Five Minutes With … National Security and Cybercrime Professor Ahmed Ghappour

This marks the inaugural “Five Minutes With” feature that Trade Secrets Watch will run occasionally.  These will be question-and-answers with notable figures in the trade secrets world.

TSW got a chance to sit down with UC Hastings College of the Law professor and Liberty, Security & Technology Clinic founder Ahmed Ghappour.  He had a lot to say about trade secrets, cybersecurity, and encrypting “all the things.”
 
TSW:  Ahmed, TSW is dying to know what you’ve been up to lately in the world of economic espionage.  What’s the inside scoop?

I spend a lot of time thinking about “Cyber Espionage”—which, in operational terms, might be defined as the clandestine exfiltration of information from a computer system through the use of cyber operations, and “Cybersecurity”—which for our purposes might be defined as efforts to protect against computer system breaches.

The prevalence of cyber espionage raises questions like: How do we protect our systems from exfiltration, and, once a system is breached, how do we respond, remediate and mitigate loss?   Relatedly, how do we adequately insure our systems?  What role should government regulation have in all of this?  What about the risk management sector? And, perhaps most pressingly, how do we contain/enforce trade secret theft in the international context?

A recent leak of a May 2014 draft of the multi-national Trans-Pacific Partnership (TPP) agreement revealed the addition of new text obligating its signatories to criminalize the misuse of trade secrets through “computer systems.”  The interest in trade secret protection by the U.S. Trade Representative arises largely from reports of widespread cyber-espionage against U.S. companies emanating from China, Russia and others. This has also led to domestic proposals such as this year’s Defend Trade Secrets Act, introduced in the Senate in April, and its companion House bill, the Trade Secrets Protection Act, which would create a new federal private right of action for trade secret theft.

Of course, even if these new U.S. bills pass, their enforceability against foreigners will be limited in practical terms. Introduction of new language on trade secrets into the TPP addresses cyber-espionage on the global stage. While countries like China would not be a party to either agreement, the reasoning is that if there is widespread agreement on the new global standards, diplomatic pressure can be applied on non-signatories such as China to comply. Additionally, the agreement provides political cover should the U.S. take unilateral measures against non-signatories to investigate and enforce trade secret misappropriation.

Still, attribution for an attack remains a crucial (and controversial) step for combatting cyber espionage. The decentralized nature and anonymity of the Internet make attribution of online threats challenging, even after a hack has been detected.  So, even when you realize you’ve been hacked (or were just hacked), it’s a challenge to figure out who the culprits are, their motivations for the attack, and whether they’ve disseminated your intellectual property and other protected information.

Each of these factors (and others) may determine the range of options a particular victim, or a state, has for response. In the international context, a cyber attack that destroys the infrastructure of a power company may be seen as an act of terrorism or war, depending on whether it was initiated by a state or non-state actor, and whether the damage was of a scale significant enough to rise to the level of a cyber “armed” attack as defined in Art. 51 of the UN Charter.  A less intense “state sponsored”  attack—say, one that exfiltrates millions of dollars’ worth of intellectual property from a leading electronics manufacturer—may only authorize a state response under the law of countermeasures under a theory that the hack violated U.S. sovereignty therefore constituting an “internationally wrongful act.”

The impacts of the attribution problem for trade secret enforcement in the domestic context are self-evident.  For starters, whom do you seek an injunction against if you don’t know who stole your trade secrets?  And, how do you deal with a scenario where your trade secrets are out in the wild?  Should it matter if a company’s competitors obtained proprietary information on a public website like Pastebin.org, where hackers are known to upload exfiltrated data and hack logs? Is asking the public to avert their eyes an option? What are the First Amendment implications?

TSW:  Okay, let’s nerd out in the cloak-and-dagger world for a minute.  You just published an article about “law enforcement hacking.”  What’s that, and why does it matter in the context of trade secrets?

In broad terms, it describes an investigative method where malware is used as a surveillance device by law enforcement. This involves the remote access of a computer (by a law enforcement agent) to install malicious software without the knowledge or permission of the owner/operator.

Once installed, malware controls the target computer, and can cause a computer to perform any task the computer is capable of—covertly upload files, photographs and stored e-mails to an FBI controlled server, use a computer’s camera or microphone to gather images and sound at any time the FBI chooses, or even take over computers which associate with the target (e.g. by accessing a website hosted on a server the FBI secretly controls and has programmed to infect any computer that accesses it).

The technique is especially handy in the pursuit of targets that have obscured their online location through the use of anonymizing software, proxies or otherwise.  Without this identifying information, current law enforcement investigation methods are useless.  On the other hand, network investigative techniques work by sending surveillance software over the Internet, so the physical location of the target computer is not essential to the execution of the surveillance.

Of course, the technique is not without its hurdles under both domestic and international law.  In the domestic context, it is unclear whether certain hacking methods used to track a computer whose location is unknown comport with the Fourth Amendment’s particularity and notice requirements.  In the international context, it is important to note that the vast majority of computers on the “Anonymous Internet,” comprising those who utilize tools to obscure their location online, are located outside the United States.  This introduces a host of legal issues as to law enforcement’s authority to execute unilateral searches overseas.  This also introduces an internal coordination issue: without advanced knowledge of the host country, how will law enforcement be able to adequately avail itself of protocols currently in place to facilitate foreign relations?

TSW:  How does law enforcement hacking affect trade secrets enforcement?

Authorities aside, the use of network investigative techniques certainly gives law enforcement a leg up in trade secrets enforcement — particularly because it provides a workaround for the attribution problem.  As things currently stand, companies may be tempted to “hack back” to prevent cyber network exploitation attempts in progress, to conduct investigative activities in the lead-up to enforcing an injunction or just to see the scope of what was stolen from them.  Indeed, some believe that the private sector is better equipped to conduct network investigative techniques.  However, this has not been tested by the courts, and is not without its complications.  As we speak, for instance, the FBI is conducting a probe into financial institutions’ use of cybersecurity firms to disable servers that were being used by Iran to attack the websites of major banks last year. At the same time, it’s not at all obvious whether the recently introduced Cybersecurity Information Sharing Act prohibits offensive or active “countermeasures” to keep systems secure.

TSW:   What’s the number one piece of advice you’d dole out to a company or an individual worried about cybersecurity, cybercrime and hacking, and protecting material like trade secrets?

ENCRYPT ALL THE THINGS.

TSW: Care to elaborate on that?

A company is supposed to take reasonable measures to maintain the proprietary nature of a trade secret, but whether and to what extent these measures consist of effective cybersecurity practices remains to be seen. On the one hand, companies should respond to the continued prevalence of cyber espionage by adopting effective cybersecurity measures. On the other hand, we’ve yet to define (or adequately understand) what effective cybersecurity measures comprise.

At the end of the day, most successful hacks are the result of some combination of poor information-security measures and human error.  Encryption won’t prevent attacks, but can significantly mitigate loss.  Something tells me a company that’s suffered a breach would have a lot less explaining to do if its sensitive documents were encrypted.  To that end, companies should encrypt all sensitive data—including (and especially) emails.  And if your system administrator tells you it can’t be done, it might be time to get a new one!