(Illustration by Stuart Briers.)
Of the many emotions spurred by U.S. intelligence agencies' conclusion that Russian hackers sought to influence the 2016 presidential election, one of the most prevalent was a sense of disbelief. But far from the lights and acrimony of the election, the corporate world knows all too well that such cyberespionage is not only possible, but is becoming more commonplace every day.
The evolution of cyberespionage—the theft of sensitive information for malicious intent or the benefit of a perpetrator, whether it be a criminal actor, state government or competitor company—has presented complex challenges to many corporate counsel tasked with protecting and legally defending their enterprises.
Though faced with limited legal remedies, counsel are coming up with creative new ways to go after cyberespionage actors, and partnering with an array of cyber professionals and government agencies to combat the threat.
Their efforts speak to a landscape more perilous than ever before, and one that all corporate actors must understand head on. James Melendres, co-chair of the cybersecurity, data protection, and privacy practice at Snell & Wilmer, explains, "I think that the most important takeaway for [corporate] counsel, for companies' leaders or C-suite folks, is to recognize that these are threats that are here, that are pervasive, that are sophisticated, that are not going away."
Reaching even beyond intellectual property (IP)-intensive, government-connected "high risk industries" like technology, aerospace and defense, modern cyberespionage represents a new era in corporate threat. Unmatched in audacity, it is driven in no small part by rampant nation-state meddling.
Christopher Swift, member of Foley & Lardner's government enforcement, compliance and white collar defense practice, defines this cyberespionage era as a result of two big trends. The first is the move "away from purely criminal operations to operations that have a broader corporate or political effect."
The second is the simultaneous "rise of state-sponsored or state-directed cyberespionage, often in concert with some of the criminal operations, not necessarily separate from it, but definitely in some instances standing behind it."
Unlike past threats, the purpose of modern cyberespionage "isn't always financial theft," Swift says, explaining that these attacks may also seek to undermine a company's reputation, cripple its day-to-day operations and impact its stock price.
Many cybercriminals accomplish such feats by stealing and publicly releasing sensitive information from a target. This practice, known as doxing, was most notoriously used in the 2016 election as well as the 2014 North Korea-sponsored cyberespionage attack on Sony Pictures.
As cyberespionage attacks have evolved, however, so too have the responses they elicit. For Melendres, a watershed moment in modern cyberespionage came during the U.S. government's response to the 2010 China-sponsored cyberattacks on a host of U.S. energy and manufacturing firms, including U.S. Steel and U.S. subsidiaries of German solar technology company SolarWorld.
In May 2014, a grand jury in the Western District of Pennsylvania indicted five members of the Chinese military for computer hacking, economic espionage and other offenses in relation to the attack. This represented "the first time that foreign [government or military] actors had been named publicly" as perpetrators in cyberespionage, Melendres explains.
He adds, "While [the indictment] certainly was not a silver bullet by any stretch of the imagination, it was a case that demonstrates that this was unacceptable, that this was something the FBI and U.S. Justice Department (DOJ) could investigate, [that] this was a criminal act that would be prosecuted."
Cyberespionage has also recently targeted the legal sector directly. In late December 2016, the U.S. Attorney's Office for the Southern District of New York indicted three Chinese nationals for hacking two law firms' servers in 2014 and 2015 to steal company M&A information. The unsealed indictment did not name the compromised law firms.
The Limits of Legal
The indictment was essentially a call to arms—with the blessing and aid of the DOJ, cyberespionage victims could fight back against nation-state perpetrators themselves, not just the criminals they support. But bringing justice to nation-state actors, let alone their associates, is much easier said than done.
Corporate legal teams can help prosecute cybercriminals through a variety of criminal and civil statutes, such as the Computer Fraud and Abuse Act of 1986 and the Economic Espionage Act of 1996. They can also utilize various state laws, many of which are based on the Uniform Trade Secrets Act. Further, because of the recently enacted Defense of Trade Secrets Act of 2016, corporate attorneys can more easily utilize federal laws. The Act provides a new federal level of action for trade secret misappropriation.
But no matter what law is used, civil or criminal prosecution will most likely be a slow process, and one that may prove ultimately ineffective given that statutes only apply within U.S. jurisdiction. The problem with prosecution, therefore, is that "the legal system and its solutions are by definition territorial, and the cyberespionage threat may come from U.S. or any other country," explains Olga Mack, general counsel at ClearSlide, a software provider for sales and marketing teams.
This means that while "restitution is a standard penalty that is a part of the federal criminal justice system," Melendres adds, it can be difficult to obtain in dealing with foreign actors in countries like China that lack extradition treaties with the U.S.
Difficult, but perhaps not entirely impossible. A victim of a 2010 Chinese cyberespionage attack, U.S. Steel and its legal team are pushing the boundaries of how cyberespionage can be prosecuted.
During the 2010 attack, U.S. Steel suffered theft of trade secrets relating to the manufacturing of new steel alloys, and in the years to follow, a loss in business once the alloys were commercialized by Chinese manufacturers and furtively exported into the U.S. and global markets.
Not content to wait for criminal prosecution, U.S. Steel looked to a newly empowered United States International Trade Commission (USITC) for restitution. In 2013, the U.S. Court of Appeals for the Federal Circuit in Tianrui Group Co. v. International Trade Commission established the USITC's extraterritorial authority to block imports of products into the U.S. through the application of Section 337 of the Tariff Act of 1930. The section concerns unfair or unlawful import trade practices with regard to intellectual property infringement.
In early 2016, U.S. Steel successfully petitioned the USITC to take up a Section 337 investigation against a multitude of Chinese steel manufacturers, seeking to bar their steel products from entering the U.S. The investigation is currently pending.
The use of Section 337 here is a novel approach: the section is regularly used for IP cases involving medical devices, technology and pharmaceuticals, and was last used by a steel maker in 1978.
Suzanne Rich Folsom, general counsel, chief compliance officer and senior vice president of government affairs at U.S. Steel, explains that Section 337 "is typically known for the expeditious adjudicatory process available to aggrieved parties who seek relief for the infringement of intellectual property rights, like patents and copyrights."
She adds, "U.S. companies faced with decisions about how to legally address cyber incidents should certainly investigate all of the specific information associated with the incident, explore all available and applicable avenues of legal recourse, and bring all powers to bear against illegal actors."
Laura E. Jehl, partner at Sheppard Mullin, calls U.S. Steel's strategy "a creative use of existing laws." She notes that "if it succeeds, I think we'll see a number of U.S. companies follow suit."
The use of Section 337 to mitigate damage from a cyberespionage attack, however, has some obvious limitations. For one, it is a U.S.-specific solution, Mack says. "You can only stop goods at the border of the U.S."
And though action through the USITC is "relatively quick compared to federal courts, it also takes some time. So it is a tool for a very narrow purpose and limited effectiveness," she adds. "Just like most legal tools, it is good in some cases for very narrow fact-specific purposes."
Such a strategy, after all, does little to help victims of doxing.
Partners in Prosecution
Though there is little legal recourse against doxing, putting government pressure on nation states supporting cybercriminals, implementing cybersecurity controls, and sharing intelligence affords corporate counsel some leverage. None of these actions, however, can be accomplished unilaterally.
As with any corporate cybersecurity plan, there is always a need for collaboration across multiple departments, including legal, to create and test security incident plans, cybersecurity controls, and protections around sensitive data.
"An ounce of prevention is worth a pound of cure," Melendres says. "Companies should inventory their digital crown jewels, including, but not limited to, legally defined trade secrets, and assess the technical protections in place to protect those assets, including network segmentation and access controls."
In addition, it can be just as pivotal for counsel to promote collaboration between other companies, industries and government agencies to ascertain and share real-time threat intelligence. "One key resource that companies tend to underestimate is true threat intelligence that allows companies to assess risks," says Alexa King, executive vice president and general counsel at cybersecurity firm FireEye. "Companies today are making decisions about security without regards to the types of actors targeting, their methods and intentions."
Jim DeGraw, partner in Ropes & Gray's corporate technology group, also stresses the need for in-house counsel to partner with a forensics firm after an attack, noting that "they have resources available to them that many companies don't, and they have much experience" with breach investigations.
And there are perhaps no better-equipped forensic teams than federal law enforcement agencies, such as the FBI. These groups, Mack says, "have a lot of resources, especially as compared to small or medium size, and often even relatively large businesses."
Collaboration with government law enforcement agencies may even be necessary, given how certain cyberespionage attacks constitute violations of U.S. economic sanctions and export control laws. Companies quick to contact and partner with government officials, Swift says, can help law enforcement officials understand that they were a "victim when these problems arose, and not a facilitator of a criminal act."
But working with the government also means ceding some authority over an investigation or prosecution. "The government does not work for you," Jehl tells her Sheppard Mullin clients. "You may choose to invite them in to investigate an incident or to share information with them, but you have very little control over the subsequent investigation or their use of that information."
Still, the government's ability to move the needle in cybersecurity matters often outweighs any unilateral success corporate counsel may achieve. Melendres, for instance, hails the Obama Administration's 2015 agreement with China not to engage in cyberespionage against the U.S. as a factor in significantly decreasing such Chinese-related attacks in 2016.
How the federal government will chip away at the cyberespionage threat in the years to come remains to be seen. But what is certain is that countering cyberespionage takes a village.
"At the end of the day, no company has enough resources to deal with state-sponsored rogue actors," Mack says. "We are [all] threatened. We need to work together to collectively deal with cyberespionage."