Tinker, Tailor, Soldier, Hacker: Russia and the U.S. Economic Espionage Act

and


Miranda Lupion graduated from the University of Pennsylvania with a B.A. in international relations and Russian language and literature. Cornell Overfield is a senior majoring in history and international relations at the University of Pennsylvania. 

 

From Fancy Bear to the Energetic Bears, the U.S. is bearing the brunt of the Kremlin’s savvy in compromising networks and email accounts. While Congress and tech companies remain fixated on 2016’s politically-motivated hacks and trolling, another equally potent and digitally-driven hazard fails to make headlines. Russian economic espionage (EE) operations remain a persistent and rapidly evolving threat – one for which the U.S. lacks the adequate legal tools to prosecute. A note on nomenclature: unlike industrial espionage, EE is conducted by or for the benefit of a government.

In the popular imagination, Russian EE evokes images of the Cold War or the post-Soviet 1990s. This impression isn’t entirely incorrect — that is, if we limit our definition of EE to cases in which physical infiltration and human intelligence collection techniques dominate. In 1924, the new Soviet government launched its EE operations, opening the Amtorg Trading Agency in New York. Amtorg aided Russian workers in collecting blueprints from companies like General Electric and Bell Telephone and transmitting this intel back to Moscow. Through the early 1940s, lenient export controls on Soviet purchases let officials easily obtain American aircraft and radar technology. Three decades after Klaus Fuchs penetrated the Anglo-American Manhattan Project, the Soviet Union boasted one of most integrated EE programs in the world. Through the Spetsinformatsiya (special information) system, the USSR’s 12 industrial ministries submitted requests to the the Military-Industrial Commission (VPK) for specific intel on foreign tech and military programs. The VPK then tasked its overseas operatives with procuring this information. It was arguably one of the most successful instances of central planning in the USSR’s history.

After 1991, policy makers predicted that EE would rule in a world won by capitalism. However, as the DNI’s annual Worldwide Threat Assessments show, the September 11 attacks and subsequent focus on terrorism and cyber threats meant that, for almost a decade, both Russia and EE lost the intelligence community’s attention. However, this breed of espionage is more common today than public perception suggests, as information breaches may fall under the U.S. law governing EE. In fact, recent Russian incidents, from the 2014 Yahoo hack to the Department of Homeland Security’s directive banning Kaspersky Lab software on government computers, suggest flaws in the U.S.’s Economic Espionage Act (EEA). Although a 2012 reform stiffened financial punishments, the law itself is stuck in the era of GoDaddy domains. Written in 1996, it’s too outdated to sufficiently combat the Russian threat. At a minimum, an effective law needs to (1) more clearly differentiate between private and state actors (2) distinguish between intent and co-option, and (3) clarify digital jurisdiction.

Although Fukuyama saw the post-Cold War world as a place where market economies and stark delineations between state and firm would reign, in countries like China and Russia state-centric models prevailed. Failing to anticipate the persistence of state-captured (but not state-owned) entities, the authors of the EEA seemed to buy Fukuyama’s thesis. Prosecution under 1831, the clause that governs EE, stipulates that the accused intends to benefit a foreign state or its instrumentality, meaning “any agency […] or […] corporation, firm, or entity that is substantially owned, controlled, sponsored, commanded, managed, or dominated by a foreign government.” In Russia, the state’s ubiquitous but sometimes ambiguous role in critical industries makes it difficult to determine what constitutes “substantial domination.” While Rosneft and Gazprom (although technically private) are clearly state-commanded, what about LUKoil, which is private, but historically friendly toward and susceptible to pressure from the Kremlin? The EEA needs to clarify the status of government-friendly or government-influenced companies – virtually all large, private corporations in Russia.

This grey area also challenges the issue of intent. A conviction under section 1831 requires that the defendant stole or attempted to steal a trade secret “knowing the offense will benefit a foreign government…” In Russia, amendments to the Yarovaya law, (to go into effect in July 2018), force private companies to store the content of calls and texts for six months, and Moscow has fined Telegram for refusing to provide the FSB with its encryption keys. The Kremlin could glean trade information from Americans communicating electronically with Russians, even though telecom operators did not necessarily intend for this information to benefit the state. Moreover, Russian law allows its agencies to compel companies, like Kaspersky Labs, to leverage their products in procuring sensitive information — including industrial secrets. While damaging, co-option is not covered under the EEA.

And how do hacks — the future of EE — fit into the picture? In 2014, the “Energetic Bears” a group of Russian hackers, targeted more than 100 Western oil and gas companies. The sophistication of their attack indicates government backing and the act targeted American entities. However, extraterritorial acts of economic espionage can only be prosecuted if the offender is a U.S. citizen, or if part of the offense occurred in the United States. This begs a meta question – is the internet considered U.S. territory? In 2017, the Justice Department charged two Russians, who likely never stepped foot in the U.S., with EE for their role the 2013 and 2014 Yahoos hacks. This case suggests that attackers can be prosecuted if the information they’re targeting is stored on U.S. networks or infrastructure. Today, nearly all business records are digitized, and the proliferation of an insecure internet of — cloud computing, rapid software development cycles that cut corners on security, and the breakdown of boundaries between work and home — has made cyberspace an EE goldmine. Yet the 1996 act doesn’t mention the internet – let alone cyber jurisdiction.

An improved EEA would address not only the jurisdiction of hacks, but also the definition of hacking. In the wake of Russia’s DNC email breach and the 2016 U.S. presidential election, the term hacking has gained primarily political connotations and is often incorrectly used to describe the work of social media trolls. While politically motivated hacks are serious, an amended EEA that spells out the role of hacking in EE might refocus some of the hysteria associated with Russia’s Facebook ads — of questionable effectiveness — on more damaging threats.