AG Holder Addresses Cyber Security and Theft of Trade Secrets

2/20. Attorney General Eric Holder gave a speech in Washington DC regarding cyber security and theft of trade secrets.

Holder (at right) said that the Department of Justice (DOJ) "has made the investigation and prosecution of trade secret theft a top priority". He said that the DOJ "has also gathered valuable intelligence about foreign-based economic espionage"; but, he did not identify any foreign nations that conduct, or are home to, cyber theft of trade secrets. And, he called for greater cooperation among government agencies, and government and the private sector.

Substantively, he said little. He disclosed no new criminal arrests or prosecutions. He identified no offenders. He announced no new DOJ policies or practices. He proposed no new legislation. He said nothing about DOJ or FBI investigation or surveillance authorities or practices.

However, that the Attorney General devoted a speech to cyber security and trade secrets theft is in itself significant.

And, the Executive Office of the President's (EOP) Intellectual Property Enforcement Coordinator (IPEC) released a document titled "Administration Strategy on Mitigating the Theft of U.S. Trade Secrets". See, related story in this issue titled "IPEC Releases Administration Strategy Regarding Theft of Trade Secrets".

Holder discussed the nature of the problem. He stated that the proliferation of "smart phones, tablets, laptops, and other internet-access devices" and "cloud-based computing" creates "more access points and vulnerabilities that allow criminals to steal confidential information".

He added that "as new technologies have torn down traditional barriers to international business and global commerce, they’ve also made it easier for criminals to steal trade secrets -- and to do so from anywhere in the world. A hacker in China can acquire source code from a software company in Virginia without leaving his or her desk. With a few keystrokes, a terminated or simply unhappy employee of a defense contractor can misappropriate designs, processes, and formulas worth billions of dollars."

"By corrupting insiders, hiring hackers, and engaging in other unscrupulous and illegal activities, these entities can inflict devastating harm on individual creators, start-ups, and major companies." He elaborated that "Some of these criminals exploit pilfered secrets themselves -- often by extorting the victim company or starting their own enterprise. Others try to sell the illicit information to a rival company, or obtain a bounty from a country interested in encouraging such theft. And all represent a significant and steadily increasing threat to America's economic and national security interests."

He did disclose that the DOJ's National Security Division's (CSD) Counterespionage Section "has taken a leading role in economic espionage cases -- and others affecting national security and the export of military and strategic commodities or technology."

He also said that "We need to increase cooperation and coordination between partners at every level of government.  We need to improve engagement with the corporations represented in the room today. We need to find ways to work together more efficiently and effectively -- by following the road map set forth in the Administration’s new, comprehensive strategy.  And we need to do so starting immediately -- because continuing technological expansion and accelerating globalization will lead to a dramatic increase in the threat posed by trade secret theft in the years ahead."

IPEC Releases Administration Strategy Regarding Theft of Trade Secrets

2/20. The Executive Office of the President's (EOP) Intellectual Property Enforcement Coordinator (IPEC) released a document titled "Administration Strategy on Mitigating the Theft of U.S. Trade Secrets".

It states, among other things, that

• the US will put diplomatic pressure, mainly via the Department of State (DOS), on the governments of nations where trade secret theft is practiced
• the US utilize trade policy tools, including via the Office of the U.S. Trade Representative (OUSTR), and especially with the Special 301 process
• the US FBI will expand its investigations into trade secrets theft
• the US intelligence community will share more information with the private sector

This document also contains many items that are rhetorical rather than substantive nature.

Diplomacy and the DOS. This document states that "The Administration will continue to apply sustained and coordinated diplomatic pressure on other countries to discourage trade secret theft. This will be achieved by utilizing a whole of government approach directed at a sustained, consistent and coordinated message from all appropriate agencies to foreign governments where there are regular incidents of trade secret theft".

Trade Policy and the OUSTR. This document states that another strategy will be "Targeting weaknesses in trade secret protection through enhanced use of the annual Special 301 process, including the Special 301 Report". (Footnote omitted.)

It adds that the US will seek, "through USTR-led trade negotiations such as the Trans Pacific Partnership, new provisions on trade secret protections requiring parties to make available remedies similar to those provided for in U.S. law".

It should be noted that neither the People's Republic of China (PRC), nor other nations that are likely the most egregious thieves of trade secrets, are not parties to the ongoing Trans Pacific Partnership Agreement negotiations.

The Special 301 process, which was created by the Trade Act of 1974, requires the executive branch to identify countries that fail to protect the intellectual property rights (IPR) and market access of US companies, and take certain actions against those countries. These Special 301 provisions are codified at 19 U.S.C. § 2411, et seq.

Under the Special 301 provisions, the OUSTR identifies other countries that deny adequate and effective protection of IP or deny fair and equitable market access to U.S. artists and industries that rely upon IP protection. It does this primarily in annual reports. However, it also conducts out of cycle reviews (OCRs). And, it recently began doing separate notorious markets reports.

The definitions in Section 2411 are clear that Special 301 authority extends to trade secrets protection. Subsection 2411(d)(3)(F)(1) provides that "adequate and effective protection of intellectual property rights includes adequate and effective means under the laws of the foreign country for persons who are not citizens or nationals of such country to secure, exercise, and enforce rights and enjoy commercial benefits relating to patents, trademarks, copyrights and related rights, mask works, trade secrets ..." (Emphasis added.)

However, it should also be noted that the OUSTR's Special 301 reports have placed the PRC on the Priority Watch List, and detailed numerous denials of adequate and effective protection of IPR in the PRC, usually to little avail.

See, for example, report [54 pages in PDF] titled "2012 Special 301 Report", report [53 pages in PDF] titled "2011 Special 301 Report" and story titled "OUSTR Releases Special 301 Report" in TLJ Daily E-Mail Alert No. 2,231, May 3, 2011.

US Law Enforcement Investigations. This IPEC document states that DOJ and its Federal Bureau of Investigation (FBI) "will continue to prioritize these investigations and prosecutions and focus law enforcement efforts on combating trade secret theft. The FBI is also expanding its efforts to fight computer intrusions that involve the theft of trade secrets by individual, corporate, and nation-state cyber hackers."

Although, this document discloses nothing about "these investigations", such a number of personnel by area of expertise, whether the DOJ invokes Foreign Intelligence Surveillance Act (FISA) authority to investigate theft of trade secrets of US companies by foreign companies, or what investigation or surveillance techniques are being employed.

Information Sharing by the Intelligence Community. This document states that the Office of the Director of National Intelligence (ODNI) "will coordinate within the intelligence community to inform the private sector about ways to identify and prevent the theft of trade secrets that benefit a state sponsor or an entity with ties to a foreign government."

It also states that "ODNI will coordinate expanded discussions between the intelligence community and the private sector". However, missing from this document is any changes in law, and particularly regarding immunity, for private sector entities that provide information regarding cyber attacks to intelligence or other government agencies.

Information Sharing by the Private Sector. This document states that "The Administration encourages companies to consider and share with each other practices that can mitigate the risk of trade secret theft", and that the government "will help facilitate efforts by organizations and companies to develop industry led best practices to protect trade secrets".

However, there are a number of legal impediments to private sector information sharing, with other private sector entities, or government agencies, including risk of civil liability for data breaches, loss of proprietary information to Freedom of Information Act requests, and violation of privacy related laws and antitrust prohibitions. This document proposes nothing that removes these impediments.

This section of the report adds that "In identifying and promoting the adoption of best practices, it should be emphasized that such guidelines are intended solely to offer suggestions to assist businesses in safeguarding information they wish to keep secret and are not designed to be a minimum standard of protection".

Legislation. This document contains a section on legislation. However, it merely states that the administration will "review existing Federal laws to determine if legislative changes are needed to enhance enforcement against trade secret theft".

It makes no proposals for statutory changes.

It cites two minor changes to trade secret law enacted in the 112th Congress: S 3642 [LOC | WW], the "Theft of Trade Secrets Clarification Act of 2012" and HR 6029 [LOC | WW], the "Foreign and Economic Espionage Penalty Enhancement Act of 2012".

Other. This document states that the government will seek greater "international law enforcement cooperation", and conduct domestic "education and outreach".

People and Appointments

2/20. Former Rep. Jesse Jackson (D-IL) pled guilty in the U.S. District Court (DC) to conspiracy to commit wire fraud, mail fraud and false statements, in connection with his diversion of campaign contributions to personal use. See, Federal Bureau of Investigation (FBI) release.

More News

2/20. The Government Accountability Office (GAO) released a report [51 pages in PDF] titled "Information Security: Actions Needed by Census Bureau to Address Weaknesses". It finds that at the Department of Commerce's (DOC) Census Bureau (CB) "significant weaknesses in access controls and other information security controls exist that impair its ability to ensure the confidentiality, integrity, and availability of the information and systems supporting its mission". As a result, CB data and systems are at risk of "unauthorized access, disclosure, modification, or loss".

2/20. Google announced in a release the March 15, 2013 is the deadline to submit applications for its "Google Policy Fellowships".

SEC Chairman Addresses Regulatory Uses of IT

2/19. Securities and Exchange Commission (SEC) Commissioner Elisse Walter gave a speech at American University law school in Washington DC titled "Harnessing Tomorrow's Technology for Today's Investors and Markets".

Walter (at right) holds one of the Democratic seats on the Commission. She has been Chairman since former Chairman Mary Schapiro left the SEC at the end of December. However, President Obama's intent is to designate Mary Jo White Chairman when she is confirmed by the Senate.

She said that the SEC is "making an unprecedented investment in the cutting-edge technology we need to protect investors in today's blindingly fast and extraordinarily complex markets", and "to help make investors and other market participants smarter".

Te SEC is a large agency, with about 4,000 employees, that has a long history of failing to detect and stop large scale long running securities fraud, as for example, in the case of Bernard Madoff.

Walter discussed how the SEC will require regulated entities to build information technology (IT) systems and massive and merged databases that the SEC will then rely upon to monitor markets, public companies, investors, and others. She also discussed how the SEC is expanding its regulation of the private sector's use of IT to automate trading.

In contrast, she said nothing about crowd funding, the JOBS Act, making it easier for start up tech companies to raise capital online, or how IT can facilitate participation in equity markets by small investors.

She said nothing about the status of eXtensible Business Reporting Language (XBRL) in digital SEC filings, interactive data, or the extent to which this is enabling investors to more easily analyze corporate data, compare companies, and make more informed investment decisions.

Also, Walter said nothing about the SEC's misguided investigation of Netflix for using social media to communicate company information.

In Walter's vision, IT in private hands is something that needs to be regulated. In government hands, it can become a useful tool for expanded regulation, monitoring and surveillance. But, in her view, IT is not something that can make equity markets more efficient, more open to small and start up businesses, or more accessible to small investors.

MIDAS and CAT Databases. She addressed at some length the SEC's ambitious plans to rely up the IT based MIDAS and CAT programs.

She said that the SEC's Market Information Data Analytics System (MIDAS), which is an aggregation of trading information data, will enable the SEC "to examine the fundamental mechanics of today's high-speed markets".

She said the the SEC's new rule [351 pages in PDF] that national securities exchanges and other self-regulating financial organizations, SROs, maintain Consolidated Audit Trail (CAT) systems for use by the SEC could be "the most important regulatory development in my lifetime".

This yet to be implemented CAT rule is intended to provide the SEC with non-public data, including individual orders from individual accounts.

That is, the SEC has mandated that SROs develop IT based systems that would provide the SEC access to customer and order event information across all markets, from the time of order inception through routing, cancellation, modification, or execution. The SEC wants one single huge database that collects and merges data from all of these CAT systems.

Rules for Computer Based Trading. Walter next discussed the SEC's recent activities regarding regulation of the use of IT to automate trading. She said that "I have asked the staff to accelerate work on a regulation aimed at improving systems compliance and integrity -- something we are calling Reg SCI".

The SEC has long had an Automation Review Policy (ARP). Walter wants a rule.

She stated that she wants "to transform those voluntary guidelines into mandatory rules", that would mandate "standards" for "the core technology of the exchanges, significant alternative trading systems and clearing agencies".

NEP Algorithm. Next, she said that the SEC has "created a risk-based targeting algorithm for our National Examination Program that analyzes information obtained from SEC filings and other sources to identify the firms most likely to be putting investors at risk."

API Model. Next, she discussed the SEC's shadowy Aberrational Performance Inquiry (API) program. She said only that it is "an analytical model that uses performance data to identify hedge fund advisers worthy of further review". Just what this model is, or how it is implemented, the SEC does not disclose.

She asserted that "Ponzi schemers, whose funds tend to claim suspiciously high and consistent returns, can be identified and singled out for scrutiny".

Scrutiny may uncover fraud, which is bad for markets. It may also uncover superlative performance, which is good for markets and investors. Such scrutiny also imposes regulatory costs upon funds singled out by the SEC's API program. It may thus result in imposing significant costs upon, and therefore reducing the prevalence of, legitimate outperformers.

Electronic Bluesheet Analysis Platform. She also stated that the SEC has an "Automated Bluesheet Analysis Platform" (ABAP).

Blue sheets were once forms on blue paper that the SEC sent to clearing firms requesting certain information. Firms mailed back responses. Later, the SEC made these requests electronically, without blue sheets. But, the name stuck.

Walter said that ABAP is a "proprietary tool" that "links records of significant company news -- like an acquisition announcement -- with trading data to help investigators identify suspicious trading patterns".

Software Based Audio Surveillance. Walter also said that the SEC is listening to audio recording of, for example, "conversations between brokers and their customers".

Moreover, the SEC its using "an audio-searching technology that allows phonetic searches".

And this: "like a wiretap that lets the cop stay on the beat while the bad guy's phone calls are monitored, it can allow them to be many more places at once."

Netflix Sued Over Hastings' Facebook Posting

2/19. The Rosenfarb Law Firm filed a complaint [23 pages in PDF] in the U.S. District Court (NDCal) against Netflix and others alleging violation of federal securities laws in connection a Facebook posting by Netflix CEO Reed Hastings on July 3, 2012.

Nominally, the plaintiff is Martin Schulthes. They seek class action status to represent all purchasers of Netflix stock between July 3 and July 24, 2012, inclusive. Netflix announced its results for the second quarter on July 24.

Hastings wrote in Facebook on July 3 that "Netflix monthly viewing exceeded one billion hours for the first time ever in June". The gist of the complaint is that this was false and misleading, and deceived the market, not because it was literally false, but because he did not also disclose other information, and because this mislead analysts and investors that subscriber growth was greater that it actually was. Moreover, the complaint alleges, paid subscriptions to the Netflix streaming service are correlated with total viewing hours.

The complaint alleges that the Netflix stock price jumped up immediately after Hastings made his statement on Facebook on July 3. The complaint further alleges that the Netflix stock priced jumped down immediately after the release of the second quarter results. Hence, purchasers in this time period were injured.

The two count complaint alleges securities fraud in violation of Section 10b of the Exchange Act, and SEC Rule 10b5 thereunder.

The complaint also alleges individual liability of CEO Reed Hasting and CFO David Wells under Section 20 of the Exchange Act.

The Securities and Exchange Commission (SEC) launched an investigation into the same posting in December of 2012. See, story titled "The SEC Strikes Again" in TLJ Daily E-Mail Alert No. 2,486, December 8, 2012.

Netflix disclosed in a Form 8-K in December that the SEC is investigating whether there was a violation of the SEC's outdated Regulation FD.

This case is Martin Schulthes v. Netflix Inc., Reed Hastings and David Wells, U.S. District Court for the Northern District of California, D.C. No. 3:13-cv-00712-EMC, Judge Edward Chin presiding. Jorge Amador signed the complaint.

NTIA Releases Report on Reallocation of 1695-1710 MHz Band

2/19. The Department of Commerce's (DOC) National Telecommunications and Information Administration (NTIA) released a report [5 pages in PDF], as required by Section 6401 of the 2012 spectrum bill, that identifies the 1695-1710 MHz spectrum band for reallocation from federal to non-federal use.

The NTIA previously recommended reallocation of this band. See, NTIA November 15, 2010 report [262 pages in PDF] titled "An Assessment of the Near-Term Viability of Accommodating Wireless Broadband Systems in the 1675-1710 MHz, 1755-1780 MHz, 3500-3650 MHz, and 4200-4220 MHz, 4380-4400 MHz Bands". See also, and story titled "NTIA Announces Plan to Reallocate 115 MHz of Spectrum" in TLJ Daily E-Mail Alert No. 2,157, November 16, 2010.

The 112th Congress enacted HR 3630 [LOC | WW], the "Middle Class Tax Relief and Job Creation Act" in February of 2012. That bill, among other things, gave the FCC authority to conduct incentive auctions.

Section 6401(a) provides that "Not later than 1 year after the date of the enactment of this Act, the Secretary of Commerce shall submit to the President a report identifying 15 megahertz of spectrum between 1675 megahertz and 1710 megahertz for reallocation from Federal use to non-Federal use."

Then, "the President shall ... not later than 3 years after the date of the enactment of this Act, begin the process of withdrawing or modifying the assignment to a Federal Government station of the electromagnetic spectrum" described above.

The NTIA's 2010 report recommended that this 15 MHz be reallocated for "wireless broadband use on a shared basis".

The just released report states that the NTIA's Commerce Spectrum Management Advisory Committee (CSMAC) established a working group that "has been developing ways to facilitate the introduction of commercial wireless broadband in this 15 megahertz of spectrum through improved modeling of commercial wireless networks and the possible reductions in the size of exclusion zones". Moreover, this working group "has made significant progress toward an effective and efficient spectrum sharing framework".

Hence, the report states that the Federal Communications Commission (FCC) "can proceed now with its process to repurpose the 15 megahertz between 1695 MHz and 1710 MHz".

This report adds that "During its meeting in February 2013, the CSMAC will likely recommend a regulatory framework for sharing in the 1695-1710 MHz band that will allow flexibility for and coordination of actual commercial system implementation within the protection zones around federal meteorological-satellite receive sites".

This meeting is scheduled for February 21, from 9:00 AM - 12:00 NOON at the Stanford Institute for Economic Policy Research (SIEPR), in Stanford, California. It will be webcast. See, notice in the Federal Register, Vol. 78, No. 23, February 4, 2013, at Page 7758.

As directed by Congress in Section 6401(a)(3) of the Middle Class Tax Relief and Job Creation Act of 2012 (Tax Relief Act), this report identifies 15 megahertz of spectrum between 1675 MHz and 1710 MHz for reallocation from federal use to non-federal use.1 Specifically, the Secretary of Commerce, through the National Telecommunications and Information Administration (NTIA), recommends that the Federal Communications Commission (FCC) reallocate the 1695-1710 MHz band for commercial use.2

This recommendation reaffirms NTIA's January 2011 conclusion that the FCC should repurpose the 1695-1710 MHz band for wireless broadband use on a shared basis, as NTIA identified in its Fast Track Report.3

The just released report is titled "Identification of 15 Megahertz of Spectrum Between 1675 and 1710 MHz for Reallocation from Federal Use to Non-Federal Use Pursuant to Section 6401(a) of the Middle Class Tax Relief and Job Creation Act of 2012".

Mandiant Releases Report on Cyber Espionage by People's Liberation Army

2/19. Mandiant, a US based cyber security firm, released a report [76 pages in PDF] on February 19, 2013, titled "APT1: Exposing One of China's Cyber Espionage Units". See also, Mandiant release. It pertains to advanced persistent threats (APT) originating in the People's Republic of China (PRC).

The report states that "Mandiant continues to track dozens of APT groups around the world; however, this report is focused on the most prolific of these groups. We refer to this group as ``APT1´´ and it is one of more than 20 APT groups with origins in China. APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From our observations, it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen."

"Though our visibility of APT1's activities is incomplete, we have analyzed the group’s intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai ..."

The report also states that "Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China’s cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, our research found that People’s Liberation Army (PLA’s) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate."

APT1 engages in "large-scale thefts of intellectual property". Also, the report states, "The industries APT1 targets match industries that China has identified as strategic to their growth, including four of the seven strategic emerging industries that China identified in its 12th Five Year Plan".

People and Appointments

2/19. The National Telecommunications and Information Administration (NTIA) announced forty organizations to be represented on the First Responder Network Authority's Public Safety Advisory Committee (PSAC). See, NTIA release.

Go to News from February 11-15, 2013.