“The loss of industrial information and intellectual property through cyber espionage constitutes the ‘greatest transfer of wealth in history,’” said Gen. Keith Alexander—at the time, the nation’s top cyber warrior.
In recent years, the problem of countries, companies, and individuals misappropriating the trade secrets of U.S. companies has only become bigger, more insidious, and more expensive to address, and lawyers and business executives have no choice but to deal with this increasingly complex problem. According to the U.S. Department of Commerce, intellectual property (IP) accounted for $5.06 trillion in value added, or 34.8 percent of U.S. GDP in 2010. IP alone accounts for over 40 million U.S. jobs and over 60 percent of all U.S. exports. U.S. companies have a lot to lose.
Economic espionage (sometimes called industrial espionage) is a major drain on competitive advantage, unique IP, and market share. Not only are U.S. companies directly hurt by the theft of their IP, but they may end up competing against their own technology advanced by the IP thief. Susan Brewer & Anthony Crescenzi, State-Sponsored Crime: The Futility of the Economic Espionage Act, Hous. J. of Int’l L. (Summer 2016). For example, “American oil and gas firms are frequently targeted and subject to theft of trade secret, business plans, exploration bids and geological data.” Blake Clayton & Adam Segal, Addressing Cyber Threats to Oil and Gas Suppliers, Council on Foreign Relations (June 2013).
Economic espionage is not new. What is new is the way IP is stolen. Cyber attacks are the most used method that other nations, companies, and criminals employ to root out and steal your IP and other valuable or sensitive information. It is our increased dependency on IT systems and networks that creates vulnerabilities, even though there are such obvious benefits and uses to them.
In May 2013, the Commission on the Theft of American Intellectual Property released a report that concluded that the scale of international theft of American intellectual property is . . . roughly $300 billion per year and 2.1 million additional jobs now in our economy. While China is not the only actor targeting U.S. IP and technology, it is the only nation that considers acquiring foreign science and technology a national growth strategy.
U.S. Congressional Committee on Energy and Commerce Hearing, Cyber Espionage and the Theft of U.S. Intellectual Property and Technology (July 3, 2013). So, depending on how you calculate the impact of economic espionage to U.S. businesses, it can mean a loss of roughly a billion dollars a day or more.
Did the September Agreement between China and the United States Address the Problem?
By some accounts, U.S. cyber espionage concerns subsided on September 25, 2015, when China unexpectedly agreed with the United States (and, later, other countries) to refrain from cyber economic espionage. It remains to be seen whether China ceases its governmental involvement in cyber economic espionage, although there is good reason to be skeptical. The “understanding” did not cover other forms of economic espionage, only the cyber variety. According to Reuters:
There were clear limits to Friday’s deal. A White House statement said the two leaders agreed that neither government would knowingly support cyber theft of corporate secrets or business information. But the agreement stopped short of any promise to refrain from traditional government-to-government cyber spying for intelligence purposes. That could include the massive hack of the federal government’s personnel office this year that compromised the data of more than 20 million people. U.S. officials have traced that back to China, but have not said whether they believe the government was responsible.
Given the increasing complexity of the way cyber attacks are carried out and the challenges of attribution or “pinning” an information heist on one person or organization, perhaps the Chinese merely were placating the United States. In other words, the Chinese can say they will cease cyber economic espionage because verification of the true identity of the thief is nearly impossible. Thus, it is difficult to know exactly whether anything really has changed.
Furthermore, as reported by the FBI in April of 2016, the “FBI’s number of investigations into possible economic espionage on U.S. businesses has increased by 53% within the past year.” Although the list of Justice Department cases do not differentiate between cyber and in-person theft, the list of active criminal cases involving trade secret theft is sizable.
Going Public May Be the Law, but It Does Not Look Good
Sizing up the problem is further compounded by the fact that, although reporting requirements mandate the disclosure of events that have a material impact to a publicly traded company, there are strong disincentives to disclose a successful IP theft. Not only does such a theft raise questions about management not doing its job or IT leadership failing to keep the bad guys out, but it also tells other bad guys that your company has inadequate security and could invite further cyber attacks.
On December 18, 2015, the Cyber Information Sharing Act became law. The law was designed to create a voluntary cybersecurity information sharing process to encourage public and private entities to share cyber threat information while protecting classified information, intelligence sources, privacy, and more.
It remains to be seen whether the law will address the reluctance of companies to come forward.
The Law Cannot Really Solve the Problem
In-house lawyers play several roles that can help mitigate the effect of economic espionage on their individual company. From negotiating better security software agreements, to legally protecting IT, to aggressively going after IP thieves, lawyers increasingly play an important role. For the most part, however, lawmakers have been hamstrung in finding an effective legal solution to the theft of company trade secrets.
In this regard, it is important to differentiate between cyber economic espionage and in-person theft. In the case of cyber economic espionage, the “theft” is almost always done remotely and outside the United States by operators that go to great lengths to obfuscate their identity and whereabouts.
The issue is so great that new laws are needed to stem the flow of U.S. ingenuity. For example, the Cyber Economic Espionage Accountability Act was proposed to take aim at foreigners present in the United States and stealing IP.
Although the Economic Espionage Act of 1996 (EEA), 18 U.S.C. § 1832, is the major criminal law on which perpetrators of economic espionage are prosecuted, it may be ripe for reworking. David P. Fidler, Economic Cyber Espionage and International Law: Controversies Involving Government Acquisition of Trade Secrets Through Cyber Technologies, 17 ASIL Insights 10 (Mar. 20, 2013). In U.S. v. Hanjuan Jin, the defendant was convicted of trade-secret theft, but was acquitted of charges under the EEA because there was insufficient evidence of the China connection.
Economic Espionage Act
The Economic Espionage Act details the legal framework for theft of trade secrets:
(a) Whoever, with intent to convert a trade secret, that is related to a product or service used in or intended for use in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will, injure any owner of that trade secret, knowingly—
(1) steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains such information;
(2) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such information;
(3) receives, buys, or possesses such information, knowing the same to have been stolen or appropriated, obtained, or converted without authorization;
(4) attempts to commit any offense described in paragraphs (1) through (3); or
(5) conspires with one or more other persons to commit any offense described in paragraphs (1) through (3), and one or more of such persons do any act to effect the object of the conspiracy, shall, except as provided in subsection (b), be fined under this title or imprisoned not more than 10 years, or both.
(b) Any organization that commits any offense described in subsection (a) shall be fined not more than the greater of $5,000,000 or 3 times the value of the stolen trade secret to the organization, including expenses for research and design and other costs of reproducing the trade secret that the organization has thereby avoided.
There have been several convictions under the EEA, but the true effectiveness of the law as a deterrent is questionable. The EEA has already been amended to increase penalties from a conviction, but still it seems like a drop in the bucket given the volume of IP theft. The EEA may be more effective if amended to allow for a private right of action, letting companies sue for the harm caused from theft of their IP.
On the international stage, agreements, treaties, and organizations exist but may be of limited usefulness in addressing IP theft. For some countries, economic espionage is no different than regular espionage and is considered “fair game.” With few laws to convict the criminals and many practical limitations, understanding how trade-secret crimes are perpetrated today may make more sense to preempt or mitigate harm or to protect your company’s information crown jewels before the theft has transpired than expecting real economic redress through any legal channels.
10 Shocking Ways They Are Stealing Your IP and Corporate Mojo
The world of economic espionage has become rather sophisticated, and in-person theft is very different than cyber theft. When your corporate value may be in jeopardy, it is prudent to assess the risk and attempt to mitigate the issues that create the greatest risk. For example, if your organization needs engineers and hires from abroad, conducting deep background checks, and even hiring judiciously from countries that pose the greatest risk, are prudent courses of action.
If the cyber assault on your IT infrastructure suggests that the bad actors are state entities trying to exploit a weak perimeter, different fixes are needed. In that regard, IT security, although good, will never keep out all the bad actors all of the time. No matter how much money and effort you exert to solve the problem, if they want it badly enough, the cyber thieves will find a way.
What follows are the things that your company is doing wrong and the frankly shocking and brazen nature of how your people and systems are assaulted.
1. The Internet of Things (IoT) Is Awesome and Scary
The IoT involves smart devices (i.e., devices embedded with software and sensors such as copiers, medical devices, refrigerators, sports monitors, TVs, cars, music devices, etc.) that are connected to the Internet and collect and transmit information, sometimes without your knowledge. They continue to make everything interconnected and accessible, but often have limited security, making your information even more vulnerable to cyber attacks, and making it harder to calculate risk.
The prediction is an explosion of IoT and smarter and more connected devices over the next decade, which does not bode well for stemming the tide of theft of trade secrets. In other words, the IoT may be a way your trade secrets are exposed, exploited, and exfiltrated.
2. Economic Espionage as a Service
You can buy almost anything on the “dark web” that you cannot buy on the mainstream web, such as stolen credit-card numbers, stolen IP, and even IP thieves themselves. “Economic espionage attacks can be aided by espionage-as-a-service offerings that are readily available in cybercriminal underground forums and markets and the Deep Web. Attackers can easily buy the tools they need to spy on and exfiltrate highly confidential corporate data or “company crown jewels” from rivals. They can even hire hackers to do the actual spying for them,” according to Trend Micro.
In addition to state actors, IP theft is now increasingly perpetrated by sophisticated cyber mercenaries. Lawyers can help address the new threats by ensuring that heightened security functionality is part of new technology purchases when negotiating contracts on behalf of their company, mandating that company information is stored only in hyper-secure, compliance-driven Clouds, and that policy dictates that information is encrypted when “inflight” or “at rest.”
3. Beware of the Never-Ending Assault of Malware
Malware is malicious software that seeks to get in and grab data, spy, lie in wait to do something nefarious in the future, disrupt IT, and more. Although there are sophisticated attacks on IT security systems, many cyber attacks are successful because they bombard organizations with thousands, or even millions, of cyber assaults just to find a way into company computers. There are endless examples of hacks on U.S. companies that have caused major harm. Persistence combined with greater sophistication means cyber attacks will continue seemingly unabated.
What lawyers can do is help IT professionals combat persistence with compliance. Compliance methodology must be applied to IT and information-security policies and practices. Compliance methodology tends to institutional vigilance and “good” corporate behavior, which helps employees get it right and helps insulate the company if all else fails, as the built-in rigor manifests reasonableness. In other words, the company cares and tries, and institutionalized caring matters to shareholders, markets, the court of public opinion, courts, regulators, and the bottom line. Randolph Kahn, Information Nation: Seven Keys to Information Management Compliance Second Edition (Wiley Press, 2009).
4. Grabbing Treasure Troves Undetected Has Become Easier
More and more data fits in smaller storage devices, which makes stealing more and more valuable data that much easier. Further, sending the information outside the firewall via e-mail and the IoT has been effective as well. The CIA and NSA hacks are just recent examples. Organizations are not “risk profiling” their information so that they can apply the necessary protections. The fact is that not all information is equal in value, and organizations are woefully negligent at managing to that reality. The problem is that, as information volumes increase (and they are already massive for most big companies), being vigilant about everything is impractical.
Most companies have policies that require encryption of company trade-secret information and protection of any confidential information sent outside the protected firewall. Too often, however, information travels freely without any protection or encryption outside the company. In other words, policies are not followed, which leads to exposed IP.
However, the place to start to address the issue is knowing which information deserves protection. Large companies usually have information-security classification regimes that are underutilized or improperly utilized by employees, and technology that can apply the rules “automatically” too often is not harnessed either. To protect information and IP, it must be classified as a trade secret. In any event, the law requires that reasonable steps be taken to protect IP if you want to be able to assert your legal rights, and that begins with classification as well.
Lawyers can help reinvigorate classification regimes, simplify and redraft existing classification policies, and insist on the use of encryption technology. Once again, compliance methodology can help institutionalize vigilance.
5. Demanding Code and Information and Exploiting Legally Mandated “Backdoors”
One way some countries are gaining access to U.S. IP is by requiring the transfer of your company’s information (i.e., trade secrets), including computer code, to be allowed to do business in their country. Indeed, some countries even legislate the result, according to the World Economic Forum, which stated that “China, for instance, has joined Russia in tightening the requirements placed on foreign companies to store information within national borders.”
Another way IP is extracted is by providing access to IP and computer code through “backdoors” to encryption technology. In other words, the locked door protecting your trade secrets is now unlocked. From the hearing before the U.S.-China Economic and Security Review Commission: “Recently the government in Beijing has proposed a series of regulatory provisions that would require U.S. tech companies and their foreign customers, especially financial institutions and banks, to turn over source code and encryption software, effectively creating backdoor entry points into otherwise secure networks, all being done, of course, under the guise of cybersecurity.”
Before sharing a company’s secret sauce, its lawyers must advise their clients on how to proceed, if at all, with maximum protections in place.
6. Cyber Thieves Are Successfully Exploiting Laziness and the Lack of Understanding
The Office of Personnel Management (OPM) hack and so many others were successful because proper authentication to gain access is not effectuated. Many cyber hackers are successful because IT security is unimpressive at best. That is the reality, in part because there is a misunderstanding of how to keep cyber hackers away from your data, as well as a lack of vigilance in doing it. One easy solution to secure important information is to use better authentication techniques.
Two-factor authentication is the very least your company should be using. Passwords alone are not sufficient, as real hackers have technology that will crack your password in no time. Good passwords today are about concepts or ideas, not words. So instead of using “Fluffy123,” the better password is “MyLastDogAte5Shoes.” Still, that is only the first layer and not enough by itself. Every archive containing company “trade secrets” needs at least two-factor authentication, and there is confusion about what two- and three-factor authentication is, so the following is provided to clear it up:
- one-factor authentication is a unique something the employee knows, such as a strong password;
- two-factor authentication is the first factor plus something the employee possesses, such as a company ID card and security code, a security fob that generates a unique code, etc.;
- three-factor authentication adds to the above something the employee is, such as a voice scan, fingerprint, eye scan, etc.
Lawyers must revisit these information-security company policies and gather audit and compliance groups to focus greater scrutiny on how databases and repositories are managed. It may have prevented 20 million Americans from having their personal information stolen.
7. New Techniques and Never-Ending Attacks of Spear Phishing, Ransomware, and Zero-Day Malware Will Catch Someone Off-Guard
Cyber thieves are using more sophisticated ways to breach company security, including spear- phishing, ransomware, and zero-day malware attacks. Unlike phishing, which uses an e-mail and a malicious code attached from an organization with which you were not expecting to communicate, spear phishing is a communication from a trusted individual or organization and one with whom you are likely to engage. This far more targeted and sophisticated approach scams even technically sophisticated people. According to Trend Micro:
Using the intel gathered during reconnaissance, the attackers typically send contextually relevant malware-laden spear-phishing emails to the chosen high-ranking corporate official. This helps ensure they get the credentials with the highest level of access required to infiltrate systems where company crown jewels are stored. Network command and control (C&C) is then established aided by backdoors, remote access Trojans (RATs), or other malware. Attackers then move laterally across the network to seek out top-secret data. The data is then exfiltrated to a site that only the attackers have access to for selling to the highest bidders or delivery to the individual or company that hired them.
Ransomware is even more malicious. It is a special type of malware that secretly installs on a computer and then either holds data hostage, or is a sophisticated leakware that threatens to publish the data. It works by locking the system or even encrypting the files until a ransom is paid.
Finally, unlike in years past, organized entities are now seeking to harvest information or company trade secrets using zero-day malware that got its name because it is so new that no commercial anti-virus software exists yet to eradicate the harm.
8. Exploiting the Slow-Reacting Security Team
The hack of OPM, which has been linked to China, is a perfect example of breaching security and trolling for information. In that case, the bad guys made off with the most extensive collection of personal information about U.S. government employees, past and present, ever.
Shockingly, the OPM IT security team had watched and monitored the bad guys moving throughout their IT systems for months before the information was extracted. Had the IT staff reacted in a timely manner, they likely would have been able to protect the trove of information that ultimately was stolen.
Assuming the bad guys will get in from time to time, it is worthwhile walling off data and setting up “honey pots” in your archives. Honey pots are information troves marked “M&A targets,” “products specs,” or other valuable targets to attract the criminals to a specific location. That misinformation sends the bad guys in the wrong direction.
Lawyers can help customize the honey pots to deal with the various possible assaults on select pools of data depending upon the target country of the thieves, given that certain countries are after money and pricing information, while others are after M&A targets and product designs.
9. Exploiting Your Relationships and Joint Ventures
During negotiations between Westinghouse Electric and a Chinese state-owned nuclear power company, the companies began to cooperate more closely, and the Chinese partner “stole from Westinghouse’s computers, among other things, proprietary and confidential technical and design specifications for pipes, pipe supports, and pipe routing within the nuclear power plants that Westinghouse was contracted to build, as well as internal Westinghouse communications concerning the company’s strategy for doing business,” according to the Wang Dong Indictment.
For all relationships with partners doing business outside the United States, local lawyers will be essential to guide the transaction. Equally as important is limiting access to trade secrets and IP not part of the transactions. That may mean limiting access to facilities and systems where such information is housed, and having strict rules ironed out about who gets access to what information. If cloud-based collaboration tools are used to work on the partnership, more strict rules about what can and cannot be stored and shared in such environments is essential.
Make sure that your IP stays in the United States if possible. If you must bring your IP, make sure there are agreements in place for every eventuality, understanding that such measures still may not be enough protection. Perhaps more importantly is the need to control access to your information and to limit the number of people that have access.
There have been many cases where a “partner” is manufacturing in China and uses the U.S. company’s molds or designs. If there is no agreement governing the molds or designs, and what happens when the relationship ends, then it is quite possible that the Chinese partner will retain the molds or designs and use the same for their own benefit. Even if you have an agreement governing what happens when the relationship is over, they may still steal your molds and designs to work against you.
10. They Are Getting Information from Your Workforce or Your Recruiter
IP is being stolen by competitors or foreign entities hiring operatives who may work at your business for years or even decades. Monitoring and auditing information transmissions and extreme vetting must be utilized to mitigate this risk.
Even more troubling is the recent revelation that the Chinese have begun U.S.-based recruitment and headhunting firms that appear perfectly legitimate, but really are placing “operatives” at U.S. businesses that have IP deemed strategically important to China. Further, according to the FBI, job advertisements are posted online by those intent on stealing IP to attract employees.
Economic espionage from abroad is a significant and growing concern. Cyber attacks are becoming more challenging to combat and, in conjunction with traditional physical stealing of trade secrets, poses a large existential threat to American businesses, the economy, and security.
In the United States, officials are pursuing an enhanced and comprehensive strategy to attempt to counter economic espionage and IP theft in general. Many agencies, including law enforcement, are focused on the problem, and it is a top priority for the FBI. In the end, however, self-help likely is U.S. companies most prudent avenue. In that regard, lawyers play a unique and important role: negotiator, risk manager, creative drafter, and hopefully not litigator. At about a billion dollars a day of U.S. IP theft, however, U.S. companies have much to lose, and they are continuing to lose.