Can a cybersecurity vulnerability—like a bug in code or a backdoor into a system—be a trade secret? Claiming a flaw as a trade secret may sound strange. Usually, talk of trade secrets conjures up images of scientists in laboratories or complex computer algorithms. But nothing in the definition of a trade secret excludes vulnerabilities. As the electronic theft of company secrets increases, recognizing cyber vulnerabilities as trade secrets could play an important role in safeguarding business information. For companies that depend on trade secret protections, increased digitalization means that their trade secrets may be exposed. And this exposure could result not only in diminished legal protections but also in a devastating loss of company profits, strategic advantage, or cutting-edge research. This Essay proposes that recognizing cyber vulnerabilities as trade secrets can limit those harms and protect important company information.
Introduction
Every year, trade secret theft costs American businesses between $225 billion and $600 billion. Some of the thefts are perpetrated from the inside, such as by a disgruntled employee who takes confidential files with him to his next job. But a significant portion of this figure comes from cyber espionage—digitally stealing confidential information or trade secrets from a commercial entity. The digitalization of business records and data assists this form of cyber theft. No longer do thieves need to break into a company’s offices and sneak out with physical files. Now, the crime can happen from anywhere, including the other side of the world. And as companies increase the amount of information they store digitally, “they have more bits and bytes worth stealing.”
Accompanying this increase in corporate espionage is an increase in the kinds of businesses targeted. The world of corporate spying is “no longer cent[e]red on a few ‘sensitive’ industries, such as defen[s]e and pharmaceuticals.” Any business is at risk of having its proprietary information electronically stolen. Instead of a rarity, corporate espionage has “become a general business risk.”
On top of the direct economic costs of corporate spying, this increase in cyber espionage greatly reduces companies’ incentives for innovation and investment. And understandably so. There is less incentive to devote resources to research and development if that research, or any related proprietary information, could be compromised in a cyberattack. A competitor hiring a hacker to break into your system and steal your cutting-edge research is the modern-day version of a competitor hiring a photographer to take aerial photographs of your company’s new factory from an airplane. (Yes, that actually happened.) A foreign government may target American companies’ data to help its own businesses “catch up with advanced U.S. technology.” Or a cybercriminal may target your data in the hopes of selling it to a third party for a profit. Given the range of threats, keeping trade secrets “safely locked in the digital vault can be devilishly difficult.”
Fortunately for companies, trade secret law has developed rapidly over the last few decades to provide robust protection against these thefts. The Economic Espionage Act was passed in 1996 to “protect the trade secrets of all businesses operating in the United States, foreign and domestic alike, from economic espionage and trade secret theft and deter and punish those who would intrude into, damage, or steal from computer networks.” The Computer Fraud and Abuse Act, most recently amended in 2008, allows for both criminal charges and civil suits against anyone who breaks into a computer “without authorization or exceeding authorized access.” Nearly all fifty states have adopted the Uniform Trade Secrets Act (“UTSA”), and Congress passed a federal version of the UTSA—the Defend Trade Secrets Act—in 2016. So if a company’s top-secret formula is stolen, the legal system affords the company a variety of ways to remedy the issue.
But the problem of corporate espionage is not limited to stealing data or research outright. Though companies spent $219 billion globally on cybersecurity defenses in 2022, there is no such thing as perfect cybersecurity, meaning that vulnerabilities—weaknesses in a system that can be exploited by an attacker—exist in any system. Rather than hacking into a system and selling the data or information located within, some cybercriminals try to monetize these flaws by selling hacking tools, hidden exploits, or discovered system vulnerabilities on the black market. This market for previously undiscovered software flaws (otherwise known as zero-day vulnerabilities) is of particular concern because, unlike data theft, it is unregulated.
Currently, there is a private market for weeding cybersecurity vulnerabilities out of companies’ systems. Some cyber specialists, often dubbed “white hat hackers,” search company systems and equipment for vulnerabilities and report their findings to the company, sometimes for a small reward. More proactive companies hire hacking specialists to find weak spots in their systems so they can address these issues before they are exploited.
But the private market goes both ways: just as some hackers choose to sell their findings back to the company whose system is at risk, others choose to sell the information to competitor companies, foreign governments, or other interested parties. And for good reason—the price on the black market for vulnerabilities is often ten to one hundred times higher than on the white market. As the black market for vulnerabilities grows, companies’ proprietary information is put increasingly at risk.
Unfortunately, due to the lack of regulation of this market, there has been little stopping the growth in corporate espionage. Existing suggestions in academic literature for tackling the global trade in zero-day vulnerabilities include criminalization, regulation through export controls, and “increasing the payouts offered on the white market through a combination of liability protections, tax benefits, and subsidies.” This Essay offers a simple alternative—or supplement—to these options: protecting cyber vulnerabilities through trade secret law.
By correctly applying trade secret law to zero-day vulnerabilities, companies will be afforded many options to protect their cybersecurity weaknesses from falling into the hands of their competitors or the public. A company whose system has been poked and prodded for vulnerabilities could bring trade secret claims under the applicable law, which could award it not only damages but also an injunction to prevent disclosure or use of the weakness. Federal trade secret law also allows courts to issue warrants for property seizure, which could prevent the offending individual or organization not only from disseminating the vulnerability but also from conducting further operations. Under the Economic Espionage Act or Computer Fraud and Abuse Act, an offending hacker—or a competitor who knowingly uses stolen information—could be held criminally liable. Trade secret law provides companies with many powerful tools for combating the growing vulnerability black market. By treating vulnerabilities as trade secrets, the legal system will provide companies with far more protections for their systems’ weaknesses than currently exist. This, in turn, will help protect their underlying research and data.
One case has contemplated the application of cybercrime law to system vulnerabilities. In 2008, three undergraduate students at the Massachusetts Institute of Technology (“MIT”) planned to present research at a cybersecurity conference that exposed “weaknesses in common subway fare collection systems,” particularly the Massachusetts Bay Transportation Authority (“MBTA”). Their demonstration promised to “present several attacks to completely break the CharlieCard” (the MBTA’s subway card), “release several open source tools [they] wrote to perform these attacks,” and reveal “how [they] broke these systems.”
Ironically, the students’ presentation included a slide with the text: “What this talk is not: evidence in court (hopefully).” But before they could give their presentation, the MBTA sued, alleging the students’ research violated the Computer Fraud and Abuse Act (“CFAA”). Though the MBTA was initially granted a temporary restraining order, the U.S. District Court for the District of Massachusetts later denied the MBTA’s request for a preliminary injunction and dissolved the restraining order, finding that discussing the system’s vulnerabilities was likely not the sort of “transmission” covered by the CFAA.
But the District of Massachusetts’s ruling is not the end-all-be-all for legal protection of vulnerabilities. The MBTA brought suit under the Computer Fraud and Abuse Act, not the Uniform Trade Secrets Act, as Massachusetts had yet to adopt the UTSA. Nearly a decade later, the Massachusetts legislature passed the Massachusetts Uniform Trade Secrets Act, bringing it up to speed with forty-eight other states.
Under the UTSA, the court’s decision to dissolve the temporary restraining order and deny preliminary injunctive relief could have come out very differently. A vulnerability or weakness in a company’s cybersecurity could qualify as a trade secret under the UTSA. Not only will recognizing vulnerabilities as trade secrets protect against innocent disclosures of proprietary information, as in the MBTA case, but it will also help reduce the growing threat of cyber espionage and weaken the market for vulnerabilities.
Part I of this Essay explains why vulnerabilities ought to qualify for trade secret protections under the definition of a trade secret in the Uniform Trade Secrets Act. Part II makes a normative argument for including vulnerabilities in trade secret protection. The Essay concludes by briefly revisiting the MBTA case to show how affording vulnerabilities protection under the UTSA would prevent future harms to the MBTA.