Cambridge International Law Journal

I am indebted to the Cambridge International Law Journal for publishing my article ‘A Right to Bear Cyber Arms?‘ on its blog http://cilj.co.uk/2019/11/19/a-right-to-bear-cyber-arms/

Image by Pete Linforth from Pixabay

The article addresses the reintroduction of the Active Cyber Defense Certainty Act (ACDC) to the 116th U.S. Congress in June 2019 and concludes with the call for a common platform to be agreed on the more aggressive defensive cyber actions (hacking back/Offensive Cyber/legal right to bear cyber arms) that SMEs should and should not be permitted to conduct in defence of trade secrets.

How much longer can Europe afford to ignore cyber-enabled ‘trade secret theft’ as a form of IP Crime?

The latest report from the EUIPO and Europol on IP Crime threats assessment makes clear that such threats are viewed as limited to instances of piracy and counterfeiting. Important as these criminal activities may be to threaten the health of our economy such a limited approach is at odds with American jurisprudence where, ”the threat of trade secrets theft to U.S. corporations conducting business internationally is a well-recognized and extensively documented phenomenon”, and “top intellectual property priority” for investigation by the FBI. The United States Trade Representative’s Special 301 Report (2018) goes further by identifying a failure to adequately protect trade secrets by trading partners as a key area of concern, given U.S. government recognition that “trade secrets may constitute the most critical intellectual property assets” for U.S. corporations.

It was for this reason that the U.S. government reported it had been, “extremely active in Brussels in support of the EU trade secrets directive” (2016), using its co-chairmanship of the Transatlantic IPR Working Group to push ”this topic to the forefront on EU action on intellectual property matters”, albeit this legislative initiative was ultimately only limited to the civil law domain.

Work undertaken by the OECD in 2014 recognises that the U.S. leads the world in the legal protection of trade secrets, with the UK struggling to stay above the average – behind the legal jurisdictions of Canada, Lithuania, Spain, Japan, Netherlands, Ireland, Israel, New Zealand, Hong Kong (China), Singapore and Australia. A UN Conference on Trade and Development Report (2011) confirmed over 50% of global trade in services is now undertaken online, with a global fraud report (2010) recording incidents of data theft now surpassing that of physical theft. One area of primary concern highlighted by U.S. Secretary of State Hillary Rodham Clinton in 2012 was,”emerging powers are putting economics at the centre of their foreign policies” and making commercial cyber espionage a central part of their policy toolbox.

During his presidential campaign candidate Trump highlighted the blue-ribbon panel report into the Theft of American Intellectual Property, the updated version of which cites estimates of the value of trade secret theft as between 1% to 3% of GDP. It is sobering to note the Director of the European Centre for International Political Economy would point out, “there is no evidence or indication that cyber espionage against European firms is any lesser in scale than against other countries,” offering an estimation of “the cost of cyber espionage to Europe at 55 billion euros annually (and placing) 289,000 jobs at risk.”

Whereas the UK government would advocate that the solution lies with firms enhancing their own cybersecurity protection, such an approach is likely to become increasingly unrealistic as a holistic solution in the emerging 5G/Industry 4 era, where decades of R&D are susceptible to being ‘hacked’ at the click of the mouse.  Calls for parity of criminal law protection with SME counterparts in the U.S. can only be expected to grow within the UK.

With the UK providing notice to leave the EU and looking to build upon its current trading position with the U.S. a parity of criminal law protection against trade secret theft can only offer some reassurance to the U.S., with a trading partner which is currently said to offer better criminal law protection for the boardroom table than the theft of boardroom secrets (Alan Campbell QC 1967).

Welcome though such a legislative initiative might be for our vulnerable SMEs, Europol has already reported that national criminal legislation cannot of itself provide a unilateral solution. With TRIPS now nearing a quarter of a century of operation there are reassuring signs that the U.S., Japan and EU are starting to form a ‘coalition of the willing’ to work together on the margins of the TRIPS Council to elaborate upon the nature of the legal protection to be afforded under Article 39, with a special emphasis on SMEs (side event 9th November 2016).

Europe has been at the vanguard of developments for the legal protection of personal data, the question is whether the appetite now exists to extend the legal protection for valuable commercial data by using the criminal law.

EU takes action against cyber-enabled ‘IP theft’ perpetrated from outside the EU

In the first EU measure of its type, Council Regulation (EU) 2019/796 concerning restrictive measures against cyberattacks threatening the Union or its Member States [17th May 2019] contains targeted sanctions against online “external threats” to IP. This Regulation is aimed at threats which originate from outside the EU, use infrastructure from outside the EU, or otherwise the person(s) instrumental in such a cyberattack are established abroad (Article 1).

Amongst other criteria, Article 2 of the Regulation targets an actual or attempted cyberattack on IP which has a, potentially, “significant effect”, on the “loss of commercially sensitive data”. Such commercially sensitive data will fall within the definition of a ‘trade secret’ under Council Directive (EU) 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure [8 June 2016] if that data: 1. is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question; 2. has commercial value because it is secret; 3. has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.

Article 3 of this new Regulation imposes an asset freeze on natural or legal persons, entities or bodies who are responsible for the actual or attempted cyberattack; provide financial, technical or material support for or are otherwise involved in the cyberattack; or are associated with the natural or legal person, or bodies involved. As a result of such an asset freeze, all funds and economic resources belonging to, or controlled by, such listed persons and that fall under EU jurisdiction (e.g. held by EU banks) will be frozen. In addition, no funds or economic resources may be made available to or for the benefit of the said listed person by parties falling under EU jurisdiction.

This latest EU Regulation should serve to remind us that the “big international question” of cyberspace governance still remains to be resolved, albeit Sir Mark Sedwill (Cabinet Secretary, Head of the UK Civil Service and UK National Security Advisor) would note that the major private sector providers are more receptive than ever to its resolution (see Public Accounts Committee Oral evidence: Cyber Security in the UK, HC 1745 [1st April 2019] Q93).

In his article Jurisdiction In Cyberspace: A Theory of International Spaces Darrel Menthe asserts that, “unless it is conceived of as an international space, cyberspace takes all of the traditional principles of conflicts-of-law and reduces them to absurdity.” Akin to the “law of the flag” on the high seas, nationality of a vessel (manned or unmanned) in outer space or the nationality of the base in Antarctica, Menthe advocates, even in the absence of such a sui generis treaty regime as regulates the other three international spaces, that jurisdictional analysis requires cyberspace should be treated as a fourth international space governed by a comparable set of default legal rules (see Darrel Menthe, Jurisdiction In Cyberspace: A Theory of International Spaces 4 MICH.TELECOMM.TECH.L.REV 69 (1998)).