Dan Geer and Brock Dahl on Problems with Pending Cybersecurity Legislation

“For years now, there has been mounting evidence that many foreign nations and their corporations have been seeking to gain [a] competitive advantage by stealing the trade secrets, the intangible intellectual property of inventors in this country.”  – U.S. Senator Arlen Specter “Alarmingly, the new target of foreign espionage is our industrial base.  But for too many years, we were complacent and did not heed these warnings.  And we left ourselves vulnerable to the ruthless plundering of our country’s vital information.  We did not address this new form of espionage – a version of spying as dangerous to our national well-being as any form of classic espionage.  Today, that complacency ends.”  –U.S. Senator Herb Kohl The increasing visibility of America’s cyber vulnerabilities has focused attention in Washington on a range of cyber security issues: data security, consumer privacy, and cyber espionage targeted at U.S. government and private sector entities. The quotes above could have been ripped from today’s headlines. In fact, Senators Specter and Kohl made these comments nearly a decade and a half ago, as Congress passed the Economic Espionage Act of 1996 (EEA). Section 1831 of the EEA criminalizes the theft of a “trade secret” for the benefit of a foreign government – sometimes called foreign economic espionage (18 U.S.C. § 1831). While Section 1831 remains the most significant prosecutorial tool the government possesses to fight foreign economic espionage, it has a limited track record of success. Nonetheless, none of the current cyber security proposals in Washington enhance the government’s ability to investigate or prosecute such foreign economic espionage. More robust investigative and prosecutorial powers must be an ingredient in any efforts to strengthen the nation’s cyber security. In a time when cyber incursions make foreign economic espionage far easier, the prosecutorial power of the state is an essential element in combating foreign intelligence attacks on the U.S. competitive edge. On February 8, 2012, the Justice Department announced an indictment of five individuals for foreign economic espionage.  While this recent indictment sends a significant message to would-be thieves, the broader numbers with respect to prosecutions of economic espionage tied to foreign governments indicate that to date, the tool has not been as powerful as may have been anticipated. In the first five years after the EEA was passed, the government only prosecuted one individual for an 1831 violation. According to the Department of Justice, through October 2011, the government had only charged seven more cases related to foreign economic espionage. Though there is a general sense of the dangers posed by the theft of U.S. trade secrets, actually identifying such secrets and proving their theft under the EEA is challenging. The owner of the secret (think: company with a secret formula or algorithm) must show that it “derives independent economic value” from keeping the information secret and that it “took reasonable measures” to keep the information secret. Valuation presents one legal and policy challenge. The sensitive nature of the information, difficulty of identifying leaks, and problems with quantifying the negative competitive impact of lost proprietary information make estimates difficult to ascertain.   A recent study by the National Counterintelligence Executive noted that academic studies estimate a vast range of losses – between $2 to 400 billion per year. Those estimates also range over time, though a steady rise is evident no matter how the information is parsed.  At a firm level, projecting the losses from potential competition can be equally as challenging. In one of the most recent cases involving foreign economic espionage, the plea agreement reached with the defendant estimated losses to the company between $7 million and $20 million. In addition, firms must demonstrate that they took reasonable means to protect their information. Recent reporting on data leakages in general, however, reveals that firms are often unaware of the nature of cyber threats or that their systems have been compromised. In one of the most comprehensive annual studies available on data breach statistics, Verizon reports that roughly 86% of the breaches (in its sizeable data set) were discovered by external parties and reported to the victim. More specifically, roughly 76% of breaches were identified by a third party fraud detection system or by law enforcement. This report demonstrates a concentration of fraud detection in financial service areas were fraud detection practices are more sophisticated and where detection opportunities are more prevalent because of the usual immediate use of leaked financial information. It also reveals the continued reliance by the private sector on the government for cyber security support. Recent testimony by Kevin Mandia reinforces this latter point on reliance on the government. Mandia noted in October 2011 that in 48 out of the 50 most recent breaches his security firm Mandiant had investigated, the companies were notified by the government that a breach had occurred. Because systematic testing for trade secret infringements is not possible as it is with the theft of financial information, the numbers would seem to indicate a heavy reliance on law enforcement by companies with valuable trade secrets. Yet, in admitting the need for government assistance, the private sector must use caution in the type of assistance it seeks. The current flurry of statutory and regulatory activity surrounding cybersecurity could very well change the landscape of the American cyber economy for the foreseeable future. In their haste to do something on cyber security, various branches of the U.S. government are proposing solutions to the cyber problem, some of which could constrain the private sector as much or more than they assist it. Though there are a number of proposed bills bouncing around the Hill that address various aspects of the cybersecurity debate, there are generally three themes evident in the efforts of Washington policy-makers, none of which address the investigative and prosecutorial powers of the government with regard to foreign economic espionage. One type of proposal attempts to establish overarching frameworks for protecting the nation’s critical infrastructure by creating a permanent bureaucracy to oversee private sector cyber security practices. One of the most recent incarnations of this approach is the Cybersecurity Act of 2012 recently introduce in the Senate. (The PRECISE Act of 2011 proposed in the House also expands the bureaucratic infrastructure, but appears to contain a lighter regulatory approach.)  The Cybersecurity Act of 2012 sets up the Department of Homeland Security as a super-regulator that can require that any industry or entity falling under the rubric of critical infrastructure, as deemed by the government, will have to meet certain government-defined compliance standards. This Act is a modified version of the Cybersecurity and Internet Freedom Act of 2011, which also aimed at establishing a fairly sizeable bureaucratic infrastructure to address cyber threats. While the Congressional Budget Office has not yet analyzed the current version, it projected that the 2011 proposal would affect the operations of 50,000 entities; and at least one former Obama Administration cyber security official has criticized this sweeping approach and the burdens it would place on the private sector. In particular, many of the 50,000 affected entities will inevitably be small to medium sized enterprises that could face substantial burden under this new edifice, while the relative benefit (compared to other alternatives) remains unclear. Moreover, such sweeping acts tend to result in check-the-box style compliance regimes, similar to the Federal Information Security Management Act (FISMA), which can hardly keep pace with actual security threats. Quite simply, a large bureaucracy would lend further competitive advantages to big businesses capable of absorbing regulatory costs while hindering the agility needed to maintain true information security. A second approach focuses more narrowly on consumer protection, imposing penalties for data security breaches. This approach is evident in the current drafts of data security bills circulating through both the Senate and the House. The average regulatory penalty being considered (for imposition upon a private company) for failing the security standards and procedures stipulated in the bill is $5,000,000. To put this in context, each violation of 1831 of the EEA carries a $500,000 penalty for an individual (1831(a)) and $10,000,000 for an entity (1832(b)). Since, in practical terms, the government tends to prosecute individuals for violating the EEA, these new bills could make it more expensive for firms to  lose  data than for individuals to actively  steal  it, placing more substantial burdens on victims than criminals. A third alternative which is intended to more directly target foreign economic espionage offers liability protection to firms that voluntarily disclose cyber threat information to the intelligence community. This proposal has emerged in part from a recognition of the private sector’s concerns that revealing information about data breaches could expose companies to lawsuits and potential regulatory actions – particularly if either of the first two options are implemented. In addition to the potential civil liberties implications of providing such data to the intelligence community, however, it is not clear how such liability protections may work. While companies might enjoy immunity from, for example, Federal Trade Commission (FTC) Consumer Protection action, it would seem that they will still be obliged to reveal cyber risks in their regular securities filings with the SEC. One detailed empirical study has shown a correlation between a negative impact on stock price and the public revelation of security breach information, so it is uncertain that limited liability protections alone will mollify a concerned private sector. While the merits of each individual proposal currently circulating Washington are debatable, none supplement or enhance the government’s ability to actually pursue or prosecute the individuals and entities that are stealing trade secrets. However, there are steps that the government and private sector can take now to hopefully strengthen our country’s ability to attack foreign economic espionage. First, the policy community may do well to initiate a debate about what is truly meant by cyber security. Much of the confusion prevailing on the Hill comes simply from the different priorities and approaches being proposed. Once Congress truly knows what it is trying to achieve, then it can focus on a more effective set of measures in pursuit of those objectives. We think a helpful understanding of cyber security is the “absence of unmitigatable surprise.”  This understanding would be sensitive to the perpetually evolving threat landscape, recognizing that vulnerabilities will always exist in the public and private sectors, while driving resources towards the development of a resilient architecture for addressing evolutionary threats. This understanding would also account for Washington’s desire to refuse to accept ignorance of security threats from private sector actors. Yet, it would also admit that the rate of change in cyberspace excludes any comprehensive regulatory architecture, frozen in time at the point of publication in the Code of Federal Regulations, from adequately orchestrating our national response to cyber threats. In short, it still leaves a relevant role for the government to play an assisting and informative role to the private sector in responding to cyber threats, while recognizing the resilience required to achieve true security. More specifically, as Congress continues to hold a range of hearings on various aspects of the bills under consideration, it could be beneficial to explore the current challenges to the effective enforcement of 1831 and to supplement current proposals with legislative fixes to the challenges that are evident.   In addition to the valuation and demonstrative protection issues we have already noted, Congress may do well to more deeply examine the following:

• Investigations into the activities of foreign governments are likely expensive, and require adequate resourcing, which may not currently be provided.
• Rules of evidence may collide with the type of counterespionage activities which uncover foreign economic espionage, making it difficult to try a case effectively even when certain types of information are available.
• Diplomatic considerations may discourage the filing of such cases where the harm to the relationship may outweigh the benefit of obtaining a conviction, and the executive branch may need to be encouraged to take a harder line despite such diplomatic nuance.

The private sector can also take concerted action to work with law enforcement in combating foreign economic espionage. Companies will need to continue to enhance their own security practices while potentially preparing for heightened regulation in cyber space. The EEA provides a framework for thinking about the current imperatives.

• In light of expanding reporting requirements, the private sector can provide more specific feedback to Congress about the most effective means of communicating with law enforcement about breaches in a way that does not substantially harm their continued security and create unnecessary liability.
• Prudent firms will also work to concretely define and value the secrets they need to protect.
• Such firms will also need to develop a security architecture around those secrets, so that they can adequately defend against theft and potential claims of inadequate preparation in the future.

It will take time for the government and the private sector to establish a status quo for managing their security interests, but both can take steps now to effectively fight the economic espionage that threatens our national competitiveness.  The current range of options on the Hill seem to hoist substantial burdens upon the private sector while offering little government muscle to fight against the relentless pursuit of American intellectual property by foreign governments. In examining its options, Congress may do well to consider the challenges to bringing 1831 actions and making the necessary improvements to the legislative and resource architecture that the Executive branch needs to pursue cyber spies. The private sector, in turn, should be proactive in communicating to Congress the most effective means for cooperating on these issues. Dan Geer is Chief Information Security Officer at In-Q-Tel, the strategic investment arm of the US intelligence community, and Past President of the USENIX Association. Brock Dahl is an attorney at Wilson Sonsini Goodrich & Rosati; he formerly represented Treasury on the Afghanistan Interagency Operations Group and in the US Embassy in Baghdad.  The opinions expressed here are the authors' own.