Economic Espionage: An Overview From a Law and Cybersecurity Risk Management Perspective

Since the large-scale Russian invasion of Ukraine, which was launched on February 24, 2021, businesses, mainly Silicon Valley companies, became concerned that they may be targeted. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that unprovoked attack by Russia on Ukraine, which has included cyberattacks on the Ukrainian government and critical infrastructure organizations, may have an impact on organizations both within and beyond the region, even though there were no specific or credible threats to the U.S. when the warning was issued. Under its initiative “Shields Up,” the U.S. cyber defense agency initiated assistance to prepare the U.S. organizations, respond to, and mitigate cyberattacks, particularly ransomware attacks. Most mainstream media continue addressing ransomware activities and raising awareness around related malicious attacks, but it is not popular to find articles addressing cybercrimes from an economic espionage perspective. Stealing for the profit of another country is considered economic espionage, and only several governments and corporations are taking substantial steps to combat this problem. Cybercriminals target businesses within critical sectors, primarily the aerospace and energy sectors, to steal valuable business assets, such as source codes, prototype designs, critical bid information, and customer lists, by hacking computers and evading security measures. Trade secrets are the collective name given to these assets since their worth stems from their confidentiality, and their theft causes an immense financial impact on businesses and the economy. To better understand trade secret theft from a legal perspective and its implications, this article will illustrate a brief overview of economic espionage, the offense under the U.S. Economic Espionage Act, and highlight the role of the organizations’ legal and cybersecurity teams in preventing such an offense.

      Cyber espionage is classified as an Advanced Persistent Threat (ATP). What makes an ATP concerning is that threat actors, who are often nation-states, devote far more resources than regular criminals, and the Internet’s nature makes it challenging to identify the party behind such an act. Traditionally, espionage entails one nation-state sending spies into the territory of another nation-state with the purpose of exfiltrating critical information. In contrast, cyber espionage aims to get sensitive digital information about an adversary to gain a competitive advantage through cyberspace from anywhere in the world. While conventional espionage is riskier and less effective than digital spying, it is easier for a nation-state to access sensitive information by breaching the target’s cybersecurity. The attribution of the related cyber-attack would be more complex than a spy on the adversary’s territory. Cyber espionage undermines the purpose of confidentiality protection by releasing information to unauthorized persons, and it occurs in three stages: reconnaissance, gaining access to sensitive information, and exfiltration. However, besides political and state secrets espionage, adversaries have been targeting industrial espionage, by which state actors and firms attempt to steal trade secrets for economic gain. Thus, it is important to identify the difference between each type of espionage (political espionage and economic espionage) before elaborating on economic espionage as an offense and how to prevent it.
      • Political Espionage Espionage encompasses the non-consensual collecting of sensitive information under the control of another actor. Nation-States are the most frequent espionage offenders, and they often engage in two categories of espionage, each defined by the sort of information obtained. Political espionage aims to improve the offending Nation-State’s national security by gaining access to foreign government’s political and military secrets and non-state actors’ secrets, such as terrorist organizations’ secrets. Nation-States have also shown a predilection for economic espionage, in which they aim to promote their national economy by collecting trade secrets from corporations based in foreign jurisdictions and then passing this proprietary information to the relevant parties. Usually, such information originates from two sources: human sources, known as Human Intelligence (HUMINT), and electronic sources, known as Signals Intelligence (SIGINT).
      • Economic EspionageEconomic espionage, unlike political espionage, does not provide the perpetrator with immediate and direct national security advantages, but it is a critical tool for the offending state to gain an indirect national security interest. Nonetheless, economic espionage ultimately strengthens the perpetrator’s national security by indirectly increasing its financial security, as the immediate benefit goes to its domestic enterprises’ competitiveness facing foreign competition. Just to say here that international jurists appear to be concerned that investigating the role of international law in regulating economic espionage may open Pandora’s box, raising issues about how international law relates to political espionage. To put it plainly, if political espionage is beyond the scrutiny of international attorneys, then so is commercial espionage. Therefore, it is beyond this article’s scope to discuss economic espionage from an international law lens, and instead, we will address its scope under the national law of the United States (U.S.), particularly under the U.S. Economic Espionage Act, which was promulgated to promote and protect the U.S. national economic security and consequently to safeguard the nation’s vital security interests.

      Unlike corporate espionage, which serves a commercial objective, the motives behind economic espionage are not always commercial in nature. As shown in recent years, one motive might be to address nations’ technology or military disparities. Economic espionage is typically directed or sponsored by a foreign power aiming to gain access to business information or sensitive trade secrets from U.S.-based persons or businesses. Thus, while the hazards of economic espionage to a firm are apparent, they may also pose national security threats. In fact, receiving, acquiring, or having a trade secret that is known to have been stolen or misused, as well as any attempt or conspiracy to commit economic espionage, are all federal crimes under the 1996 Economic Espionage Act (EEA). The latter defines “trade secrets” as the information “the owner thereof has taken reasonable measures to keep secret,” and that “derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public.”The EEA has also prohibited the attempt to steal trade secrets with the intent or knowledge of benefiting a foreign government is prohibited under the Act.
      • Prohibition under the U.S. Economic Espionage Act“Economic espionage” and “theft of trade secrets” are defined under the EEA. For instance, the EEA has clearly identified two distinct offenses related to the misappropriation of a trade secret. The first offense, referred to under Section 1831 as foreign economic espionage, involves the misappropriation of a trade secret with the intent to benefit a foreign government or foreign instrumentality. The EEA has identified the offense of economic espionage and applies to whoever intends or knows that the offense is likely to benefit any foreign government, foreign instrumentality, or foreign agent, who (1) steels, obtains, appropriates without authorization, takes, conceals, carries away, by fraud, or deception, obtains a trade secret; (2) without authorization, duplicates, copies, draws, sketches, downloads, destroys, photographs, uploads, photocopies, alters, transmits, replicates delivers, mails, communicates, sends, or conveys a trade secret; (3) buys, receives or possesses a trade secret, knowing the same to have been appropriated, stolen, obtained, or converted without authorization; (4) attempts to commit any of the stated offenses; or (5) conspires with one or more people to commit any of the such described offenses, and one or more of such persons do any act to effect the object of the conspiracy.The second offense involves the common trade secret misappropriation, which arises under Section 1832. As per the latter, the federal criminal trade secret misappropriation requires proof of the intent to convert a trade secret to the economic benefit of anyone other than the proprietary of such trade secret and the intent or knowledge that the offense will cause harm to any proprietary of that trade secret. Furthermore, Section 1832 offenses involve trade secret theft committed by a competitor or an employee insider. The EEA offense of theft of trade secrets is applicable on “Whoever, with intent to convert a trade secret, that is related to or included in a product that is produced for or placed in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will, injure any owner of that trade secret,” knowingly (1) without authorization appropriates, steals, takes, carries away, conceals, or by fraud, or deception, artifice, or obtains such information; (2) without authorization copies, replicates duplicates, photo copies, sketches, draws, photographs, uploads, downloads, alters, communicates, destroys, transmits, sends, mails, delivers or conveys such information; (3) buys, receives, or possesses such information, knowing the same to have been obtained, stolen, or appropriated, or converted without authorization; (4) attempts to commit any offense described herein; or (5) conspires with one or more other persons to commit any offense described in paragraphs (1) through (3), and one or more of such persons do any act to effect the object of the conspiracy.
      • Exceptions to the ProhibitionsHowever, the EEA entails an exception to the economic espionage and theft of trade secrets prohibitions under  18 U.S.C. 1833,  which are applicable to any lawful activity conducted by the U.S. State, the U.S. governmental entity, or a political subdivision of the U.S. State, or the reporting of a suspected violation of law to any U.S. governmental entity, a State, or a political subdivision of a State, only if such an entity has lawful authority with respect to that violation.
      • Sanction for the violation of the U.S. Economic Espionage ActThose convicted of economic espionage in violation of 18 U.S.C. 1831 face up to 15 years in prison. Up to a USD 5 million fine is now attainable for the EEA violators since Congress first passed it. The maximum possible fine was increased to the larger of USD 10,000,000 or three times the value of the stolen trade secret by an organization. To be convicted for economic espionage under the same section of the EEA, prosecutors have to prove the defendant’s intent to benefit a foreign government, by which he knew that he possessed information falling under the trade secret scope and that such information was obtained without authorization. The EEA was applied in 2009 in the infamous case (United States v. Chung, 2011),  which was the fifth of eight authorized cases for prosecution in the 15-year history of the EEA. The Chung case, which involved Dongtan (Greg) Chung, a naturalized American citizen and former Boeing engineer who provided China sensitive aerospace and military information belonging to his employer, made the requirements for prosecution under the EEA more difficult.  The decision provided the crime elements and emphasized the need for the prosecutor to prove whether the defendant knew the documents amounted to “trade secrets” (“whether the information was a trade secret is a crucial element that separates lawful from unlawful conduct. Possession of open-source or readily ascertainable information for the benefit of a foreign government is clearly not espionage.”) The Chung case set the requirements that put into play the EEA’s application and highlighted the act’s key issues, such as the requirement of the reasonable measures’ standards taken by the trade secret proprietary, intending to limit the burden of requiring costly and stringent measures on the latter, and aiming to promote innovation and Intellectual Property (IP) development.The EEA was applied to economic espionage involving cybercrimes. In a recent case, (United States v. Yanjun Xu, 2021), a Chinese intelligence official, Yanjun Xu (known by different names), was found guilty at the end of 2020. As per Christopher Wray, the Director of the FBI statement, Xu corrupted insiders from the aviation industry to access GE’s IT infrastructures to assist the Chinese cyber units exfiltrating the company’s information after planting malware on a joint venture company computer.  As per the official statement of the U.S. Attorney, Vipal J. Patel, for the Southern District of Ohio, “Xu conspired to commit economic espionage on behalf of the Chinese government, he tried to steal the valuable innovation and trade secrets of industry-leading American aviation technology companies. This office will continue to seek to protect American innovation and hold accountable those who attempt to steal our nation’s science and technology, regardless of status or affiliation, whether civilian, military or spy.”  Xu’s extradition to the U.S. in this monumental case demonstrated the efficiency of the U.S. Criminal Division’s Office of International Affairs and the value of international cooperation, thanks to the Belgium Government and the Belgian Federal Police. However, it is challenging to prosecute economic espionage due to various EEA ambiguities starting from the definition of a trade secret to the elements to be proven. Therefore, it is crucial to identify how to prevent being a victim of economic espionage, as will be briefly demonstrated next.

      The United States is recognized for its innovation capabilities and the Intellectual Property- intensive industries that are supporting millions of jobs and contributing substantially to the nation’s GDP. Yet, IPs in the U.S. are subject to a tremendous level of theft, and there is a significant financial impact to stealing trade secrets.
      • The Economic Implication of the economic spying offenseIn addition to the billions in losses per year, IP theft’s harmful consequences exceed direct losses because IP losses are different from other sorts of property losses like losing real property or a vehicle that has been stolen and could be replaced thanks to insurance coverage. It is usually challenging to undo the harm caused by a stolen IP. For example, a company’s profits could be eroded due to trade secret theft, and consequently, jobs might be lost. For example, American Superconductor, a Massachusetts-based provider of clean-energy solutions, has lost an equivalent revenue of USD 100 million per year since 2011 due to the Chinese based largest customer, Sinovel Wind Grp., violating their contract after stealing the source code for its electronic components and installing a pirated version in wind turbines. Similar violations are increasing, and rogue states and nefarious actors continue to target corporate IPs. Such acts represent a threat to the national economy of targeted nation and cause a rippling effect that could crawl to other economies in the case of multinational corporations. Thus, awareness to mitigate the risk is essential.
      • Economic Espionage Risk Management To combat such harmful phenomena, it is crucial to adopt a multidisciplinary approach based on the “PMR” approach (Prevention – Mitigation – Reporting) to combat this parasitic behavior and stop this free-riding issue, which has a national security implication. Nonetheless, to prevent, mitigate and report, it is essential to identify, first, the root cause of the potential risks. The Act of economic espionage occurs through two sources: internal sources and external sources. Committing the offense of economic espionage through external sources is usually done through cyber intrusions after finding security vulnerabilities, followed by a malware insertion or other kinds of duplicitous software. Here, it is critical to differentiate between cyber economic espionage and in-person espionage in this context to address the applicable preventive measures. In fact, in the case of cyber-economic espionage, the “theft” is, most of the time, carried out remotely and outside the victims’ jurisdiction by parties who conceal their names and locations. However, sometimes, the offense gets more complex when an insider is helping a Nation-State party. Cybercriminals usually use various sophisticated means to commit the offense of economic espionage, like taking control of the Internet of things (IoT) in the target company to exploit and exfiltrate its IPs, insert malware, or use backdoors. The latter’s risk may be created through some imposed regulatory requirements by the foreign country, like the Chinese regulatory provisions requiring the U.S. tech financial institutions to turn over encryption software and source codes. Such regulatory requirements may leave backdoor entry points into secure networks, putting the company at risk of economic espionage in its home country. With those circumstances, multinational corporations need to assess the risks and the cost of doing business in a jurisdiction imposing such regulations. Such risks could be mitigated through preventive measures, including evaluating possible risky situations and finding vulnerabilities. Furthermore, companies working with governments or operating within sensitive industries should seriously consider the economic espionage problem. On the other hand, governments must take severe measures to face the rising threats and raise awareness. The U.S. may be taking as an example to emphasize the role of the executive branch in terms of support, awareness, and leadership to avert the cyber economic espionage threats and influence the lawmakers to combat this crime, as well as the legislative branch’s role in fighting such an offense, which is faced with hefty penalties. Nonetheless, it is worth mentioning that legislators must keep up with the pace of disruption to combat sophisticated crimes, which are usually used by criminals to challenge outdated laws and manipulate the gaps within the existing legislation like proving the offender’s link to another country and here comes the role of the law practitioners, cybersecurity experts, lawmakers, and the law enforcement agencies.
  • The Role of Law Practitioners:
  • Thus, it is essential to highlight the law practitioners’ role in economic espionage risk management, which may include the following: 
  • In-house legal teams are increasingly playing a vital role in negotiating better security software agreements to safeguard the company’s digital assets. When it comes to the legal protection of the organization’s IPs, lawyers and in-house legal teams must emphasize the need for the company to make a reasonable effort required by the applicable laws to keep the processes, mechanisms, tools, or formulas that are not publicly available secret.
  • Lawyers must aggressively go after trade secrets thieves through criminal and civil proceedings.
  • In-house attorneys have a critical role in conducting the background check during the hiring process before enabling new employees access to the company’s trade secrets and preparing the needed Non-disclosure Agreements for the new employees upon joining the organization.
  • Companies’ attorneys and legal Advisors must conduct thorough due diligence when the company is entering into a joint venture agreement with any party who would have access to the company’s trade secrets through any means.
  • During business negotiations, essentially in an international transaction, it is crucial to involve the legal team to guide the transaction and assist the business and technical teams.
  • The legal team shall supervise the disclosure of the trade secrets and make sure that the other departments are compliant with the terms of the contracts between the parties to the transaction and limit the disclosure of the company’s trade secrets to the strict minimum data.
Attorneys and the in-house legal teams are not only required to mitigate the contractual risks to protect the company’s trade secrets, but they also assess the risks related to potential legal challenges involving international parties in which trade secrets are disclosed. The in-house legal team must be vigilant and must implement a PRM roadmap to combat economic espionage within their area of expertise. Taking the example of the Wang Dong infamous case, Westinghouse Electric’s Chinese partner was indicted for “stealing from Westinghouse’s computers, among other things, proprietary and confidential technical and design specifications for pipes, pipe supports, and pipe routing within the nuclear power plants that Westinghouse was contracted to build, as well as internal Westinghouse communications concerning the company’s strategy for doing business” (from the Wang Dong Indictment.) That shows how entering transactions can be an entry point for trade secrets hunters with links to the adversaries to commit economic espionage, which could be averted through careful risk management conducted by the lawyers and in-house legal team. Furthermore, such legal risk management must be conducted in compliance with the policies and procedures implemented by the security teams – the cybersecurity and personal security teams – to protect the premises and the systems where such trade secrets are housed.
  • The Role of The Cybersecurity Team 
The cybersecurity team’s role in managing the economic espionage risks is paramount, since attackers and spies are becoming increasingly sophisticated, allowing them to circumvent many standard cybersecurity measures and outdated systems. No matter how sophisticated an adversary’s attack may be, there is still hope for the defense against these attacks. Here, we would mention [Sun Tzu, the great Chinese military strategist, once said, “if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one.] So to better understand the opponent, its attack methods, businesses can use a variety of cybersecurity and intelligence tools to detect and prevent cyber economic espionage. The potential cyber-risks may be averted using various tools and solutions including the following:
  • Sensors Coverage:
It is difficult to stop what you cannot see.” It is critical for organizations to have visibility of the entire environment to avoid blind spots that adversaries can use.
  • Threat Hunting:
More than ever, it is critical to have a firm grasp of the limitations of modern technologies. There will be a growing demand for managed, human-based threat hunting to complement the existing cybersecurity technology in many enterprises.
  • Cybersecurity Service Providers:
Companies may need help responding to highly sophisticated cyber threats. Thus, working with a top-tier cybersecurity service provider is an absolute must these days.
  • Cyber Fusion Centers:
The use of threat information aids in identifying and tracking malicious actors, campaigns, and malware families. As a result, threat intelligence is becoming increasingly crucial in determining the whole scope of an attack rather than simply confirming its occurrence. To track and evaluate metrics and make critical security decisions based on the collected information, as well as to provide operational and strategic services, a modern operation of cybersecurity has emerged as a service. Cyber Fusion Centers emerged to offer a single collecting point for data as a service. An organization’s tactical and strategic responses to attacks are coordinated in real-time by groups working together in a cyber fusion center. A cyber fusion center integrates multiple activities and combines the following key elements:
  • Threat Intelligence: operational, tactical, and strategic intelligence, which may include endpoint and user data, Indicators of Compromise (IoC), threat intelligence platforms (TIPs), and vulnerabilities.
  • Analytics: Analysis of operational and threat data, including user and entity behavior analysis.
  • Threat Detection: Threat identification using alert and security tools, such as firewalls, Security Information and Event Management (SIEM), intrusion prevention systems, intrusion detection systems, and endpoint detection.
  • Incident Response: Responding rapidly to threats, breaches, and attacks is the goal of incident response.
  • Governance and Compliance: Ensuring that all IT and security activities are in accordance with applicable rules and compliance requirements.
  • Threat Hunting: Detecting and remediating threats that aren’t flagged by security warnings.
The combination of integrated cyber defense, managed security services, intelligent automation technologies, and advanced analytics is a disruptive service provided by innovative cybersecurity service providers to manage the sophisticated cybersecurity risks that apply to averting cyber economic espionage and trade secrets theft. To recap, organizations need to implement a multidisciplinary approach combining various expertise to design adequate strategies and implement well-crafted policies and procedures using the knowledge of each business. Nonetheless, the multiple stakeholders must change the cultural behavior within the companies and take a series of measures to prevent nation-states’ competitive advantage losses on the one hand and spare expensive litigations and the long-term repercussions of trade secrets theft on business continuity on the other hand. Conclusion The digital era and what it encompasses from risks to opportunities within the “New Wild West” will remain the center of attention for the public and the pre-occupation of strategists and forecasters as well as governments and the international community. In fact, the digital revolution boosted by technological disruption has created unprecedented benefits for humanity thanks to its impact on societies and economies, creating new opportunities for businesses and increasing productivity, facilitating cross-border trade and service provision. Nevertheless, while a connected neural network ignites innovation and a better-connected world encourages cross-cultural exchange and offers new opportunities, there are also increased risks. Economic espionage and trade secret thefts related to cyber incidents targeting confidential data representing a critical financial asset for businesses are among the most growing risks. Such offenses could have a negative impact on innovation, increase the burden of security costs, cause reputational damage, and affect opportunity costs. To limit the threats of the misappropriation of trade secrets and cyber espionage, business leaders and their teams, cybersecurity service providers, governments, researchers, and law practitioners should collaborate and coordinate to combine their multidisciplinary expertise and joint strategies. Such strategies must focus on assisting businesses in addressing this challenge, Awareness, training, strengthening law enforcement, and enhancing institutional and coordination capabilities.

Most Popular



Related Posts