are actually built to people outside the region. I think hiring remote shows a lack of faith and trust in our local communities and I think there's a social obligation as a licensed practitioner to promote local relationships.
(It feels like the difference between calling a telehealth doctor in some other state for a quick prescription vs. having a regular gp.)
Oddly, I wouldn't feel as bad having an AI develop construction details.
I will pass your article around our community because other practitioners do hire remotely and this is something to consider.