Cyber Vulnerabilities as Trade Secrets

Can a cybersecurity vulnerability—like a bug in code or a backdoor into a system—be a trade secret? Claiming a flaw as a trade secret may sound strange. Usually, talk of trade secrets conjures up images of scientists in laboratories or complex computer algorithms. But nothing in the definition of a trade secret excludes vulnerabilities. As the electronic theft of company secrets increases, recognizing cyber vulnerabilities as trade secrets could play an important role in safeguarding business information. For companies that depend on trade secret protections, increased digitalization means that their trade secrets may be exposed. And this exposure could result not only in diminished legal protections but also in a devastating loss of company profits, strategic advantage, or cutting-edge research. This Essay proposes that recognizing cyber vulnerabilities as trade secrets can limit those harms and protect important company information.

Introduction

Every year, trade secret theft costs American businesses between $225 billion and $600 billion.[1] Some of the thefts are perpetrated from the inside, like by a disgruntled employee who takes confidential files with him to his next job. But a significant portion of this figure comes from cyber espionage—digitally stealing confidential information or trade secrets from a commercial entity.[2] The digitalization of business records and data assists this form of cyber theft.[3] No longer do thieves need to break into a company’s offices and sneak out with physical files. Now, the crime can happen from anywhere, including the other side of the world.[4] And as companies increase the amount of information they store digitally, “they have more bits and bytes worth stealing.”[5]

Accompanying this increase in corporate espionage is an increase in the kinds of businesses targeted. The world of corporate spying is “no longer cent[e]red on a few ‘sensitive’ industries, such as defen[s]e and pharmaceuticals.”[6] Any business is at risk of having its proprietary information electronically stolen. Instead of a rarity, corporate espionage has “become a general business risk.”[7]

On top of the direct economic costs of corporate spying, this increase in cyber espionage greatly reduces companies’ incentives for innovation and investment.[8] And understandably so. There is less incentive to devote resources to research and development if that research, or any related proprietary information, could be compromised in a cyberattack. A competitor hiring a hacker to break into your system and steal your cutting-edge research is the modern-day version of a competitor hiring a photographer to take aerial photographs of your company’s new factory from an airplane. (Yes, that actually happened.)[9] A foreign government may target American companies’ data to help their own businesses “catch up with advanced U.S. technology.”[10] Or a cybercriminal may target your data in the hopes of selling it to a third party for a profit.[11] Given the range of threats, keeping trade secrets “safely locked in the digital vault can be devilishly difficult.”[12]

Fortunately for companies, trade secret law has developed rapidly over the last few decades to provide robust protection against these thefts. The Economic Espionage Act was passed in 1996 to “protect the trade secrets of all businesses operating in the United States, foreign and domestic alike, from economic espionage and trade secret theft and deter and punish those who would intrude into, damage, or steal from computer networks.”[13] The Computer Fraud and Abuse Act, most recently amended in 2008, allows for both criminal charges and civil suits against anyone who breaks into a computer “without authorization or exceeding authorized access.”[14] Nearly all fifty states have adopted the Uniform Trade Secrets Act (“UTSA”),[15] and Congress passed a federal version of the UTSA—the Defend Trade Secrets Act—in 2016.[16] So if a company’s top-secret formula is stolen, the legal system affords the company a variety of ways to remedy the issue.

But the problem of corporate espionage is not limited to stealing data or research outright. Though companies spent $219 billion globally on cybersecurity defenses in 2022,[17] there is no such thing as perfect cybersecurity, meaning that vulnerabilities—weaknesses in a system that can be exploited by an attacker—exist in any system.[18] Rather than hacking into a system and selling the data or information located within, some cybercriminals try to monetize these flaws by selling hacking tools, hidden exploits, or discovered system vulnerabilities on the black market.[19] This market for previously undiscovered software flaws (otherwise known as zero-day vulnerabilities) is of particular concern because, unlike data theft, it is unregulated.[20]

Currently, there is a private market for weeding cybersecurity vulnerabilities out of companies’ systems. Some cyber specialists, often dubbed “white hat hackers,” search company systems and equipment for vulnerabilities and report their findings to the company, sometimes for a small reward.[21] More proactive companies hire hacking specialists to find weak spots in their systems so they can address these issues before they are exploited.[22]

But the private market goes both ways: just as some hackers choose to sell their findings back to the company whose system is at risk, others choose to sell the information to competitor companies, foreign governments, or other interested parties.[23] And for good reason—the price on the black market for vulnerabilities is often ten to one hundred times higher than on the white market.[24] As the black market for vulnerabilities grows, companies’ proprietary information is put increasingly at risk.

Unfortunately, due to the lack of regulation of this market, there has been little stopping the growth in corporate espionage. Existing suggestions in academic literature for tackling the global trade in zero-day vulnerabilities include criminalization,[25] regulation through export controls,[26] and “increasing the payouts offered on the white market through a combination of liability protections, tax benefits, and subsidies.”[27] This Essay offers a simple alternative—or supplement—to these options: protecting cyber vulnerabilities through trade secret law.

By correctly applying trade secret law to zero-day vulnerabilities, companies will be afforded many options to protect their cybersecurity weaknesses from falling into the hands of their competitors or the public. A company whose system has been poked and prodded for vulnerabilities could bring trade secret claims under the applicable law, which could award them not only damages but also an injunction to prevent disclosure or use of the weakness. Federal trade secret law also allows for courts to issue warrants for property seizure, which could prevent the offending individual or organization not only from disseminating the vulnerability but also from conducting further operations.[28] Under the Economic Espionage Act or Computer Fraud and Abuse Act, an offending hacker—or competitor who knowingly uses stolen information—could be held criminally liable.[29] Trade secret law provides companies with many powerful tools for combatting the growing vulnerability black market. By treating vulnerabilities as trade secrets, the legal system will provide companies with far more protections for their systems’ weaknesses than currently exist. This, in turn, will help protect their underlying research and data.

One case has contemplated the application of cybercrime law to system vulnerabilities. In 2008, three undergraduate students at the Massachusetts Institute of Technology (“MIT”) planned to present research at a cybersecurity conference that exposed “weaknesses in common subway fare collection systems,” particularly the Massachusetts Bay Transportation Authority (“MBTA”).[30] Their demonstration promised to “present several attacks to completely break the CharlieCard” (the MBTA’s subway card), “release several open source tools [they] wrote to perform these attacks,” and reveal “how [they] broke these systems.”[31]

Ironically, the students’ presentation included a slide with the text: “What this talk is not: evidence in court (hopefully).”[32] But before they could give their presentation, the MBTA sued, alleging the students’ research violated the Computer Fraud and Abuse Act (“CFAA”).[33] Though the MBTA was initially granted a temporary restraining order, the U.S. District Court for the District of Massachusetts later denied the MBTA’s request for a preliminary injunction and dissolved the restraining order, finding that discussing the system’s vulnerabilities was likely not the sort of “transmission” covered by the CFAA.[34]

But the District of Massachusetts’s ruling is not the end-all-be-all for legal protection of vulnerabilities. The MBTA brought suit under the Computer Fraud and Abuse Act, not the Uniform Trade Secrets Act, as Massachusetts had yet to adopt the UTSA.[35] Nearly a decade later, the Massachusetts legislature passed the Massachusetts Uniform Trade Secrets Act, bringing it up to speed with forty-eight other states.[36]

Under the UTSA, the court’s decision to dissolve the temporary restraining order and deny preliminary injunctive relief could have come out very differently. A vulnerability or weakness in a company’s cybersecurity could qualify as a trade secret under the UTSA. Not only will recognizing vulnerabilities as trade secrets protect against innocent disclosures of proprietary information, as in the MBTA case, but it will also help reduce the growing threat of cyber espionage and weaken the market for vulnerabilities.

Part I of this Essay explains why vulnerabilities ought to qualify for trade secret protections under the definition of a trade secret in the Uniform Trade Secrets Act. Part II makes a normative argument for including vulnerabilities in trade secret protection. The Essay concludes by briefly revisiting the MBTA case to show how affording vulnerabilities protection under the UTSA would prevent future harms to the MBTA.

  1.  Fed. Bureau of Investigation, Executive Summary—China: The Risk to Corporate America (2019), https://www.fbi.gov/file-repository/china-exec-summary-risk-to-corporate-america-2019.pdf/view [https://perma.cc/93BF-FGZR].
  2.  See, e.g., Nicole Sganga, Chinese Hackers Took Trillions in Intellectual Property from About 30 Multinational Companies, CBS News (May 4, 2022, 12:01 AM), https://www.cbsnews.com/news/chinese-hackers-took-trillions-in-intellectual-property-from-about-30-multinational-companies/ [https://perma.cc/WT93-T5HL] (noting that “[t]he CCP continues to increase its theft of U.S. technology and intellectual property” via hacking operations).
  3.  Tim Maurer & Arthur Nelson, The Global Cyber Threat, Fin. & Dev. 24, 25 (Mar. 2021), https://www.imf.org/en/Publications/fandd/issues/2021/03/global-cyber-threat-to-financial-systems-maurer [https://perma.cc/6DN4-3YQR].
  4.  See, e.g., Phil Mercer, China Accused of Economic Espionage on an Unprecedented Scale, VOA News: East Asia (Oct. 18, 2023, 2:39 AM), https://www.voanews.com/a/china-accused-of-economic-espionage-on-an-unprecedented-scale/7315625.html [https://perma.cc/5ZPY-K4EV].
  5.  Corporate Espionage Is Entering a New Era, Economist (May 30, 2022), https://www.economist.com/business/2022/05/30/corporate-espionage-is-entering-a-new-era [https://perma.cc/8NJ3-S4T8].
  6.  Id.
  7.  Id.
  8.  Steve Morgan, Global Cybercrime Damages Predicted to Reach $6 Trillion Annually by 2021, Cybercrime Mag. (Oct. 26, 2020), https://cybersecurityventures.com/annual-cybercrime-report-2020/ [https://perma.cc/JG3C-Q8WL].
  9.  See E. I. duPont deNemours & Co. v. Christopher, 431 F.2d 1012, 1013 (5th Cir. 1970).
  10.  Eamon Javers, Inside China’s Spy War on American Corporations, CNBC (June 21, 2023, 9:10 PM), https://www.cnbc.com/2023/06/21/inside-chinas-spy-war-on-american-corporations.html [https://perma.cc/LXB2-3MCU].
  11.  See, e.g., United States v. Genovese, 409 F. Supp. 2d 253, 255 (S.D.N.Y. 2005) (describing defendant’s charges for attempting to resell Microsoft source code on his personal website).
  12.  Corporate Espionage Is Entering a New Era, supra note 5.
  13.  President William J. Clinton, Statement on Signing the Economic Espionage Act of 1996, 32 Weekly Comp. Pres. Doc. 2040 (Oct. 11, 1996), reprinted in 1996 U.S.C.C.A.N. 4034.
  14.  18 U.S.C. § 1030(a)(1).
  15.  Trade Secrets Act Enactment Map, Unif. L. Comm’n, https://www.uniformlaws.org/committees/community-home?CommunityKey=3a2538fb-e030-4e2d-a9e2-90373dc05792 [https://perma.cc/ML7V-BSCT] (last visited Feb. 26, 2024).
  16.  Defend Trade Secrets Act, Pub. L. No. 114-153, 130 Stat. 376 (2016).
  17.  Matt Kapko, Global Cybersecurity Spending to Top $219B This Year: IDC, Cybersecurity Dive (Mar. 17, 2023), https://www.cybersecuritydive.com/news/cybersecurity-spending-increase-idc/645338/ [https://perma.cc/6TV9-D7QT].
  18.  Jay Pil Choi, Chaim Fershtman & Neil Gandal, Network Security: Vulnerabilities and Disclosure Policy, 58 J. Indus. Econ. 868, 869 (2010).
  19.  See, e.g., Kate O’Flaherty, Notorious Hacking Forum and Black Market Darkode is Back Online, Forbes (Apr. 10, 2019, 12:06 PM), https://www.forbes.com/sites/kateoflahertyuk/2019/04/10/notorious-hacking-forum-darkode-is-back-online/ [https://perma.cc/LX4Y-HY8J] (discussing a site on the black market which “serves as a venue for the sale & trade of hacking services, botnets, malware, and illicit goods and services”).
  20.  Tom Gjelten, In Cyberwar, Software Flaws are a Hot Commodity, NPR (Feb. 12, 2013, 3:25 AM), https://www.npr.org/2013/02/12/171737191/in-cyberwar-software-flaws-are-a-hot-commodity#:~:text=In%20the%20context%20of%20escalating,inside%20his%20enemy%27s%20computer%20network [https://perma.cc/JT9J-NZSL].
  21.  Chris Teague, White Hat Hacker Cracked Toyota’s Supplier Portal, Autoblog (Feb. 8, 2023, 9:35 AM), https://www.autoblog.com/2023/02/08/white-hat-hacker-toyota-supplier-portal/ [https://perma.cc/B8V2-7NPE].
  22.  David Rudin, Safety Net: Hackers for Hire Help Companies Find Their Weak Spots, Fin. Post (Mar. 3, 2023), https://financialpost.com/cybersecurity/hackers-help-companies-find-weak-spots [https://perma.cc/HPV2-H3D9].
  23.  Andi Wilson, Ross Schulman, Kevin Bankston & Trey Herr, New Am., Cybersecurity Initiative, Open Tech. Inst., Bugs in the System: A Primer on the Software Vulnerability Ecosystem and Its Policy Implications 15–18 (2016), https://www.newamerica.org/oti/policy-papers/bugs-system/ [https://perma.cc/53AM-DYRN].
  24.  Lillian Ablon, Martin C. Libicki & Andrea A. Golay, Markets for Cybercrime Tools and Stolen Data: Hacker’s Bazaar 26 (2014).
  25.  Mailyn Fidler, Regulating the Zero-Day Vulnerability Trade: A Preliminary Analysis, 11 I/S: J.L. & Pol’y for Info. Soc’y 405, 424 (2015).
  26.  Id. at 432.
  27.  Nathan Alexander Sales, Privatizing Cybersecurity, 65 UCLA L. Rev. 620, 620 (2018).
  28.  18 U.S.C. § 1836(b)(2)(A)(i).
  29.  Id. §§ 1832, 1030(a), (c).
  30.  Complaint at 1, 7, Mass. Bay Transp. Auth. v. Anderson, No. 08-cv-11364 (D. Mass. Aug. 8, 2008).
  31.  Id. at 7.
  32.  Complaint, Exhibit 7 at 3, Mass. Bay Transp. Auth., No. 08-cv-11364 (emphasis added).
  33.  Complaint, supra note 30, at 12.
  34.  Transcript of Motion Hearing at 60, 65, Mass. Bay Transp. Auth., No. 08-cv-11364 (D. Mass. Aug. 19, 2008).
  35.  Complaint, supra note 30, at 12.
  36.  Aaron Nicodemus, Massachusetts Adopts Uniform Trade Secret Law, Bloomberg L. (Aug. 16, 2018, 5:29 PM), https://news.bloomberglaw.com/ip-law/massachusetts-adopts-uniform-trade-secrets-law [https://perma.cc/FYS3-QAG4]. New York has not adopted the Uniform Trade Secrets Act and instead still relies on common law tort claims. Though North Carolina has not adopted the UTSA, it is counted as one of the forty-nine because its state trade secrets law is very similar to the UTSA. See Christopher T. Zirpoli, Cong. Rsch. Serv., IF12315, An Introduction to Trade Secrets Law in the United States (2023).