23 July 2015

CAN U.S. COURTS STOP CHINESE CYBERSPYING?


The recent near-simultaneous and computer-based disruptions of iconic American financial, transportation and media institutions raised reasonable fears that the United States was undergoing a focused cyberattack. Though it now appears the failures at the New York Stock Exchange, United Airlines and the Wall Street Journal were unrelated coincidences, the fears of an attack were well-founded based on the well-known and growing threats facing America’s critical communications infrastructure. Indeed, these suspicious acts came the day before congressional hearings once again disclosed a major cyber breach carried out by China — this time, a hack of 21 million Americans’ most private personal security information from the Office of Personnel Management. And more than just personnel files are at risk, with China’s widely discussed role in corporate espionage and theft of intellectual property entering the realm of epidemic proportions.


As former National Security Agency Director Keith Alexander has publicly stated, China’s campaign of cyber-enabled intellectual property theft constitutes the “greatest transfer of wealth in history.” Similarly, FBI Director James Comey has observed that there are essentially only two types of U.S. companies: those that know they have been hacked by China and those that have been hacked by China but don’t know it. These observations are backed up by criminal complaints that lay bare China’s involvement in thefts from the U.S. agricultural, aluminum, aviation, finance, glass, health insurance, nuclear power, software and steel sectors. One indictment speaks of a Chinese government database containing American corporate intelligence and others discuss known activities by “Unit 61398” of the Third People’s Liberation Army, Beijing’s signals intelligence service.

In this atmosphere of relentless attacks, officers and directors of hacked businesses may be held liable for failing to safeguard private information. And yet corporations wishing to “hack back” not only run the risk of sparking an international conflict, but also face potential U.S. criminal liability. Worse, it is still unclear how commercial and government-backed insurance policies will treat the costs of state-sponsored cyberattacks. And China just shrugs off official U.S. protests about cyberespionage, leaving U.S. businesses, burgled daily of their trade secrets by China, in an increasingly difficult position of being caught unable to retaliate and also unable to stop the attacks at their source.

So what can a company do that might make China reconsider its unending cyber offensive? U.S. companies whose intellectual property is stolen by China actually do have legal recourse. Civil remedies with considerable damages and enforceable judgments are available in federal and state courts, as well as before the International Trade Commission.

Documents from American cybersecurity firms, congressional committees, and the U.S.–China Economic and Security Review Commission suggest that prominent Chinese technology companies — including companies with U.S. subsidiaries — facilitate the ongoing espionage as a matter of Chinese “national defense construction.” According to the House Intelligence Committee, these Chinese companies are “obligated to cooperate with any request by the Chinese government to use their systems or access them for malicious purposes under the guise of state security.” Consequently, a case may be made that they, and the Chinese government, can therefore be sued under theories of joint and several liability.

Chinese cyberattacks involve unauthorized access of — and often damage to — computers used in foreign commerce in order to defraud victims of valuable things. When intellectual property is stolen, federal copyright infringement laws are also violated, as is the civil racketeering statute, which includes infringement and fraud among its predicates. Even wire fraud is in play, given its key role in the “spear phishing” attacks integral to Chinese cyberespionage.

Companies can also argue that state-sponsored, corporately enabled cyberespionage violates our federal Computer Fraud and Abuse Act (CFAA). Common law precedent on trade secret misappropriation and unfair competition laws at the state level also apply to Chinese companies profiting from the theft of American know-how. And, because members of Beijing’s Communist Party Central Committee maintain personal financial interests in companies benefitting from cyberespionage, and can therefore use their intelligence services to enrich themselves, the sovereign immunity defense may not apply to their misconduct.

Chinese companies suspected of helping Beijing’s spies refused to reveal basic information to Congress, such as their owners and directors’ names, and how they are financed and managed. Stonewalling like that in front of American trial judges would result in preclusion, sanctions or even entries of default.

The biggest available hammer, for a U.S. company willing to swing it, might be Section 337 of the Tariff Act of 1930. It offers the extraordinary relief of excluding imports that threaten substantial injury to American industries on the basis of a broad range of “unfair” activities, including products unfairly benefitting from trade secret misappropriation.

After cyberespionage, sales by American victims often fall while China’s exports of the same products to the United States rise. This is circumstantial evidence of trade secret theft. Under the Tariff Act, Chinese exports made with stolen American secrets could be turned back from our ports, on the basis of an International Trade Commission order.

Chinese leaders may have gotten used to disregarding American diplomatic protests about their country’s cyberespionage. But Chinese firms could still learn the hard way to respect our courts. The above list represents a few of the legal tools available to those willing to use them.

Kevin Carroll was senior counsel to the House Homeland Security Committee, and before that a CIA and Army intelligence officer. He is now an attorney in private practice and Adjunct Fellow at the recently established Center for Security & Resilience.

No comments: