Ryan Fayhee, a partner at Baker McKenzie in Washington, D.C. and a former Department of Justice national security prosecutor, details the latest threats and risks in white collar cybercrime.
What are the newest threats or risks that cybercrime poses to companies and executives, and what should they be doing that they might not have considered? What threats or risks, or new technology, are around the corner that they might not see coming yet?
As the Department of Justice began to focus on the theft of trade secrets and export controlled data nearly a decade ago, there were logistical limitations to acquiring so-called “crown jewel” proprietary data by electronic theft in contrast to the more regular illicit procurement of assembled controlled technologies sought only to be reverse engineered. Those limitations have long since dissipated. Of greatest concern today, sensitive data is increasingly stolen in bulk via sophisticated computer intrusions, occasionally foreign government sponsored, which can have serious national security implications. These cyber incidents also present unusual challenges for companies and their boards, particularly with regard to contact with law enforcement, and seemingly endless mitigation of secondary consequences such as derivative suits and reputational concerns. The damage calculations in recent criminal cases are simply staggering—often in the many millions in lost research and development dollars. Smaller companies have been put out of business altogether.
Modern collection methods have become even more advanced and include joint ventures with U.S. firms to conceal foreign ownership and the marketing of services and products to U.S. firms in order to gain entry to sensitive facilities and access to computer networks. The most recent and concerning trend in the arena is that cyber criminals are holding company computer systems “ransom” by rendering them inaccessible, only to be released in exchange for a large sum of anonymized bitcoins. The increasingly common use of an electronic ledger system for legitimate commercial uses, but also for virtually untraceable ransom payments, will cause this scheme to proliferate.
What should corporate executives be doing to minimize the risks and protect their trade secrets or other intellectual property? Are the risks and remedies any different depending on whether corporate espionage occurs inside a company versus externally?
Planning and preparing for a cyber incident at the board level is essential. Develop a plan well-suited to the company considering, for example, whether the greatest risk concerns financial information, privacy protected data, trade secrets, or export controlled data. The ultimate goal cannot be to eliminate the threat, but to minimize it and, should it materialize, to isolate the damage. The board should have confidence that the information and communication systems can be shut down or brought offline safely. Depending on the scope and nature of the business and other privacy considerations, there should also be a plan for how to best interact with regulators and notify customers.
Importantly, cyber programs should include an insider threat profile such that when an employee leaves a company, trade secrets and other proprietary information do not leave with him (or be made accessible to him via electronic means). Once a plan is in place, it should be tested through periodic exercises and its shortcomings remedied. Identify key information that holds the most value for the organization and take special steps to protect it. In certain instances involving material risk or the exfiltration of export controlled technical data, there is a legal obligation to disclose the breach to U.S. authorities. Accordingly, a contact with law enforcement should be identified–the FBI and the U.S. Secret Service tend to be the agencies which handle cybercrime. For incidents involving trade secrets or export controlled data, the FBI is likely to take on a primary role due to its counterintelligence and national security mission.
What governmental developments are impacting this arena? What are current best practices in light of evolving legislative, regulatory, and judicial developments?
There have been numerous policy advancements in cyber–the two most meaningful worthy of mention here will put law enforcement and the intelligence community in a more proactive posture. Late last year, the Cybersecurity Information Sharing Act (“CISA”) was signed into law. In the increasingly limited instances in which disclosure is not obligated by law, CISA encourages companies to voluntarily disclose breach data to the government directly by limiting liability for causes of action under privacy laws. Companies are expected to take advantage of CISA as a means for engaging law enforcement on a more regular basis without the fear of costly and often unfounded privacy suits. The Department of Justice and Homeland Security recently issued written guidance and interim procedures relating to CISA disclosures and many companies and commentators will be paying close attention to how these procedures will guide investigations in the months and years to come.
An also recent and more provocative countermeasure, the administration has issued an executive order authorizing the imposition of cyber sanctions on individuals and entities engaged in the theft of financial information, destructive cyber attacks, and economic espionage. This new sanctions regime is modeled after those that have proven effective in the counter-terrorism and counter-proliferation arenas by isolating bad actors from the global financial system and imposing trade restrictions that may lead to criminal enforcement actions. The Treasury Department has yet to make any designations under this new authority, but is expected to do so in the coming months. Other efforts by the administration to impose trade controls on specific intrusion technologies were met with overwhelming opposition from technology companies and were subsequently returned to the drawing board. As a consequence, the cyber sanctions are the one powerful tool that can effectively reach bad actors in faraway places where traditional law enforcement tools have proven ineffective.