Cyberspies can’t count on anonymity any more.
The United States (and the private security firm Mandiant) stripped a PLA espionage unit of its cover two years ago with a detailed description of the unit’s individual hackers; that report was followed by federal indictments of members of the unit that described them and their activities in great detail. More recently, the President outed North Korea for the attack on Sony. And as if to underscore the growing confidence of the intelligence community in its attribution capabilities, the Director of National Intelligence almost casually tagged Iran for a destructive cyberattack on Sheldon Adelson’s Las Vegas Sands gambling empire.
That’s good news, but it’s only a first step. To make a real difference, attribution has to yield more than talk.
Unfortunately, neither the companies victimized by network intrusions nor their governments have yet found ways to turn attribution into deterrence. No one expects to see members of the PLA in federal court any time soon. The administration’s public sanctions on North Korea were barely pinpricks. And Iran could be forgiven for concluding that its cyberattacks were rewarded by concessions in the nuclear enrichment negotiations.
But that’s not the last word. I attended a recent international conference where a surprising number of European officials signaled their eagerness to confront countries engaged in cyberespionage against their industries. They assumed that they could identify the countries that were stealing corporate secrets.
What they wanted were legal remedies — and remedies of a particular kind. They didn’t want to punish the hackers, who all too often are well protected by government. What they wanted was a way to punish the hackers’ customers — the state-owned companies who were benefiting from the theft of competitors’ intellectual property. Unlike the hackers, those companies can’t hide at home forever. To get the full benefit of their shiny new stolen technology, they have to sell their products globally. Which means they have to submit to the law and the jurisdiction of western nations.
But what law? Does a company victimized by cyberespionage have any legal remedies against the company that received the stolen data? That’s the question European (and American) trade officials were beginning to ask.
Faced with that question, I found three plausible legal remedies for companies that are victimized by hacking aimed at their corporate intellectual property. Here they are.
First, victims of cyberespionage could sue the foreign company benefiting from the theft of trade secrets. A company can be sued under the Uniform Trade Secrets Act (UTSA) if it uses “a trade secret of another without express or implied consent” and it “knew or had reason to know that [its] knowledge of the trade secret was derived from or through a person who had utilized improper means to acquire it.” UTSA § 1(2)(ii)(B)(II). So if the foreign company had reason to believe that it was receiving data stolen from a competitor’s network, it is at grave risk of liability under the UTSA.
The UTSA has been adopted in one form or another in forty-eight states, and plaintiffs can sue for damages, including “actual loss,” “unjust enrichment . . . that is not taken into account in computing actual loss,” and “exemplary damages” for “willful and malicious” violations. UTSA § 3(a), (b). All of those damages would seem to apply where the defendant was complicit in an attack on the plaintiff’s corporate network.
Second, the federal Computer Fraud and Abuse Act (CFAA) allows private suits against anyone who “intentionally accesses a computer without authorization,” obtains information, and causes at least $5,000 of loss. 18 U.S.C. § 1030(a)(2)(C). That certainly applies to the hackers themselves; but what about the recipients of the stolen data? They’re liable too, at least if they can be shown to have “conspired” with the intruders. 18 U.S.C. § 1030(b). Proving conspiracy poses a higher hurdle than meeting the UTSA’s “reason to know” standard; some courts say that a charge of conspiracy requires “specific allegations of an agreement and common activities.” See, e.g., NetApp, Inc. v. Nimble Storage, Inc., No. 5:13-cv-05058, 2014 WL 1903639, at *13 (N.D. Cal. May 12, 2014). But there will be many times when the evidence strongly suggests both. For example, if the theft of data was more than just a one-off event, there is every reason to believe that the beneficiary of the thefts was actively telling the thieves what to steal.
A third remedy is section 337 of the Tariff Act of 1930. It allows the International Trade Commission (ITC) to bar the importation of goods produced using stolen trade secrets. The ITC may exclude such goods from the United States if they are the result of “unfair methods of competition . . . the threat or effect of which is to destroy or substantially injure an industry in the United States.” 19 U.S.C. § 1337(a), (d). “Unfair methods of competition” includes a federal common law cause of action for the theft of trade secrets, which closely mirrors the provisions of the UTSA. See TianRui Grp. Co. v. Int’l Trade Comm’n, 661 F.3d 1322, 1327–28 (Fed. Cir. 2011). A complaint can be filed in the ITC even if the theft of trade secrets occurred abroad, so long as the theft violated the laws of the place where the secret was stolen. Id. at 1328. Although Section 337 does not allow for the recovery of money damages, a victim of commercial cyberespionage can at least make sure he’s not competing in the United States against products that are produced using his trade secrets and intellectual property.
In short, there are surprisingly robust legal remedies not just against cyberspies but against the companies who benefit from the spies’ intrusions. But that is not the end of the matter. Just having a good legal case does not mean that a victim will bring suit. There are plenty of practical reasons why a lawsuit might not be prudent even with the law on your side. But that’s a topic for another day, and another post.