Targeting Beneficiaries of Cyber Attacks

Stewart A.Baker, Partner and Kaitlin Cassel, Associate, Steptoe & Johnson

Stewart A.Baker, Partner

Companies today face an increasing number of cyber attacks in which hackers steal corporate trade secrets and intellectual property. To combat these attacks, companies must be on guard against such attacks, but they must also be prepared for when an attack occurs. After an attack, companies may believe that improving defenses and patching security is their only remedy. However, companies victimized by network intrusions may be able to use established US law to pursue legal remedies against cyber hackers, as well as companies that have benefited from cyberespionage. Pursuit of these remedies would help not only the individual company, but could create a deterrent effect on a broader scale by holding companies benefiting from cyber attacks accountable for the thefts.

Attribution after a Cyber Attack

When a cyber attack occurs, a company will often hire forensics experts to help stop the attack, discover and destroy malicious files, identify and patch weaknesses, ensure no other vulnerabilities exist, and install new defenses to improve security. These forensic exports may also be able to help a victimized company gain an understanding of who has attacked them, what secrets they stole, and from what other companies they may be stealing information.

While anonymity is commonly seen as an advantage of a cyber attack, governments and private experts today have increasing capabilities to identify those responsible–a critical first step at combating such attacks. Two years ago, the United States (and the private security firm Mandiant) stripped a PLA espionage unit of its cover with a detailed description of the unit’s individual hackers. More recently, the President outed North Korea for the attack on Sony Corporation. And as if to underscore the growing confidence of the intelligence community in its attribution capabilities, the Director of National Intelligence almost casually tagged Iran for a destructive cyberattack on Sheldon Adelson’s Las Vegas Sands gambling empire. While these efforts to identify attackers and their conspirators are critical, without penalties or real consequences, nothing will dissuade these attacks from continuing to occur.Kaitlin Cassel, Associate, Steptoe & Johnson

The Next Step–Legal Action against Beneficiaries of Cyber Attacks

Companies should consider taking the next step to combat these attacks by pursuing legal remedies under existing United States law. While individual hackers, who are all too often well-protected by their governments, may be difficult to target, their customers are necessarily more visible. These customers–state-owned companies benefiting from the theft of their competitors’ intellectual property– must sell their products globally to get the full benefit from the new stolen technology. But, when selling globally, these companies will necessarily face other countries’ laws–thereby creating an opportunity for these nations to craft legal penalties to deter cyber attacks.

"Finally. Better attribution may let us play offense against cyberspies for a change”

In the United States, such legal remedies are already available to victimized companies. For example, victims of cyberespionage can sue a company benefiting from the theft of trade secrets under the Uniform Trade Secrets Act (UTSA) if the company “knew or had reason to know” that the trade secret was acquired by improper means. Similarly, under the Computer Fraud and Abuse Act (CFAA), a company can sue hackers, who “intentionally accessa computer without authorization,” obtain information, and cause at least $5,000 of loss, as well as anyone who “conspired” with the intruders. Additionally, a company may be able to file a complaint with the International Trade Commission (ITC) under section 337 of the Tariff Act of 1930, which allows the ITC to bar the importation of goods resulting from “unfair methods of competition,” including those produced using stolen trade secrets.

Where there is a strong suspicion that a company may have benefited from the cyber intrusions, these remedies may be available. When an attack occurs, it is thus important to involve the company’s legal team, who can work with the technical team to see what can be done to gathera sufficient level of evidence to pursue legal remedies. For example, companies may be able to combine the information gathered by forensic experts with their own knowledge of their industry’s competitive environment to identify the hackers’ most likely customers. With this evidence, companies may be able to use these legal remedies to recover their damages, prevent use of the stolen information, and deter future attacks.

Role of the US Government

In pursuing these private rights of action, companies should view the US government as an ally. Litigation by private entities has a great potential to increase cyber security on a broad scale, by deterring cyber attacks through the creation of real world consequences for its beneficiaries.

The US government has itself recognized the importance of targeting not only hackers engaged in cyberespionage, but companies that knowingly benefit from such espionage. For example, it has instituted a sanctions program that gives it the authority to sanction individuals and companies engaged in malicious cyber activity that aims at harming critical infrastructure, damaging computer systems, or stealing trade secrets or sensitive information, as well as companies that knowingly receive or use trade secrets that were stolen by cyber-enabled means. An alternative to the private rights of action, this program provides yet another path to hold hackers and their beneficiaries responsible for attacks and demonstrates the United States commitment and support for efforts to deter cyber attacks.

Conclusion

In preparing defenses against cyber attacks, companies should be aware of these legal remedies that may prove to be helpful tools to protect against and recover from attacks. By combining the remedies of existing law with the increasing ability of forensic experts to attribute cyber attacks to specific actors, companies may not only be able to recover their own damages, but can create a broader deterrent effect against hackers and their customers to the benefit of cyber security generally.