Ricci Dipshan, Legaltech News
An exploration of the modern cyberespionage threat and how in-house legal departments are fighting back.
Illustration by Stuart Briers
Of the many emotions spurred by U.S. intelligence agencies' conclusion that Russian hackers sought to influence the 2016 presidential election, one of the most prevalent was a sense of disbelief. But far from the lights and acrimony of the election, the corporate world knows all too well that such cyberespionage is not only possible, but is becoming more commonplace every day.
The evolution of cyberespionage—the theft of sensitive information for malicious intent or the benefit of a perpetrator, whether it be a criminal actor, state government or competitor company—has presented complex challenges to many corporate counsel tasked with protecting and legally defending their enterprises.
Though faced with limited legal remedies, counsel are coming up with creative new ways to go after cyberespionage actors, and partnering with an array of cyber professionals and government agencies to combat the threat.
Their efforts speak to a landscape more perilous than ever before, and one that all corporate actors must understand head on. James Melendres, co-chair of the cybersecurity, data protection, and privacy practice at Snell & Wilmer, explains, "I think that the most important takeaway for [corporate] counsel, for companies' leaders or C-suite folks, is to recognize that these are threats that are here, that are pervasive, that are sophisticated, that are not going away."
Cyberespionage 2.0
Reaching even beyond intellectual property (IP)-intensive, government-connected "high risk industries" like technology, aerospace and defense, modern cyberespionage represents a new era in corporate threat. Unmatched in audacity, it is driven in no small part by rampant nation-state meddling.
Christopher Swift, member of Foley & Lardner's government enforcement, compliance and white collar defense practice, defines this cyberespionage era as a result of two big trends. The first is the move "away from purely criminal operations to operations that have a broader corporate or political effect."
The second is the simultaneous "rise of state-sponsored or state-directed cyberespionage, often in concert with some of the criminal operations, not necessarily separate from it, but definitely in some instances standing behind it."
Unlike past threats, the purpose of modern cyberespionage "isn't always financial theft," Swift says, explaining that these attacks may also seek to undermine a company's reputation, cripple its day-to-day operations and impact its stock price.
Many cybercriminals accomplish such feats through stealing and publicly releasing sensitive information from a target. This practice, known as doxing, was most notoriously used in the 2016 election as well as the 2014 North Korea-sponsored cyberespionage attack on Sony Pictures.
As cyberespionage attacks have evolved, however, so too have the responses they elicit. For Melendres, a watershed moment in modern cyberespionage came during the U.S. government's response to the 2010 China-sponsored cyberattacks on a host of U.S. energy and manufacturing firms, including U.S. Steel and U.S. subsidiaries of German solar technology company SolarWorld.
In May 2014, a grand jury in the Western District of Pennsylvania indicted five members of the Chinese military for computer hacking, economic espionage and other offenses in relation to the attack. This represented "the first time that foreign [government or military] actors had been named publicly" as perpetrators in cyberespionage, Melendres explains.
He adds, "While [the indictment] certainly was not a silver bullet by any stretch of the imagination, it was a case that demonstrates that this was unacceptable, that this was something the FBI and U.S. Justice Department (DOJ) could investigate, [that] this was a criminal act that would be prosecuted."
Cyberespionage has also recently directly targeted the legal industry. In late December 2016, the U.S. Attorney's Office for the Southern District of New York indicted three Chinese nationals for hacking two law firms' servers in 2014 and 2015 to steal company M&A information. The unsealed indictment did not name the compromised law firms.
The Limits of Legal
The indictment was essentially a call to arms—with the blessing and aid of the DOJ, cyberespionage victims could fight back against nation-state perpetrators themselves, not just the criminals they support. But bringing justice to nation-state actors, let alone their associates, is much easier said than done.
Corporate legal teams can help prosecute cybercriminals through a variety of criminal and civil statutes, such as the Computer Fraud and Abuse Act of 1986 and the Economic Espionage Act of 1996. They can also utilize various state laws, many of which are based on the Uniform Trade Secrets Act. Further, because of the recently-enacted Defense of Trade Secrets Act of 2016, corporate attorneys can more easily utilize federal laws. The Act provides a new federal cause of action for trade secret misappropriation.
But no matter what law is used, civil or criminal prosecution will most likely be a slow process, and one that may prove ultimately ineffective given that statutes only apply within U.S. jurisdiction. The problem with prosecution, therefore, is that "the legal system and its solutions are by definition territorial, and the cyberespionage threat may come from U.S. or any other country," explains Olga Mack, general counsel at ClearSlide, a software provider for sales and marketing teams.
This means that while "restitution is a standard penalty that is a part of the federal criminal justice system," Melendres adds, it can be difficult to obtain in dealing with foreign actors in countries like China that lack extradition treaties with the U.S.
Difficult, but perhaps not entirely impossible. A victim of a 2010 Chinese cyberespionage attack, U.S. Steel and its legal team are pushing the boundaries of how cyberespionage can be prosecuted.
During the 2010 attack, U.S. Steel suffered theft of trade secrets relating to the manufacturing of new steel alloys, and in the years to follow, a loss in business once the alloys were commercialized by Chinese manufacturers and furtively exported into the U.S. and global markets.
Not content to wait for criminal prosecution, U.S. Steel looked to a newly-empowered United States International Trade Commission (USITC) for restitution. In 2013, the U.S. Court of Appeals for the Federal Circuit in Tianrui Group Co. v. International Trade Commission established the USITC's extraterritorial authority to block imports of products into the U.S. through the application of Section 337 of the Tariff Act of 1930. The section concerns unfair or unlawful import trade practices with regards to intellectual property infringement.
In early 2016, U.S. Steel successfully petitioned the USITC to take up a Section 337 investigation against a multitude of Chinese steel manufacturers, seeking to bar their steel products from entering the U.S. The investigation is currently pending.
Using Section 337 against cyberespionage is a novel approach: the section is regularly used for IP cases involving medical devices, technology and pharmaceuticals, and it was last used by a steel maker in 1978.
Suzanne Rich Folsom, general counsel, chief compliance officer and senior vice president of government affairs at U.S. Steel, explains that Section 337 "is typically known for the expeditious adjudicatory process available to aggrieved parties who seek relief for the infringement of intellectual property rights, like patents and copyrights."
She adds, "U.S. companies faced with decisions about how to legally address cyber incidents should certainly investigate all of the specific information associated with the incident, explore all available and applicable avenues of legal recourse, and bring all powers to bear against illegal actors."
Laura E. Jehl, partner at Sheppard Mullin, calls U.S. Steel's strategy "a creative use of existing laws." She notes that "if it succeeds, I think we'll see a number of U.S. companies follow suit."
The use of Section 337 to mitigate damage from a cyberespionage attack, however, has some obvious limitations. For one, it is a U.S.-specific solution, Mack says. "You can only stop goods at the border of the U.S."
And though action through the USITC is "relatively quick compared to federal courts, it also takes some time. So it is a tool for a very narrow purpose and limited effectiveness," she adds. "Just like most legal tools, it is good in some cases for very narrow fact-specific purposes."
Such a strategy, after all, does little to help victims of doxing.
Partners in Prosecution
Though there is little legal recourse against doxing, putting government pressure on nation states supporting cybercriminals, implementing cybersecurity controls, and sharing intelligence affords corporate counsel some leverage. None of these actions, however, can be accomplished unilaterally.
As with any corporate cybersecurity plan, there is always a need for collaboration across multiple departments, including legal, to create and test security incident plans, cybersecurity controls, and protections around sensitive data.
"An ounce of prevention is worth a pound of cure," Melendres says. "Companies should inventory their digital crown jewels, including, but not limited to, legally defined trade secrets, and assess the technical protections in place to protect those assets, including network segmentation and access controls."
In addition, it can be just as pivotal for counsel to promote collaboration between other companies, industries and government agencies to ascertain and share real-time threat intelligence. "One key resource that companies tend to underestimate is true threat intelligence that allows companies to assess risks," says Alexa King, executive vice president and general counsel at cybersecurity firm FireEye. "Companies today are making decisions about security without regards to the types of actors targeting, their methods and intentions."
Jim DeGraw, partner in Ropes & Gray's corporate technology group, also stresses the need for in-house counsel to partner with a forensics firm after an attack, noting that "they have resources available to them that many companies don't, and they have much experience" with breach investigations.
And there are perhaps no better-equipped forensic teams than federal law enforcement agencies, such as the FBI. These groups, Mack says, "have a lot of resources, especially as compared to small or medium size, and often even relatively large businesses."
Collaboration with government law enforcement agencies may even be necessary, given how certain cyberespionage attacks constitute violations of U.S. economic sanctions and export control laws. Companies quick to contact and partner with government officials, Swift says, can help law enforcement officials understand that they were a "victim when these problems arose, and not a facilitator of a criminal act."
But working with the government also means ceding some authority over an investigation or prosecution. "The government does not work for you," Jehl tells her Sheppard Mullin clients. "You may choose to invite them in to investigate an incident or to share information with them, but you have very little control over the subsequent investigation or their use of that information."
Still, the government's ability to move the needle in cybersecurity matters often outweighs any unilateral success corporate counsel may achieve. Melendres, for instance, hails the Obama Administration's 2015 agreement with China not to engage in cyberespionage against the U.S. as a factor in significantly decreasing such Chinese-related attacks in 2016.
How the federal government will chip away at the cyberespionage threat in the years to come remains to be seen. But what is certain is that countering cyberespionage takes a village.
"At the end of the day, no company has enough resources to deal with state-sponsored rogue actors," Mack says. "We are [all] threatened. We need to work together to collectively deal with cyberespionage."