Lawrence Muir, Adjunct Professor of Law at Washington and Lee University, teaches in the area of cybercrime. Below is an article Prof. Muir presented at a recent symposium on national security law at American University.
The Digital Penetration of American National Security: How a coordinated government response that emphasizes private ownership and private lawyers will strengthen America
By Lawrence L. Muir, Jr., Esq.[1]
- Introduction
The Heritage Foundation, in its 2016 Index of U.S. Military Strength, stated in the 20th century national security focused on military security.[2] The study’s author posits that the concept of national security has evolved to include seven non-military elements.[3] The primary two elements Dr. Holmes lists are political security[4] (protecting the sovereignty of the government) and economic security (protecting the national economic capacity and the freedom of individuals to make economic decisions).[5] Dr. Holmes’s fifth element is cybersecurity, protecting the computer and data infrastructure of a nation.[6]
Dr. Holmes’s distinctions are academically helpful and provide an important framework for analysis. However, the neat distinctions between military, political, and economic security have been penetrated by cyberattacks. The thesis of this article holds that all facets of American national security are inseparable and nearly indistinguishable from cybersecurity. The historic notion that national security is a government domain has receded and been replaced by the understanding that the private sector must protect American national security, through protection of its own economic digital assets.[7] The next wave of American national security enhancements must provide a robust set of options for the private sector to protect itself.
America has two primary cyber nemeses, China and Russia. Chinese cyberattacks, allegedly through the cyber units of its People’s Liberation Army, have stolen American research & development.[8] These thefts undermine America’s economic advantages,[9] thereby ultimately reducing American national security. Russian cyberattacks, allegedly perpetrated by rogue hacking outfits controlled by Russian Military Intelligence,[10] have sown seeds of political discord amongst the American population that threatens to undermine America’s historic domestic stability,[11] and thereby significantly diminishes American national security. Then Assistant Attorney General for the National Security Division John P. Carlin correctly recommended in the Harvard National Security Journal that the United States’ new approach involves deeper partnerships with the private sector,[12] but then admitted in understated fashion that, “Companies sometimes hesitate to voluntarily share information with the government.”[13]
This article posits that the different components of the American federal government must coordinate strategies to bolster cybersecurity in such a way that private sector businesses and attorneys can take a vigorous, assertive role in protecting privately-held confidential information, thereby strengthening American national security. This article makes specific recommendations for the different governmental authorities that comprise the whole-of-government to provide more legal options to the private sector and its lawyers. The government will benefit from the private sector’s increased participation in national security efforts when the private sector has a full panoply of legal options to protect itself.
- II. Recommendations
This section of the article makes recommendations that can be pursued as part of the whole-of-government approach by the different bodies and agencies of the federal government. Many of the rough pieces have been put into place by Congress, the White House, the Department of Justice, and other agencies. However, should these pieces be refined to be more inclusive of the private sector and its capabilities, the tools will become more advantageously used to the betterment of American national security.
- Congress can provide an executive branch power to the private sector so aggrieved companies can more quickly and confidentially block the benefit to foreign governments and agents.
As mentioned earlier, the Department of Justice believes that the Chinese government, acting through the cyber units of its People’s Liberation Army, has been involved in economic cyberespionage to benefit the Chinese economy at the expense of American companies. The harm done by Chinese hacking can better be demonstrated through the implosion of a Canadian company, Nortel. It is largely believed that the Chinese hacked Nortel’s computer networks, and then stole so many of Nortel’s trade secrets for the benefit of Chinese company Huawei that Nortel declared bankruptcy and went out of business.[14] Foreign hacking of trade secrets poses a very real risk to the economic security of a nation.
Congress made a significant contribution to protecting national security when it passed the Defend Trade Secrets Act of 2016 (DTSA)[15]. Economic security is a component of national security, and economic security rests upon American ingenuity being applied by American companies to grow the American economy. Unfortunately, poor cybersecurity has led to the loss of American trade secrets which has undermined economic security, and thereby undermined national security. The DTSA marks the first effort by Congress to reverse that trend.
- DTSA’s retained criminal protections and civil actions and remedies shifts national security responsibility and protections to the owner of trade secrets.
The DTSA grew out of the Economic Espionage Act of 1996.[16] Patrick Coyne writes that, “The EEA was directed at the theft of trade secrets by foreign governments, instrumentalities, and agents.”[17] The DTSA retains the two criminal provisions from the Economic Espionage Act[18] and adds a civil cause of action and civil remedies. Section 1831 has the stronger connection to national security. It states, among other provisions, that whoever, intending to benefit a foreign government or agent, knowingly steals or without authority appropriates a trade secret, can be imprisoned up to 15 years in prison.[19] Section 1832 proscribes a person from converting a trade secret, intended to become a good or service in interstate or foreign commerce, with the intent to economically benefit anyone other than the owner.[20] That provision carries up to 10 years in prison.[21]
The DTSA protects owners of trade secrets that are misappropriated by allowing them to bring a civil action if the trade secret is related to a product or service used in, or intended for use in, interstate or foreign commerce.[22] Businesses are now encouraged to take an inventory of its trade secrets,[23] designating them as such and encouraging extra protection of them. The DTSA enables the courts to expedite trade secret litigation by requiring the trade secret owner to identify the trade secret at the outset of litigation.[24]
While the EEA was purely a criminal statute, the DTSA has civil provisions as well. Section 1836 provides a civil cause of action to an owner of a trade secret that is misappropriated if the trade secret is related to a product or service used in, or intended for use in, interstate or foreign commerce. [25] Additionally, the statute provides for ex parte seizures to retrieve the stolen trade secrets[26] and specific provisions on how to prevent disclosure of the retrieved trade secrets.[27]
DTSA requires eight requirements for preliminary injunctive relief, which is more stringent than other temporary restraining orders require.[28] Specifically, the person against whom an ex parte seizure is ordered must actually possess the trade secret, that the movant can identify the matter to be seized and where it is located, and that the movant must show that the person against whom the seizure is ordered would move or hide the matter if the thief was given notice.[29]
- DTSA improves national security by incentivizing better trade secret protection and cybersecurity
The DTSA can bolster national security through economic security by promoting better cybersecurity. First, by requiring companies to designate trade secrets at the outset of litigation, it requires companies to have a better inventory of its trade secrets before they are stolen, and to appropriately designate them as such. More importantly, the designation suggests to companies that they should better protect this valuable information from theft. A collateral national security issue is that DTSA incorporates injunctive relief that can prevent the flow of capital to malicious actors.
However, the DTSA requires the Plaintiff to show that the res of the property is still within the jurisdiction of the court, and that the property would be moved if the thief knew of the order. DTSA is silent, however, on what happens if the trade secrets have already been moved, especially if they are moved to a foreign country that falls outside of the jurisdiction of an American court. Congress could close that gap by following the lead of Executive Order 13694.
- But there is a potential gap in equitable relief when foreign criminals use computer hacking to misappropriate trade secrets.
The injunctive relief in the DTSA matters in light of Executive Orders 13694 and 13757. Corporate trade secrets may be stolen through adversaries hacking the servers on which the information is stored. Executive Order 13694 provides injunctive relief in the form of asset freezing against individuals and the organizations that fund those individuals engaged in malicious cyber-enabled activities. “The order is aimed primarily at state-sponsored actors and other hackers who are beyond the reach of law enforcement or diplomatic efforts. It gives the government the power to go beyond nation-level actions to target individuals who may be sponsored or supported in some way by a nation.”
Executive Order 13694 enables all property and interests in property that are in the United States, or that come into the United States, to be blocked and not transferred.[30] Any person that has engaged in cyber-enabled activities originating from, or directed by persons located, outside the United States that are likely to result in a significant threat to national security or the economic health of the United States can have his or their assets frozen.[31] Cyber-enabled malicious activities include harming causing a significant misappropriation of trade secrets for commercial advantage or private financial gain.[32]
The injunctive relief in the DTSA and the asset freezing in the Executive Order is linked by the affirmative abilities of aggrieved parties to have a court block the movement of assets (the trade secrets or financial assets) in possession of foreign agents. But like a hotel door and frame held together by a linked chain, there is a gap that can be exploited. That gap is represented by the extraterritorial nature of the hack. While the DTSA focuses on trade secrets still within the jurisdiction of the court subject to the motion of the aggrieved party who has not put the other party on notice, the Executive Order requires the action of the federal government to take steps against only extraterritorial hackers. As noted by Mr. Carlin, companies are hesitant to share information with the government.[33] To meld the relief offered by the government, aggrieved companies should have legal recourse to move for an Executive Order 13694 type of asset freeze when the res of the property, and defendants, are located outside of the jurisdiction of the court. There is precedence for this in intellectual property law.
- 4. Closing the gap by making the Executive Order remedy available in private litigation
The Economic Espionage Act’s criminal statutes did not provide for asset freezing as an equitable remedy. The Lanham Act, however, is a set of civil statutes that protect intellectual property in the form of trademarks. Aggrieved companies have consistently been able to freeze the assets of counterfeiters who have stolen trademarks of companies operating in the United States.[34] The mold for extending Lanham Act asset freezing in intellectual property cases exists, and so extending this remedy to trade secrets makes sense. The mold for freezing assets in foreign hacking cases exists in the Executive Order, so extending those powers through an Act of Congress to aggrieved businesses makes sense. Congress should amend the DTSA to provide private companies with a private action to obtain asset freezes in situations where the Executive Order would apply, without having to share any information with the federal government. This action would provide a significant national security tool to the private sector. The aggrieved party can, through using its own lawyers, act more swiftly, and thereby cut off some of the economic damage that would result from the theft of trade secrets. Finally, while the Lanham Act has consistently been used by aggrieved plaintiffs to freeze assets, the Executive Order was used exactly once in its first 21 months of existence.[35]
- Congress can incentivize better trade secret protection by amending the Computer Fraud and Abuse Act
This author has previous written about how amending the Computer Fraud and Abuse Act could improve American national security.[36] This author has previously opined that, “Congress should revise the ‘access terms’ in the CFAA to incentive businesses to more securely protect information, decouple the civil causes of action in the CFAA from the criminal law, and provide for foreign bank accounts to be frozen if foreign nationals commit cyberattacks against American companies.”[37]
While Congress can provide stronger remedies to the corporate victims of cyberespionage, the ideal situation would be one in which trade secrets are not stolen. The DTSA subtly encourages better protection of trade secrets by requiring companies and their lawyers to inventory their trade secrets.[38] However, knowing the location of trade secrets is only the first half of better cybersecurity. The second, more important part, requires protection of those trade secrets. Congress can explicitly incentivize the better protection of network-stored trade secrets by amending the CFAA to specifically provide criminal causes of action when a code-based protection measure[39] is breached.
The CFAA is known as the anti-hacking statute, but trade secrets can be involved when information is accessed from a computer in interstate commerce,[40] or when information is accessed with the intent to commit fraud.[41] Further, if the violation of 18 U.S.C. 1030(a)(2) was committed for purposes of commercial advantage or private financial gain, the base misdemeanor charge is enhanced to a felony. This crime of unlawful computer access is effectively a precursor to DTSA crimes.
The CFAA is a dual use criminal and civil statute, and that unfortunate legislative decision has given rise to conflicting litigation around the issue of whether the downstream use of the access can define whether a person entered the network without authorization.[42] This matters in the trade secret context because corporations have had recourse against intellectual property thieves denied to them based on court rulings that require the bypassing of code-based restrictions to commit the crime.[43] This rule is not followed in all federal circuits, making recourse when contract-based restrictions have been abrogated a happy accident of geography.
Congress can fix this Circuit-split, and in the process Congress can better incentivize trade secret protection and bolster national security. Congress should change the access status terms in the CFAA to specifically protect information that has been obtained after bypassing a code-based protection.[44] Aaron’s Law, though too narrow to fully protect businesses, does suggest basing liability specifically on bypassing code-based restrictions, providing a bright-line rule that defendants know they cross. Conversely, this clear rule incentives businesses to clearly put information behind passwords in order to protect it. The trade secrets that DTSA promotes inventorying will be the same trade secrets hidden behind code-based protection measures.
- The State Department needs to work to extradite foreign-hackers from Russia and China
The State Department can also help private companies. The very rationale for Executive Order 13694 is that much of the hacking emanates from Russia and China, two nations that do not have extradition treaties with the United States.[45] Thus, the only way to deter hacking is to bring the incentive for hacking, profits, under the jurisdiction of United States courts. However important this restriction is, the restriction can be skirted through careful financial planning. The only way to truly deter a hacker from stealing the trade secrets of American companies is to make them subject to criminal prosecution in the United States.
The United States used its extradition treaty with Romania to effectively bring a foreign hacker to justice. Guccifer, the hacker responsible for exposing the Clinton server, is now serving a 52-month prison sentence for hacking, from Romania, over 100 Americans, many with political connections.[46] These victims included Sidney Blumenthal, an advisor to former Secretary of State Clinton, confidantes of President George W. Bush, and former Secretary of State Colin Powell.[47]
While Congress can better protect trade secrets by empowering private companies to freeze the assets of hackers, and to put their trade secrets behind stronger layers of protection, the State Department can help ensure that if those measures fail the hackers will face justice.
- The Justice Department must be the center hub from which these spokes emanate
The next Senior Counsel for Cybercrime in the Justice Department will be responsible for bolstering American cybersecurity and national security. This advisor will be the hub of the wheel from whence these other initiatives involving the private sector can be driven. By meeting with private companies, their chief information officers, and their top researchers, the advisor can determine what tools the private sector needs to protect its trade secrets. The advisor can help develop legislation in the House and Senate Judiciary and Homeland Security Committees to advance these legislative initiatives in a way that respects the separation of powers. This advisor can work with the White House and State Department work through the foreign policy initiatives and negotiate with other countries to implement these initiatives, taking a hard-line stance on the primacy of intellectual property ownership. The White House has given itself a significant power with Executive Order 13694. To divest itself of that power and give it to the private sector for its use would be a magnanimous devolution, but also an intelligent move that will make the tool more effective.
III. Conclusion
The whole-of-government approach advocated by the Justice Department’s National Security Division last year is a wise idea. Similarly, its recognition of the importance of the private sector that owns most of the trade secrets upon which American economic security depends is a sober reflection of the national security landscape. The next step in this evolution of thought is to blend the private sector more extensively into the national security thought process and provide businesses and their law firms with the tools needed to carry the burdens that have heretofore been largely the responsibility of the federal government. Congress took a great first step with the passage of the Defend Trade Secrets Act, but the federal government must go further in that direction by more completely filling the private sector’s arsenal of judicial recourse options.
[1] Mr. Muir is an attorney with Dunlap Bennett & Ludwig and an adjunct professor of law at Washington & Lee University School of Law.
[2] Kim R. Holmes, “What is National Security?” Heritage Foundation (2015), available at: http://index.heritage.org/military/2015/important-essays-analysis/national-security/
[3] Id.
[4] Dr. Holmes defines political security as, “Political security refers to protecting the sovereignty of the government and political system and the safety of society from unlawful internal threats and external threats or pressures. It involves both national and homeland security and law enforcement.” See Id.
[5] Dr. Holmes defines economic security as, “Economic security involves not only protecting the capacity of the economy to provide for the people, but also the degree to which the government and the people are free to control their economic and financial decisions. It also entails the ability to protect a nation’s wealth and economic freedom from outside threats and coercion. Thus, it comprises economic policy and some law enforcement agencies but also international agreements on commerce, finance, and trade. Recently, it has been defined by some in a human security context to mean eradicating poverty and eliminating income inequality.” See Id.
[6] Dr. Holmes defines cybersecurity, “Cybersecurity refers to protection of the government’s and the peoples’ computer and data processing infrastructure and operating systems from harmful interference, whether from outside or inside the country. It thus involves not only national defense and homeland security, but also law enforcement.” See Id.
[7] See John P. Carlin, Detect, Disrupt, Deter: A Whole-of-Government Approach to National Security Cyber Threats, 7 Harvard Nat’l Security J. (2016).
[8] See “U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage.” U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage | OPA | Department of Justice. N.p., n.d. Web. 17 Feb. 2017.
[9] Id.
[10] See https://www.theguardian.com/world/2016/dec/30/us-expulsions-put-spotlight-on-russias-gru-intelligence-agency
[11] See http://www.forbes.com/sites/paulroderickgregory/2016/12/11/the-battle-over-russian-hacking-is-over-the-legitimacy-of-the-trump-presidency/#3be082a16ed7; see also the #NotMyPresident hashtag on social media.
[12] See Carlin, Detect, Disrupt, Deter at 396.
[13] Id. At 432
[14] See http://www.afr.com/technology/web/security/how-chinese-hacking-felled-telecommunication-giant-nortel-20140526-iux6a
[15] See https://www.congress.gov/bill/114th-congress/senate-bill/1890/text
[16] https://www.law360.com/articles/806201/what-you-should-know-about-the-defend-trade-secrets-act
[17] Id.
[18] See 18 U.S.C. §1831 and §1832
[19] 18 U.S.C. §1831(a)(1).
[20] 18 U.S.C. §1832(a).
[21] Id.
[22] See 18 U.S.C. §1836(b)(1).
[23] See https://www.law360.com/articles/806201/what-you-should-know-about-the-defend-trade-secrets-act
[24] Id.
[25] 18 U.S.C. §1836(b)(1)
[26] 18 U.S.C. §1836(b)(2)
[27] 18 U.S.C. §1836(d).
[28] Id.
[29] Id.
[30] See Section 1(a) Exec. Order 13,694 80 Fed. Reg. 63 (Apr. 2, 2015).
[31] See Section 1(a)(ii) of Id.
[32] See Section 1(a)(ii)(D) of Id.
[33] See Carlin, Detect, Deter, Disrupt at 432.
[34] See Reebok Intern. Ltd. v. Marnatech Enterprises, Inc., 737 F. Supp. 1521 (S.D. Cal. 1990) and many other cases.
[35] See US Department of the Treasury press release 12/29/2016 available at: https://www.treasury.gov/press-center/press-releases/Pages/jl0693.aspx
[36] See http://journal.georgetown.edu/revising-the-cfaa-how-stronger-domestic-cybercrime-law-can-improve-international-cybersecurity/
[37] Id.
[38] See inventory footnote
[39] Passwords and biometric protections like fingerprints
[40] See 18 U.S.C. §1030(a)(2)
[41] See 18 U.S.C. §1030(a)(4)
[42] See the conflicting holdings allowing downstream usage to define access in United States v. John, 597 F.3d 263 (5th Cir. 2010) compared to the holding that access is only defined by the status of the user at the point of access in Bell Aerospace Services, Inc. v. US Aero Services, Inc., 690 F.Supp.2d 1267 (M.D. Ala. 2010).
[43] United States v. Nosal, 676 F.3d 854 (9th Cir. 2012)
[44] See the text of the proposed “Aaron’s Law” which explicitly requires circumventing technological measures, available at https://www.congress.gov/bill/114th-congress/senate-bill/1030.
[45] See http://www.wsfa.com/story/22665099/countries-with-no-extradition-treaty-with-us
[46] See https://www.washingtonpost.com/local/public-safety/guccifer-hacker-who-revealed-clintons-use-of-a-private-email-address-sentenced-to-52-months/2016/09/01/4f42dc62-6f91-11e6-8365-b19e428a975e_story.html?utm_term=.4ec8d1ee277b
[47] See Id.
