Can the United States Deter Commercial Cyberespionage?
Military espionage has proven to be an enduring feature of the nation-state system.1 Cyberspace added a new dimension to a very old craft without changing its essential nature. The United States and most advanced countries sharply distinguish between military cyberespionage on the one hand and commercial cyberespionage on the other. In the US view, deterring military espionage, whether through cyberspace or other means, is solely a task for the target nation and its military allies; however, deterring commercial cyberespionage should be a common task for all nations engaged in commercial exchange. China refuses to draw a distinction between military and commercial cyberespionage, and some other countries may share China’s views—especially in the wake of Edward Snowden’s revelations about the wide scope of surveillance by the US National Security Agency (NSA).
Cyberhacking shares the same technology as cyberespionage but with different objectives. The core goal of cyberhackers is “gotcha,” both through public disclosure of a target company’s confidential data on millions of customers and thousands of employees and by mining customer data to fraudulently draw on credit cards and bank accounts. The core goal of cyberespionage is to capture the target company’s trade secrets for commercial advantage. Sometimes core goals overlap, as for example when a company like Boeing is targeted.
Cyberhacking generally draws more public notice than cyberespionage, simply because millions of people are immediately affected and because perpetrators of cyberhacking crave publicity, while perpetrators of cyberespionage almost always seek to operate in the dark.
In 2014, prominent cyberhacking attacks hit Target, Google, Boeing, and Sony Pictures (see table 1). In a sensational case, hackers (almost certainly based in North Korea) intimidated Sony Pictures to cancel the release of The Interview by threatening terror attacks against US movie theaters. This incident not only inflicted severe costs on Sony Pictures but also alarmed US national security officials.
Fewer cyberespionage cases have been reported (some are listed in table 1), both because they embarrass the target company and because the perpetrator has no interest in disclosure. But among business circles, deterring cyberespionage has become equally as important as deterring hackers. Moreover, while cyberhacking is often the handiwork of isolated computer geeks or rogue nations (like North Korea), cyberespionage is usually sponsored by a company or country seeking commercial advantage and thus more feasibly subject to international discipline.
|Table 1 Cyberattacks on US companies reported in 2014|
|January||Target Neiman Marcus Yahoo!||Contact information hacked for 70 million customers; Credit card information hacked for 350,000 customers||Retail|
|April||AT&T||Credit and debit card information, including social security numbers, hacked for millions of customers||Communications|
|May||eBay Westinghouse Electric, US subsidiaries of SolarWorld AG, United States Steel Corporation, Allegheny Technologies, Alcoa, and United Steelworkers||Employee log-in information hacked; The US Department of Justice charged five Chinese military officers of Unit 61398 with hacking into US company servers and stealing trade secrets||Retail, Energy and utilities, Manufacturing, Unions|
|June||Feedly Evernote||Blocked access for 15 million users; Blocked access for 100 million users||Communications, Technology|
|August||US Investigation Services Boeing||Employee information hacked; Chinese national Su Bin charged with hacking defense companies and stealing manufacturing plans||Services, Defense|
|September||Google Apple iCloud||5 million Gmail usernames and passwords hacked; Apple user’s online data storage hacked||Communications, Technology|
|October||JPMorgan Chase||Contact information for 76 million households and 7 million small business firms hacked||Financial|
|November||Sony Pictures Entertainment||Personal and financial information of employees and corporate documents were stolen. FBI announced that North Korea launched the cyberattack.||Entertainment|
|Sources: Riley Walters, “Cyber Attacks on U.S. Companies in 2014,” Heritage Foundation, October 27, 2014 (accessed on February 18, 2015); and “Timeline of the Sony Pictures Entertainment Hack,” New York Times, December 18, 2014 (accessed on January 20, 2015).|
In May 2014, the US Department of Justice charged five Chinese military officers of Unit 61398 for hacking US companies including Westinghouse, SolarWorld AG, United States Steel Corporation, Allegheny Technologies Incorporated (ATI), Alcoa, and the United Steelworkers. This was the first time the US government publicly charged state employees of China directly with cybercrimes. The alleged crimes included conspiracy to commit computer fraud, unauthorized access to company computers, transmission of a program to damage protected computers, identity theft, economic espionage, and trade secret theft.2 In response, China harshly criticized the United States, citing NSA surveillance of the major Chinese telecommunication company Huawei and denying the commercial accusations. The US government argued that NSA surveillance has nothing to do with stealing confidential information to benefit US companies, thereby distinguishing between military and economic cyberespionage.3 Chinese military officers will not be flying across the Pacific to defend themselves in US federal courts, but the indictments signaled fresh US initiatives to deter economic cyberespionage and underscored broad US concerns about protecting trade secrets.
Trade secrets are confidential information about practices, products, or processes that a company endeavors to hold from public knowledge, thus enabling the rightful owner to better outcompete rival companies. The loss of trade secrets via cyberespionage obviously jeopardizes business prospects. Hacking can also inflict cleanup costs as much as $1 billion in a major episode.4
The Center for Strategic and International Studies estimates that the overall economic losses caused by cyberespionage and cybercrime are approximately $100 billion per year.5 The figure represents a mix of lost profits, lost exports, and lost employment. The US Department of Commerce estimates that every $1 billion of US exports supported 5,590 jobs in 2013.6 How many billion dollars of US exports are lost owing to cyberespionage is unknown, but the job losses in high-tech industries could run into the tens of thousands.
The current legal toolbox contains only modest deterrence weapons. The strongest US law against commercial cyberespionage is the Economic Espionage Act of 1996 (EEA), which authorizes criminal penalties against perpetrators. However, fewer than 150 cases have been prosecuted over the last two decades: Foreign hackers are hard to bring to justice, and proving intent to benefit foreign entities is difficult. Moreover, criminal remedies, when imposed, do not compensate US firms that have lost valuable trade secrets.
The United States has also sought relief through international trade agreements. The World Trade Organization (WTO) agreement on Trade-Related Intellectual Property Rights (TRIPS) condemns cyberespionage along with other forms of intellectual property theft. But it does not require WTO members to provide meaningful relief or criminal penalties through their national court systems. And in a WTO dispute the complaining country carries the burden of proof, which is a heavy burden when the origins of cyberespionage are usually obscure. Intellectual property chapters in US bilateral free trade agreements, such as the North American Free Trade Agreement (NAFTA) or the Korea-US FTA (KORUS), share the same weaknesses.7
With these shortcomings in mind, the United States is seeking to strengthen the protection of trade secrets both in domestic and international law. In the 113th Congress, Senator Chris Coons (D-DE) introduced the Defend Trade Secrets Act of 2014 and Representative George Holding (R-NC) proposed the Trade Secrets Protection Act of 2014. Both bills would create a private cause of action for trade secret owners to seek monetary damages in federal court.8 In the Trans-Pacific Partnership (TPP) and Transatlantic Trade and Investment (TTIP) negotiations, the United States has proposed to subject a cybercriminal to court jurisdiction both in his residence country and the damaged country.9 All of these proposals, if enacted, would substantially add to the toolbox of deterrence against commercial cyberespionage.
Of course neither the TPP nor TTIP would have an immediate impact on cyberespionage perpetrated from Chinese soil, since China is not a party to either accord. The long-standing problem of cybercrime originating in China has been compounded by China’s own cybersecurity policies, which require private firms to submit confidential data and even trade secrets to Chinese authorities with respect to information communication technology (ICT) products and services.10
Yet, over time, the new US legal initiatives, if enacted, will establish much higher standards for protecting trade secrets. Eventually the Chinese government (and others) might be persuaded to distinguish between military and commercial cyberespionage and to hold their firms and citizens accountable for the theft of trade secrets.11 This would represent a quantum improvement in today’s weak array of defenses against commercial cyberespionage.
1. Military espionage is occasionally limited by state-to-state “no collection” agreements between military allies. The United States, for example, has such agreements with the United Kingdom and Canada, among others.
2. For more detail, see “U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage,” Department of Justice, May 19, 2014 (accessed on January 20, 2015).
3. David E. Sanger, “With Spy Charges, U.S. Draws a Line That Few Others Recognize,” New York Times, May 20, 2014 (accessed on February 12, 2015).
4. Industrial experts estimate cyber insurance coverage can reach as much as $1 billion per attack. See Gina Chon, “Cyber attack risk requires $1bn of insurance cover, companies warned,” Financial Times, February 19, 2015 (accessed on February 19, 2015).
5. See James Andrew Lewis and Stewart Baker (2013), The Economic Impact of Cybercrime and Cyber Espionage, Center for Strategic and International Studies. This $100 billion figure falls in the middle of available estimates, which run from $14 billion to $350 billion. Also see chapter 16 in C. Fred Bergsten, Gary Clyde Hufbauer, and Sean Miner, (2014), Bridging the Pacific: Toward Free Trade and Investment between China and the United States, Peterson Institute for International Economics.
7. For more detail, see chapter 16 on cyberespionage in Bergsten, Hufbauer, and Miner (2014).
8. For an excellent summary, see Brian T. Yeh (2014), Protection of Trade Secrets: Overview of Current Law and Legislation, CRS Report to Congress (September 5), Congressional Research Service.