Targeting Beneficiaries of Cyber Attacks
967
![]() 1546
![]() 320
![]() |

Stewart A.Baker, Partner
Companies today face an increasing number of cyber attacks in which hackers steal corporate trade secrets and intellectual property. To combat these attacks, companies must be on guard against such attacks, but they must also be prepared for when an attack occurs. After an attack, companies may believe that improving defenses and patching security is their only remedy. However, companies victimized by network intrusions may be able to use established US law to pursue legal remedies against cyber hackers, as well as companies that have benefited from cyberespionage. Pursuit of these remedies would help not only the individual company, but could create a deterrent effect on a broader scale by holding companies benefiting from cyber attacks accountable for the thefts.
Attribution after a Cyber Attack
When a cyber attack occurs, a company will often hire forensics experts to help stop the attack, discover and destroy malicious files, identify and patch weaknesses, ensure no other vulnerabilities exist, and install new defenses to improve security. These forensic exports may also be able to help a victimized company gain an understanding of who has attacked them, what secrets they stole, and from what other companies they may be stealing information.
While anonymity is commonly seen as an advantage of a cyber attack, governments and private experts today have increasing capabilities to identify those responsible–a critical first step at combating such attacks. Two years ago, the United States (and the private security firm Mandiant) stripped a PLA espionage unit of its cover with a detailed description of the unit’s individual hackers. More recently, the President outed North Korea for the attack on Sony Corporation. And as if to underscore the growing confidence of the intelligence community in its attribution capabilities, the Director of National Intelligence almost casually tagged Iran for a destructive cyberattack on Sheldon Adelson’s Las Vegas Sands gambling empire. While these efforts to identify attackers and their conspirators are critical, without penalties or real consequences, nothing will dissuade these attacks from continuing to occur.Kaitlin Cassel, Associate, Steptoe & Johnson
The Next Step–Legal Action against Beneficiaries of Cyber Attacks
Companies should consider taking the next step to combat these attacks by pursuing legal remedies under existing United States law. While individual hackers, who are all too often well-protected by their governments, may be difficult to target, their customers are necessarily more visible. These customers–state-owned companies benefiting from the theft of their competitors’ intellectual property– must sell their products globally to get the full benefit from the new stolen technology. But, when selling globally, these companies will necessarily face other countries’ laws–thereby creating an opportunity for these nations to craft legal penalties to deter cyber attacks.
"Finally. Better attribution may let us play offense against cyberspies for a change”
In the United States, such legal remedies are already available to victimized companies. For example, victims of cyberespionage can sue a company benefiting from the theft of trade secrets under the Uniform Trade Secrets Act (UTSA) if the company “knew or had reason to know” that the trade secret was acquired by improper means. Similarly, under the Computer Fraud and Abuse Act (CFAA), a company can sue hackers, who “intentionally accessa computer without authorization,” obtain information, and cause at least $5,000 of loss, as well as anyone who “conspired” with the intruders. Additionally, a company may be able to file a complaint with the International Trade Commission (ITC) under section 337 of the Tariff Act of 1930, which allows the ITC to bar the importation of goods resulting from “unfair methods of competition,” including those produced using stolen trade secrets.
Where there is a strong suspicion that a company may have benefited from the cyber intrusions, these remedies may be available. When an attack occurs, it is thus important to involve the company’s legal team, who can work with the technical team to see what can be done to gathera sufficient level of evidence to pursue legal remedies. For example, companies may be able to combine the information gathered by forensic experts with their own knowledge of their industry’s competitive environment to identify the hackers’ most likely customers. With this evidence, companies may be able to use these legal remedies to recover their damages, prevent use of the stolen information, and deter future attacks.
Role of the US Government
In pursuing these private rights of action, companies should view the US government as an ally. Litigation by private entities has a great potential to increase cyber security on a broad scale, by deterring cyber attacks through the creation of real world consequences for its beneficiaries.
The US government has itself recognized the importance of targeting not only hackers engaged in cyberespionage, but companies that knowingly benefit from such espionage. For example, it has instituted a sanctions program that gives it the authority to sanction individuals and companies engaged in malicious cyber activity that aims at harming critical infrastructure, damaging computer systems, or stealing trade secrets or sensitive information, as well as companies that knowingly receive or use trade secrets that were stolen by cyber-enabled means. An alternative to the private rights of action, this program provides yet another path to hold hackers and their beneficiaries responsible for attacks and demonstrates the United States commitment and support for efforts to deter cyber attacks.
Conclusion
In preparing defenses against cyber attacks, companies should be aware of these legal remedies that may prove to be helpful tools to protect against and recover from attacks. By combining the remedies of existing law with the increasing ability of forensic experts to attribute cyber attacks to specific actors, companies may not only be able to recover their own damages, but can create a broader deterrent effect against hackers and their customers to the benefit of cyber security generally.
Read Also
Today's Threat Landscape Requires Adaptive Security
Staying Abreast of Application Development and Delivery
How to Ensure Information Security when Outsourcing Your Projects
This Is How Your Computer Gets Hacked!
Featured Vendors
THETA432: Performance, Precision, Efficiency, Visibility - The Key to Incident Response and Answer to the Talent Shortage
EveryCloud Technologies: Delivering Powerful Email Filtering Services" title="Graham O\'Reilly, CEO & Co-Founder" style="float:left; margin-right:10px; margin-bottom:20px;" width="60px" height="50px">
EveryCloud Technologies: Delivering Powerful Email Filtering Services
Onepath: A Responsive Info-Security Management Framework – the easier way to dramatically improve your overall info-security posture
Covenant Security Solutions, Inc.: Revolutionary Solutions to Mitigate Security and Compliance Risks
EDITOR'S PICK
The IT World: An Ever Changing Place With Constant...
By Pete V. Sattler, VP-IT & CIO, International Flavors &...
Deploying In-Memory Capabilities To Meet Tomorrow's...
By Benjamin Beberness, CIO, Snohomish County PUD
Tech Provider, Delivery Partner or Both?
By Gary Watkins, CIO of IT Shared Services, KAR Auction...
Technology Helps Supply Chain Embrace Uncertainty
By Tonya Jackson, VP Global Supply Chain, Lexmark
From Bean Counter to Propeller Head: Lessons Learned by a...
By Chad Lindbloom, CIO, C.H. Robinson
Efficient Ways to Manage Data and Make Effective Decisions
By Ryan Fay, CIO, ACI Specialty Benefits
Democratizing IT Technologies to Improve Sales...
By Kris Holla, VP& CSO, Nortek, Inc.
The Cloud (still)Doesn't Support VoIP
By Shawn Wiora, CIO & CISO, Creative Solutions In Healthcare
AI and the Future of Field Service: Moving from...
By Michael Alcock, Director-CIO Executive Programs &...
Revolutionizing Industrial Mining through Smart Tools
By Jeff Bauserman, VP-Information Systems & Technology,...
Virtualize, Cloud, Mobile First
By Wes Wright, CTO, Sutter Health
Performing as a Turnaround CIO Artist, It's Not Magic...
By Peter Ambs, CIO, City of Albuquerque
By Mark Ziemianski, VP of Business Analytics, Children's...
The Highway's Jammed With Broken Heroes on A Last Chance...
By Jonathan Alboum, CIO, The United States Department of...
AI Can Improve Patient Outcomes, but will Pharma Get...
By Ryan Billings, MS, MBA, Executive Director, Digital...
Creating a New Productive Work Environment
By Christina Clark, Managing Principal, Cresa
Blockchain and The Law: How a Simple Project can get...
By Evan Abrams, Associate, Steptoe & Johnson LLP
Scope of IT Services in Today's Business Landscape
By Holly Baumgart, Vice President-Information Technology,...
Digital Transformation in an Ever Changing World
By Melissa Douros, Director of Digital Product Management,...
The Digital Transformation of the Insurance Industry
By Andrew Palmer, SVP & Chief Information Officer, U.S....