Collaborating with the Federal System in Protecting Against International Cybertheft
The COVID-19 pandemic exposes many frailties and problems globally, including cybersecurity and trade secret vulnerabilities. When countries conduct coronavirus research collaboratively and competitively, multiple countries continuously report hackers targeting their research institutes or pharmaceutical companies regarding the research. For example, European Medicines Agency reported that hackers accessed some confidential data on the Pfizer-BioNTech vaccine. The hackers then leaked some stolen data on the Internet, the goal of which was to undermine the public’s trust in the vaccine. However, the current law or law enforcement in the U.S. is not effective for protecting trade secrets of research institutes or companies against hackers.
First, it is always costly and technically challenging to seize hackers. Many cybercrimes are unexplored or unreported because hackers either conceal their identity or are overlooked by the victims. Prosecutors also face hardships when gathering and preserving evidence. Even if they arrest the cybercriminals, they are often unable to seize strong evidence, as much of the hackers’ hardware equipment remains untouchable overseas.
Second, none of the current cybersecurity laws or trade secret laws can provide adequate protection against hackers. The Computer Fraud and Abuse Act (“CFAA”) criminalizes cyber intrusions without authorization. However, when the hacked information targets trade secrets, CFAA may not help the victims as much. In U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), the court asserted that trade secret misappropriation issues should be solved under trade secret law rather than CFAA. Indeed, federal prosecutors usually raise both CFAA and the Economic Espionage Act (“EEA”) to go after cybercriminals. In addition to the EEA addressing trade secret misappropriation on the criminal side, there is also the Defend Trade Secrets Act that governs trade secret misappropriation on the civil side. However, the bar of showing the existence of trade secrets is quite high and may rise even higher against strangers who are not bound by a confidential relationship and who acquire the stolen information from computers.
Of particular note is how the Southern District of New York dealt with the trade secret claim in the lawsuit between the Democratic National Committee (“DNC”) and the Russian actors who allegedly stole information from the DNC’s computers in 2019. Democratic Nat’l Comm. v. Russian Fed’n, 392 F. Supp. 3d 410 (S.D.N.Y. 2019). The DNC failed to establish that the stolen “donor lists” and “fundraising strategies” constituted trade secrets. When trade secrets become public knowledge, acquiring them does not constitute misappropriation. Moreover, the same court ruled that federal law does not govern a country, such as Russia, and suggested that the government, rather than the court, should handle the cybersecurity problem with foreign governments. Therefore, while locating a country as a cyber culprit seems technically easier than catching individual cybercriminals, it does not help the judicial proceedings that would benefit victims of trade secret misappropriation. The victims bear the same consequence regardless of whether the cybercriminals are state-backed, even though the state-backed ones are indeed prickly.
Accordingly, since it is too passive for cybertheft victims to rely on Congress or local law enforcement, the government is taking action. For example, in March 2020, the FBI took down a Russia-based cyber platform—DEER.IO—supporting hackers. The Cybersecurity Act of 2015 also authorizes public and private entities to share cybersecurity-threat information with private entities, governments, and the public so that federal agencies may bolster cybersecurity protections. Specifically, as a part of the Cybersecurity Act of 2015, the Cybersecurity Information Sharing Act of 2015 set up the Cybersecurity and Infrastructure Security Agency (“CISA”). The CISA governs the shared cybersecurity information and excludes any privacy data. It then shares with other federal government agencies that actively deploy the collected cybersecurity information to guard against destructive cyberattacks, identify the sources of cybersecurity threats, and investigate and prosecute probable felonies conducted by individual cybercriminals or state-backed hackers.
What American intelligence officials can usually do alone, nevertheless, is still passive and limited, such as monitoring, guarding, and warning, with increasing but insufficient participation. The Department of Homeland Security statistically found that the CISA increased the sharing system’s participants in 2016 but failed to maintain the increase and participation level in the following years. However, according to FireEye’s 2021 Security Predictions Report, the rise in remote work is expected as a result of the pandemic, which significantly drives cybersecurity issues. Thus FireEye, one of the most influential cybersecurity service providers, strongly suggests private entities strengthen managerial and technical skills regarding cybersecurity. However, even though private cybersecurity measures are improving, the defense technologies and strategies can never be perfect. For example, the attacked European Medicines Agency is “certainly considered a hard target.” Moreover, some private cybersecurity services may raise ethical issues. Professor James Pattison at the University of Manchester suggests defensive cybersecurity strategies are permissible but raises deep concerns about offensive strategies, which are increasingly popular among the private sector. It is also not economically efficient to forgo the federal cybersecurity system but to create cyber-chaos for defending against existing or potential cyberattacks.
Therefore, private entities need to rely on the federal cybersecurity system further to avoid ethical and legitimacy concerns. Promoting the use of the information sharing system is the first step to unite the varies federal government agencies’ power and systematically improve their ability to secure cyberspace and chase trade secret cyberthieves. The federal government also needs to progress more and be aligned with the private sector’s participation.