Cyber Security Threats Offer New Legal Challenge to Holding Spies Responsible for Espionage

In December 2014, naturalized US citizen Mostafa Ahmed Awwad was arrested by the FBI for attempting to sell blueprints of the US Navy’s brand-new nuclear-powered aircraft carrier, the USS Gerald R. Ford.[1] Awwad, a former Egyptian citizen and engineer in the Nuclear Engineering and Planning Department of the massive Norfolk Naval Shipyard, had a Secret security clearance and access to sensitive blueprints of the most advanced ship ever designed.[2] The case against Awwad is pretty cut-and-dry. Believing he was corresponding with an Egyptian Intelligence officer, Awwad turned over computer-aided drawings of the aircraft carrier, wore a pinhole camera in sensitive areas of the shipyard to record restricted information, and acknowledged that the information he provided would be sent to Egypt for use.[3] With the details of this case reading like a Cold War spy thriller, complete with dead-drops, spy gadgets, and a discreet payment left in a hole under a park bench in Southeast Virginia, the “Egyptian Intelligence officer” that Awwad was corresponding with was actually an undercover FBI agent.[4] Awwad was arrested, charged with attempted espionage, and recently sentenced to eleven years in federal prison.[5]

Modern-day espionage cases have all resulted in similar responses from the FBI and Department of Justice: arrest, try, and sentence. From Robert Hanssen to John Walker and Mostafa Ahmed Awwad, when suspected spies are caught, they’re tried and held responsible for their acts.[6] But how does our justice system’s response to espionage change when the actors are not physically within our country when they’re spying? What about when the secrets that are stolen are taken over the internet?

US defense contractors spend billions of dollars every year on research and development to design and build the most sophisticated and advanced military equipment in the world. The USS Gerald R. Ford, for instance, will cost nearly $13 billion to design and build once complete.[7] Similarly, the US military’s brand new F-35 Joint Strike Fighter has taken nearly twenty years and $400 billion to design and build, and its state of the art technology is more advanced than any other fighter jet ever built.[8] Coincidentally, shortly after its debut, China unveiled its new J-31 fighter jet, which strikingly resembles the F-35 in its design and performance characteristics.[9] The similarities, revealed to be from a 2007 data breach of US defense contractor Lockheed Martin’s computer servers by Chinese hackers, represent, “the greatest transfer of wealth in history,” and extend to include over fifty-terabytes of sensitive military weapon systems data—including the AEGIS Ballistic Missile Defense Radar System, and the Navy’s Littoral Combat Ship.[10]

This new form of digital-espionage leaves the US in unchartered territory. Can the US treat these breaches the same way as traditional espionage cases? Is it even possible to hold faceless hackers halfway across the globe accountable under the US criminal justice system? Furthermore, how is the dynamic changed when the hacker is an individual activist (or hacktivist) versus a nation?

Judging by the Department of Defense’s initially tacit response to the massive hacks, and only fully revealed to the public after documents released by Edward Snowden detailed the theft, policy-makers, defense leaders, and the law enforcement community do not want to publicly define these acts because doing so would tie their hands in their response. While on the surface these two different forms of espionage yield similar results (i.e. sensitive military and intelligence information in the hands of our adversaries), the complexities of holding the perpetrators responsible are worlds apart.

Furthermore, the question remains of where the line is drawn between espionage or something more. The 2014 Chinese hacks on the personnel and security clearance databases of the Office of Personnel Management went beyond the previous breaches of military technology.[11] Exposing over 22 million Americans’ social security numbers and personal life details, the hacks could have a very real, though likely not kinetic, effect on the lives of the US citizens whose information was stolen.[12]  By not defining these hacks or drawing any clear lines, the US retains the ability to choose how to best respond, and whether or not to make these responses public. Taking a hard line would tie the country’s hand whenever a breach occurs and could escalate a situation beyond the scope of the original act.

_________

[1] Howell, Kellan. “FBI Charges Saudi-born Naval Engineer over Plans to Sink Aircraft Carrier.” The Washington Times 06 Dec. 2014. Web. 13 Nov. 2015.

[2] Zapotosky, Matt. “Navy Engineer Admits Trying to Leak Plans for New Aircraft Carrier to Egypt.” The Washington Post 15 June 2015. Web. 13 Nov. 2015.

[3] Cavas, Christopher P. “Navy Engineer Indicted for Trying to Sell Secrets.” Navy Times 05 Dec. 2014. Web. 13 Nov. 2015.

[4] Id.

[5] FBI. “Navy Civilian Engineer Sentenced to 11 Years for Attempted Espionage.” FBI 2015. Web. 13 Nov. 2015.

[6] FBI. “Counterintelligence Cases Past and Present.” FBI 2013. Web. 13 Nov. 2015.

[7] Harper, Jon. “Funding Restricted for Ford-Class Carriers.” National Defense Magazine Sept. 2015. Web. 13 Nov. 2015.

[8] Wall Street Journal. “China’s Cyber-Theft Jet Fighter.” The Wall Street Journal 12 Nov. 2014. Web. 13 Nov. 2015.

[9] Goldstein, Sarah. “Snowden: Chinese Hackers Stole F-35 Fighter Jet Blueprints.” New York Daily News 20 Jan. 2015. Web. 13 Nov. 2015.

[10] Russian Today. “50 Terabytes! Snowden Leak Reveals Massive Size of F-35 Blueprints Hack by China.” Russian Today 19 Jan. 2015. Web. 13 Nov. 2015.

[11] Nakashima, Ellen. “Hacks of OPM Databases Compromised 22.1 Million People, Federal Authorities Say.” The Washington Post 09 Jul. 2015. Web. 14 Nov. 2015.

[12] Id.

The (Short)cut is the Deepest: The Implications of IP Theft on National Security

AirplanesRadiosCell phones.

What do these three technologies all have in common?  They were all developed and produced within the private sector but have proven indispensable to the government and military in protecting the nation.  It is important not to underestimate the importance that innovation has on a nation’s strength and power.  Imagine the military operating without airplanes or radios.

Arpanet. Torpedo Data Computer. Eniac.

Again, what is the relationship between these three technologies?  They were developed either by or under the control of the U.S. government and led to future innovations, including secure computer-to-computer communication.  These early computers were small enough to fit on a submarine or so large as to require 1800 square feet of floor space. The computer inside a cell phone, which communicates with orbiting satellites to pinpoint the user’s location, owes its development to military technology.  Imagine all of us operating without smart phones.

All of these products were created and produced by an investment of either public or private funds.  The only viable shortcut to creative innovation is theft of such innovation.  The danger that products will be stolen is ever present.  This risk has been compounded by the theft of intellectual property, which squanders the investment made in its development.  The sheer momentum of successful technological advances is dependent on entities, whether public or private, having some way to recover costs.  When trade secrets are stolen, these entities have no way to recover costs that were incurred during research and development.  It is not disputed that the retarding of innovation will likely occur with the loss of profits.  We have no idea what further advances could be created which could help us militarily, etc.  But how can we protect those inventions that do not yet exist?  With the increase of intellectual property theft, there is an increasing likelihood that the United States will not be the producer of these inventions because we cannot afford the research and development.

Intellectual property theft clearly hurts the nation financially, but it also impacts research and development.  When foreign entities engage in intellectual property theft, it results in less capital invested in search of solutions.  In a capital-intensive endeavor like research and development, anything that cuts into the revenue stream, cuts into the efficiency of the programs that either intentionally make us safer or have the potential to make us safer.  As we have explored earlier, many things that are produced or created in the private sector have applications for security and defense.  Alternately, items that are produced with government involvement often have mass market potential.  There is often not a bright line between which products are private and which are public.

Without a secure revenue stream, there can be no innovation.  As reported by CNBC, the companies identify a percentage of revenue devoted to research and development.  From a market value standpoint, some highly profitable companies spend less as a percentage but spend more as a total dollar amount.  By distorting and inhibiting this revenue stream, not only do the companies not retain the revenue needed for research and development, but the tax receipts also suffer due to this stolen profit.  When a company spends all of its time fighting the intellectual property theft, with reduced resources as a result of the theft, even less money can be allocated to research and development.  Consequently, fewer products are created, making the nation less profitable and potentially less safe.

U.S. intellectual property is under attack by threats both foreign and domestic, with China posing the greatest threat.  Not only does China conduct cyber espionage to infiltrate U.S. government networks, but it also uses these intrusions to fill the gaps in its own research programs, lessening the research and development expenditures supporting national science and technology development.  In 2013, China accounted for approximately 80% of all intellectual property thefts from companies headquartered in the United States, amounting to $338 billion in lost profits.  Because these multinational companies cannot afford to bypass China, they are forced to expend resources trying to prevent and mitigate intellectual property thefts.  The effects from these thefts span from counterfeited products to pirated operational processes and the reproduction of complete business models.

The voices of industry are adamantly aware of the need for a change both in industry standards and intellectual property laws. Due to our reliance on a global economy, ignoring the problem is not a solution.  Lacking the ability to wall off our intellectual property assets, we have no other recourse but to rely on the government to protect our interests. Unfortunately, the only consistent U.S. national security policy is its inconsistency with protecting the nation.  The U.S. government is content with spying on its citizens but resists sealing off its borders.  Currently there is much discussion emanating from Washington D.C. about the need for reform.  Additionally, President Obama could use his authority under the International Emergency Economic Power Enhancement Act (IEEPA) to declare that the cyber theft of intellectual property poses a threat to U.S. national security.  Yes, stricter sanctions for intellectual property theft will absolutely ruffle the feathers of U.S. trading partners.  All strong action has a cost, but inaction has a much greater cost.  How can the U.S. government ignore the impact that intellectual property theft is having on the nation by failing to reform intellectual property and privacy laws?