Economic Espionage in Saudi Arabia: The Unrevealed Threat
Chapter Three: The Upcoming of This Threat on Saudi Arabia
3.1 The Unrevealed Threat of Economic Espionage to Saudi Arabia's Investments and Its Economic in General
Oil and gas producing nations such as Saudi Arabia have invested substantially in supercomputing, especially because this is a technology intensive activity that provides numerous opportunities for obtaining crucial information from different sectors. In fact, the difficulty of oil and gas exploration is frequently compared with space exploration due to the nature of extracting deposits from thousands of feet underground to the surface. These drilling techniques require computational innovation, which has led to the ever-increasing need for massive supercomputing resources. However, companies in the Saudi oil and gas production sector face serious issues about cyber security. Since the most important oil and gas production companies are state-owned, the threat of economic espionage is quite persistent. Cyber-attacks can result in major loss of intellectual property, and business intelligence intensifies the costs of security, deteriorates the flow of work, and harms business reputation.
Corporations reporting significant attacks endure a 1-5 percent decline in the value of their stock. Although there are companies that recover in this situation, others lose everything. For instance, Nortel Networks Ltd., a Canadian telecom giant, was compromised by Chinese hackers for almost 10 years before it went bankrupt in 2009. The infiltrations were so buried that it took investigators a number of years to establish the magnitude of damage to key information.
In 2012, the Saudi Aramco or the Saudi Arabian Oil Company, which is the Kingdom’s national oil producer, refiner and marketer of crude oil, was attacked by a virus. The virus was self-replicating, and it allowed unknown people to start overwriting files that perhaps spread across thirty thousand computers connected to the corporation’s network. Aramco took over two weeks to reinstate its network and recover from an interruption of its daily business processes instigated by a loss of data and incapacitated workplaces that originated from the occasion. Studies conducted after the attack indicated that the virus spread across the company’s network Shamoun. Although there have been cases of virus attacks on networks of various multinational corporations, an occurrence against Aramco corporation, a company that holds much of the global spare oil production capacity, represents the serious threat of economic espionage. The company is key to the global petroleum markets. It is the leading oil producer, it holds 10% of the world supply and 13% of crude oil production, and its sales surpass $200 billion per year.
The outbreak of the Shamoun virus probably had an impact on the operation of Personal Computers (PC) within the company, with the primary function of the malicious software being deletion of data from PC hard drives. Despite the fact that the attack did not result in explosion or oil spill hazards that could have impeded the company’s operations, it is apparent that the incident posed a serious concern about information security issues, particularly the protection of critical production details. The Shamoun-Aramco case occurred after years of cautioning about the dangers of economic espionage, particularly cyber-threats against key infrastructure. The security of petroleum infrastructure in Saudi Arabia has been a primary concern for both the U.S. and Saudi administrations for years because a slight disruption on the production facilities would immediately affect the prices and supply of oil. Furthermore, this would have a significant impact on the world economy. While the attack did not cause physical damage to key infrastructure in Saudi Arabia, it had a secondary effect on risk assessment for critical service providers globally.
In August 2017, another attack, which was identified as an instance of economic espionage, was carried out against a Saudi oil and gas company. This time the attack was not intended to just extinguish data or shut down the company, but it was designed to disrupt all the operations in the company and make an explosion. This was a serious occurrence in international cybercrime because these anonymous adversaries showed both the skill and determination to wreak severe physical destruction. Though the attack was countered, the United States stated that the attackers could still carry out their attack in different countries, because there are several industrial plants globally that depend on the same compromised computer systems that were engineered by the United States.
The August 2017 attack was serious and investigators have been silent about the issue because they could not identify the country or company where the virus originated from. However, the assailants were sophisticated and invested substantial resources and time, which implies that they were probably backed by an outside government administration according to experts who investigated the case. In this way, the attack emerged as an example of economic espionage with significant consequences for the Saudi administration.
The only thing that prevented the occurrence of the blast was that the assailants made a mistake in their coding. Though, the attack is viewed as a serious one when compared to a series of hacking attacks that have been carried out on oil production plants in Saudi Arabia. For instance, in January 2017, Tasnee or the National Industrialization Company experienced an incident where all its computers went black. This is an attack of economic espionage that targeted one of the few private petrochemical companies in the region. Upon the occurrence of the attack in Tasnee, the organization’s computers were destroyed, and the information was manipulated by presenting the picture of a Syrian child who attempted to escape the conflict in his native country.
According to Symantec, a global security company, as well as other experts, the intent of the assailants was to leave a lasting destruction on the oil companies and pass across a political message. This shows how the threat of economic espionage is extensively spread and targets key economies including the Saudi one. The recovery process following this attack was prolonged, which is associated with the complex nature of the incident. It appears that the described attack had a hidden agenda in the sense of challenging the plans of Crown Prince Mohammed bin Salman to modernize the country’s economy. His intention was to diversify the Saudi economy and generate jobs for the increasing youth population in the Kingdom. The assailants not only targeted the private sector, which is intended to enhance growth in the Saudi economy, but they also focused on the petrochemical sector, an essential part of the Saudi economy.
In recent years, the Saudi Kingdom has made an effort to support global oil prices by reducing its oil exports, an approach that is key to its endeavors to make a possible public offering of stocks for Aramco appealing to international investors. The Saudi Kingdom has claimed its intention to compensate for the lost returns by growing its refinery and petrochemical sector. There was specific technical information released about the Tasnee attack as well as other attacks carried out against Saudi companies. However, the August 2018 attacks were still under investigation though the investigators were convinced that the attacks were intended to trigger an explosion that would have killed a significant number of people. In the past, several explosions were reported at petrochemical companies in Mexico and China, and the consequences of these attacks were quite severe in terms of considering the death of several employees and the injury of many others.
An important issue pertinent to these attacks is that they infiltrated the Scheneider’s Triconex controllers, which contributed to the safe operation of the equipment by performing various normal functions. It is important to note that more than 18,000 plants around the world utilize these controllers, as those plants are mostly described as water treatment facilities and oil and gas refineries. The fact that the attackers developed their weapon against the Schneider equipment in Saudi Arabia means that they can also use the same method against Saudi allies, which is a quite insidious form of economic espionage. The Triconex system is viewed as a lock and key operation, which implies that the controllers can only be adjusted by physical contact. Therefore, the hackers accessed the system by creating a bug or an odd digital file, which resembled a legitimate copy of the system, though it was designed to harm the system.
Saudi Arabia also faces another problem regarding information technology vendors that they do business with because the vendors are targeted by the Tortoiseshell, a group that has not been previously documented. The Tortoiseshell sneaks into the IT networks of companies that provide IT services through the supply chain, and launch their attacks. Their primary goal is to take confidential data from end customers. It has been demonstrated that approximately 11 companies were impacted by these attackers, and most of them are in Saudi Arabia. In approximately two companies, the attackers were able to acquire domain admin-level access. Recent years have seen a rise of these attacks where assailants damage organizations by targeting elements that are less secure in the supply network. When these attacks of economic espionage occur, they take several forms. The most common form is the one in which attackers exploit services of third parties and software to infiltrate their target. Such attacks take place in numerous ways, mostly by high jacking software updates and adding malicious codes into legitimate software.
In the Saudi Arabian context, having anti-cyber crime law turns out insufficient. The Kingdom should have separate law that criminalizes the practice of economic espionage. This means that law reform is necessary in the country so that trade secrets can be adequately protected. The problem is that religion plays a significant role in enforcing laws in the Kingdom since the country is governed by Islamic laws. Thus, the law pertaining to trade secrets in Saudi Arabia was established under major Islamic principles and beliefs. Saudi Arabia enacted this law upon joining the World Trade Organization (WTO) in 2007. It is important to note that the Kingdom has demonstrated substantial efforts to enforce and protect intellectual property rights, which has been done with the purpose to make the country more attractive to foreign investors.
3.2 Overview of the Economic Espionage Act of 1996 and Other Convention
The Economic Espionage Act 1996
As noted in the previous section, the threat of economic espionage is upcoming on Saudi Arabia considering the numerous attacks carried out on state-owned and private oil and gas companies. Therefore, a common aspect emerging in this context is the protection of the country’s economy. In the United States, this aspect starts with every household, security personnel, as well as individuals from public entities up to the president. Several people from the political arena utilize this platform as they run for various offices. However, it should be noted that the Economic Espionage Act of 1996 is not a current issue, as it dates many years back after the United States had made a formal entrance into the First World War. The Economic Espionage Act of 1996 refers to different issues and situations that assume the use of economic espionage techniques. The condition of theft of trade secret should be met in order to classify a particular attack as an instance of economic espionage. In other words, the Act turns the theft of a trade secret into a federal crime.
Maintaining a high level of confidentiality of trade secrets is essential in order to apply specific legal provisions in cases involving economic espionage. Ideally, the Economic Espionage Act of 1996 is perceived as a ‘six title’ Act of Congress that was developed to deal with issues of intending and knowingly to use misappropriation of trade secrets of America. In other words, the Act of 1996 was implemented by the Congress to act upon industrial espionage (theft or misappropriation of a trade secret) . Whereas, the Act has a mutual focus, as the government typically does, additional issues were included related to insanity defense. Although the Act covers a number of issues, the analysis in this section is mainly focus on the element of economic espionage.
Under this Act, economic espionage is defined as the act of spying with the intention of unveiling the secrets of a competitor manufacturer or other industrial company. This process involves collecting data regarding the natural occurrence of a rival within the world of business. Therefore, it is the specific type of data, as well as the way this information is utilized, which matters especially where the lines of the law had been crossed. Under the Economic Espionage Act (EEA), the practice of misappropriation or theft of trade secrets is clearly classified as a crime. This apparently has important legal implications in terms of protecting national defense information.
In line with the assumptions made in the Economic Espionage Act of 1996, the trade secrets are associated with the general accepted legal types and forms of business, social, and economic information. The main intention of the 1996 Act was not intended to criminalize every kind of misappropriation of trade secrets, but it was implemented because of the increasing significance of intellectual property value. Thus, the enactment ensured that there is an initiation of prosecuting the offenders based on the scope of criminal activity, the type of trade secrets, and the scope of criminal activity, among other factors. Therefore, the Act is implemented not only to provide protection of intellectual property by prosecuting competitors with compromised trade secrets, but also to discipline organizations that tend to have trade secrets from their rivals.
3.2.1 Paris Convention
It has been indicated that the Paris Convention is applicable to cases of protecting industrial property. In fact, this convention is identified as one of the initial treaties providing specific guidelines on industrial property. Since the respective convention has 177 contracting members, it is considered one of the most extensively adopted legislations internationally. Within the category of national treatment, the convention suggests that every contracting member state has to offer similar protection to nationals of other member states. In addition, the right of priority provided by the convention goes to the case of patents, industrial designs, and marks. Ideally, the right is based on the regular first application of one of the contracting member states. In this case, the applicant may, within a certain period, apply for protection in other states.
These resulting applications will be viewed as they had been documented on a similar day as the principal application. Additionally, these ensuing applications, being founded on the primary application, will not be influenced by any occasion that occurs, for example, the distribution of a creation or the offer of articles bearing an imprint or consolidating a modern plan. One of the favorable circumstances of this arrangement is that candidates looking for insurance in a few nations are not required to introduce the entirety of their applications simultaneously. Yet they have at least an year to choose in which nations they wish to look for assurance and to sort out with due consideration the means vital for making sure about security.
Where an imprint has been enlisted appropriately in the nation of starting point, it must, on demand, be recognized for documenting and ensured in its unique system in the other nations that are subjected to the contract. In this context, enlistment might be declined in all characterized cases, for example, where the imprint would encroach the gained privileges of outsiders; where it is without unmistakable character; where it is in opposition to profound quality or open request; or where it is of such nature as to be at risk to compromise the general population. In any contracting state, when the utilization of an enrolled mark is obligatory, the enlistment cannot be dropped for non-use until a particularly set period, and afterward just if the proprietor cannot legitimize this inaction.
Each contracting state must decline enrollment and preclude the utilization of imprints that comprise generation, impersonation or interpretation, at risk to make disarray, of an imprint utilized for indistinguishable and comparable merchandise and considered by the respective authority of that state. Each contracting nation ought to reject enrolment and deny the use of imprints that contain, without consent, armorial course, state insignias, authority signs, and the approval of contracting nations. Similar arrangements apply to armorial orientation, banners, different seals, shortenings and names of certain intergovernmental associations, suggesting that aggregate imprints must be allowed security.
Additionally, modern systems must be protected in every state that contracts, and guarantees cannot be surrendered on the basis that statutes joining the idea are not fabricated in that nation. Despite what might be expected, there is allowance for insurance to exchange names in each contracting state without having a commitment to document or register the names. At the same time, there is need for measures to be taken by every contracting state against backhanded use of a counterfeit sign of the source of the commodity or the make-up of their producer or merchant. Therefore, each contracting state must ensure viable security against inexcusable competition.
In this context, it is important to note that the clause of unfair competition should be considered under the Paris Convention. The basic idea is to provide protection of the members against unfair competition. This is because a proper line should be drawn between fair competition and unacceptable behavior in terms of competition. Yet it has been indicated that the provision cannot explain what could constitute proper legal measures. Article 10 of the convention provides a quite generic view of unfair competition. A more extensive debate is needed to clarify different provisions pertaining to the clause of unfair competition.
3.3 Comparative Approach
It is important to compare the Economic Espionage Act of 1996 and traditional trade secret protection in Saudi Arabia. It is apparent that the Kingdom needs to transplant laws and regulations from the respective Act in order to have better protection against economic espionage. The two major provisions of the Economic Espionage Act of 1996 are focused on the prevention of trade secret theft by a foreign government and overall protection from theft of trade secrets by any entity. Since a significant gap exists in trade secrets law in Saudi Arabia, it is essential to understand better the Economic Espionage Act of 1996, and how its laws and regulations can be transplanted to the Kingdom’s legal system.
Based on the assumptions under this Act, Saudi Arabia should expand its list of potential types of trade secrets. The definition of trade secrets should be expanded to represent information in any form, both tangible and intangible. It is also relevant to understand the implications of the owner of trade secrets. According to the definition presented in the Economic Espionage Act of 1996, there is a single rightful owner of trade secrets. This implies a possibility to take reasonable precautions. The failure to consider such precautions obviously threatens the overall status of the trade secret information. Saudi Arabia should rethink the specific way in which it needs to identify and protect trade secrets in order to decrease the possibility for economic espionage.
In the process of defining misappropriation under the Economic Espionage Act of 1996, the creation of a new definition of what constitutes misappropriation seems reasonable. There are two provisions that should be taken into consideration while reforming Saudi Arabia’s trade secrets law, particularly prohibited conduct and affected parties. From the perspective of prohibited conduct, the provisions are quite broad in the sense of identifying specific acts and conditions of misappropriation. There are various ways in which trade secrets can be improperly acquired, thereby Saudi Arabia’s trade secrets law should be updated on the grounds of such diversity in the interpretation of trade secrets. In general, there are references to stealing, concealing, fraud and deception which emerge as aspects of the civil law’s prohibition against illegal business conduct.
Nevertheless, an important provision under the Economic Espionage Act of 1996 is to make it a crime to appropriate secrets without obtaining authorization from the owner of those trade secrets. The owner of those trade secrets should obviously meet the requirements of secrecy. In this context, it is important to take into consideration the development of a highly confidential relationship between the trade secret owner and the society at large. Yet it appears that some provisions under the Economic Espionage Act of 1996 turn out to be outside the normal reach of trade secrets law. Such provisions are associated with the prohibition against changing or destroying trade secrets.
In relation to the provision of affected parties under the Economic Espionage Act of 1996, it is specified that anyone, who knows that a particular offense will benefit any foreign government or foreign agent, should be punished. Saudi Arabia’s trade secrets law should be reformed around these lines in terms of refining the scope of action of the country’s legal system. The original intent mentioned in the Economic Espionage Act of 1996 was the focus on the problem of foreign business espionage. Yet defining the term ‘foreign agent’ appears problematic since the interpretation offers a quite narrow focus. This is because foreign agents are managed and dominated by a foreign government.
In transplanting laws and regulations from the Economic Espionage Act of 1996 to Saudi Arabia’s legal system, it is crucial to demonstrate a thorough understanding of the specificity of trade secrets. There is a substantial amount of self-effort that should be manifested by the trade secret owner, which should serve as a precondition for court protection. It is challenging to define trade secrets in different events, thereby the laws regulating these secrets actually result in significant uncertainty. In this case, all of the stakeholders involved in Saudi Arabia’s legal system should consider the issues pertinent to trade secrets strategically.
Nondisclosure agreements emerge as a common way in which trade secret owners tend to protect confidential information. Such agreements are an inseparable part of information protection programs, considering the agreements’ focus on improved protectability in litigation. The implementation of an appropriate trade secret protection plan is helpful for clarifying some of the issues and inconsistencies in the interpretation of trade secrets in the Saudi Arabian legal context. Along with nondisclosure agreements, the respective plan should include an effective policy for document protection, retention, and destruction. This will keep the parties adequately informed about the steps that can be undertaken in case the information in trade secrets is threatened.
3.4 Protection of Saudi Arabia’s Anti-cybercrime Law
Saudi Arabia enacted the anti-cybercrime law in 2007 to address different harmful activities taking place in cyberspace, including identity theft. This law contains 16 important provisions that address the relevance of setting key definitions, the strategic objective of the law, along with applicable sanctions in case the law is not followed. Article 1 from the Saudi anti-cybercrime law provides relevant guidelines on recognizing and understanding specific terms and phrases, particularly person, information system, information network, data, computer programs, computer, unauthorized access, cybercrime, website and reception. The list of terms and phrases is quite extensive, which demonstrates the intention of the Saudi authorities to ensure a thorough understanding of how the Kingdom’s legal landscape should be expanded by providing adequate protection against cybercrimes. It is important to note that Article 1 provides a solid basis of setting the context for developing strong anti-cybercrime law.
Furthermore, Provision 2 of this law clearly specifies the aim behind enacting the legislation. The aim of Saudi Arabia’s anti-cybercrime law is to combat cybercrimes that can be identified as instances of economic espionage. In this way, it is possible to ensure a high level of information security, which is helpful in protecting trade secrets. Saudi Arabia’s anti-cybercrime law aims to protect the legitimate use of computers and information networks, implying a relevant focus on the Kingdom’s national security interests. By considering Article 2 of the law, it is possible to gain a better understanding of protecting public interest and common values and principles. In turn, such protection is reflected in the national economic level in the sense that the Saudi anti-cybercrime law safeguards the country’s economy.
Article 3 of the law provides details about the punishment for a person who commits clearly specified cybercrimes. Spying on an information network is subjected to punishment under the law, along with the acts of interception or reception of data on a similar network. The invasion of privacy through different information technology devices also should be considered a potential threat to the integrity of information technology networks. In Article 4, there is more specific clarification on the types of cybercrimes that may be committed. One of these crimes is identified as acquisition of movable property or bonds, as such bonds are usually signed using a false name or identity.
The unlawful access to computers is mentioned in Article 5 of the law. Obstructing access to computers can cause significant disruptions in the services being provided. In order to prevent breakdown of services, organizations and individuals in Saudi Arabia should be thoroughly prepared not only to identify such risks and vulnerabilities but also to determine the best course of action, which is to focus on refining the existing anti-cybercrime law. Since there is a wide range of problems and issues mentioned in Article 6 of the law, it is advisable to understand the practical implications of such matters in order to improve individuals’ decision-making skills. The persistent problems described in Article 6 mostly refer to the production and transmission of materials on religious values, public moral principles, human trafficking, pornography, gambling, and drugs.
Article 7 of the law is dedicated to the construction and publicizing of websites for terrorist purposes. The idea behind such websites is to serve as communication platforms for leaders and members of terrorist organizations. Since similar websites can be designed to promote the ideologies and methods adopted by terrorist organizations, they significantly threaten cybersecurity and overall national security. In this context, Article 8 describes the punishment for individuals committing organized crime. It is clarified in Article 8 that offenders who hold a public office tend to use their power or influence.
Article 9 of the Saudi anti-cybercrime law further clarifies the conditions under which the previously described cybercrimes are committed. It is pointed out that the punishment for these crimes should not exceed the maximum punishment designated. Article 10 is similar to Article 9 in recognizing persons’ attempts to commit any of the previously discussed cybercrimes.
Article 11 of the law has a preventive function in the sense that it is related to the prevention of cybercrimes. This means that an offender may be exempted from the punishment intended for a particular crime if they inform the respective authority of the crime prior to any damage that may take place. In this way, more relevant insights can be gained into the precise means utilized in the perpetration of cybercrimes. Article 12 clearly indicates that the application of the law should not prejudice the provisions of other laws. These other laws are usually recognized as legal provisions pertaining to intellectual property rights.
Article 13 of the Saudi anti-cybercrime law is related to the confiscation of equipment and software used in the perpetration of cybercrimes. In addition, any websites used for the criminal purposes listed above should be shut down either permanently or temporarily, depending on the severity of the crimes. Article 14 of the law emphasizes the role of the Communications and Information Technology Commission in terms of its technical assistance provided to various security agencies in the Kingdom. The information generated in the collaboration among those agencies can significantly facilitate the investigation of cybercrimes.
In Article 15 of the law, the emphasis is upon the role of the Bureau of Investigation and Public Prosecution. The respective authority is responsible for carrying out the investigation and prosecution of cybercrimes. Based on the final Provision 16 of the law, there is clear information that the respective legislation should be published in the Official Gazette as part of the enforcement process. This aspect implies a high level of compliance, which guarantees sufficient accountability and transparency.
Another important development in the legal context of Saudi Arabia took place in 2012 when the Arab Cybercrime Agreement was enacted. This agreement aims to address the substantial increase of cybercrimes in Saudi Arabia. Another important aim outlined in the agreement is to strengthen the cooperation between Arab countries in responding to cybercrimes. Such changes to Saudi Arabia’s legal system implies the significance of enforcing the copyrights law in the country.
It has been pointed out that Saudi Arabia’s anti-cybercrime law tries to secure the safe exchange of data and the public interest in light of the growing threat of economic espionage. By addressing the urgency of the situation, Saudi Arabia’s authorities are focused on reviewing and updating the respective law to offer the protection presented in the Economic Espionage Act of 1996. The reason for undertaking major anti-cybercrime law reforms is that cyber economic espionage presents an emerging strategic threat. Ensuring a high level of cybersecurity is vital to the survival of the Kingdom’s economy. Yet is should be noted that the nature of cybercrimes has become more sophisticated, which makes it challenging for Saudi legislators to respond adequately to each threat.
The laws and regulations that should be implemented in the Saudi legal system should cover several areas. From the perspective of data interception, laws must prohibit the intentional interception of computer data for non-public use. In the process of intercepting transmissions of computer data, it is apparent that the communication channels lose a significant amount of their confidentiality. At the same time, individuals tend to decrease their trust in the respective communication channels. There should be more sufficient balance in governing laws pertaining to data interception.
Another important component related to the protection of Saudi Arabia’s anti-cybercrime law is described as data interference. Legislation in the Kingdom must be developed in such a way to prohibit any person from deleting, damaging, and changing another person’s computer data intentionally. When this act is done without authorization, it is apparent that it constitutes a criminal offence under Saudi Arabia’s anti-cybercrime law. It has been indicated that the act of data interference is associated with the use of a malicious code to delete or alter the specificity of computer data in another individual’s computer.
In relation to the aspect of system interference, legislation in Saudi Arabia on cybercrime, particularly economic espionage, should be based on the notion of prohibiting an individual from deleting, damaging and changing data in another person’s computer without having authorization or right. In this context, legislators should discuss the implications of illegal access. The perspective of cyberspace should be adequately taken into consideration in order to produce more valid inferences regarding the nature of changes under Saudi Arabia’s anti-cybercrime law.
In the context of existing state laws pertaining to cybercrime and economic espionage, substantial improvements should be made in the Kingdom’s legal system. A thorough exploration of existing laws and regulations in the country demonstrates the existence of persistent vulnerabilities that should be eliminated. In this way, Saudi Arabia will be able to carry out the prosecution of criminal activities without providing opportunities to criminals to evade the Kingdom’s justice system, especially if these activities comprise instances of economic espionage.
In revisiting anti-cybercrime law implications in Saudi Arabia, it is important to consider the link between cybersecurity and economic espionage. In other words, it has been noted that the cyberspace has been extensively utilized for conducting economic espionage attacks, which threaten the national security and economic interests of the Kingdom. Thus, it has been pointed out that cyber espionage carried out in the economic domain is a persistent threat to the national security of Saudi Arabia. Yet ongoing technological advancements and the process of economic integration occurring in the Kingdom have substantially changed the perception of national security in the intelligence area. The problem is that cyber economic espionage is part of a quite lucrative field in which all nations seem to participate.
In considering the legal aspects pertaining to the threat of economic espionage to Saudi Arabia, there should be greater emphasis on the increasing level of interconnectedness. Different governments around the world, including the Saudi one, have altered the way in which they perceive the issue of national security. The problem is that traditional acts of espionage have merged with the phenomenon of cybersecurity. In turn, this increased the complexity of understanding the new threat of economic espionage, including the laws and regulations that are being implemented in this context. The issue of cyber interconnectedness should be further explored in order to enable Saudi Arabia to understand the threat of economic espionage in a more holistic manner.
As illustrated in the Saudi anti-cybercrime law, there are substantial provisions that are focused on ensuring a high level of cybersecurity. Yet the Kingdom needs a law to cover all of the aspects outlined in the anti-cybercrime law. In other words, the current anti-cybercrime law in Saudi Arabia is not sufficient to address the multiple components of cybersecurity and national security. The need for developing a more comprehensive law is urgent than ever considering the substantial threat of cyber economic espionage.
3.5 Notable Economic/Industrial Espionage Cases
As indicated, the Economic Espionage Act of 1996 was enforced to protect the theft of U.S. trade secrets. U.S. organizations are losing billions of dollars per year as a result of economic/industrial espionage. Foreign intelligence activities are being carried out to steal U.S. corporate marketing information and specific details about technological advancements. There are several notable economic/industrial espionage cases that should be adequately explored to identify the level and scope of threat of this type of espionage.
An important case constituting an example of economic/industrial espionage is the one of Plant Cell Culture Technology. In considering the background of the respective case, it should be noted that the FBI arrested two naturalized U.S. citizens in 1997 who tried to steal a trade secret from a company about the utilization of the Taxol technology. One of the charged persons in this case was Hsu Kai-lo, as he was a Technical Director of the company in which he worked. In an attempt to obtain the Taxol formulate, Hsu cooperated with Chester Ho, another naturalized U.S. citizen, and Jessica Chou, a Taiwanese citizen. The three involved people in this economic espionage case obviously had a substantial experience in business development, biotechnology, and biological science and technology. However, they used this experience for malicious intentions since they planned extensively how to steal a particular trade secret.
In his attempt to steal the Taxol formula, Chou contacted a technological information broker to collect more relevant details about the formula. This indicated a well-developed plan to achieve specific goals. In fact, Chou presented the Yuen Foong Paper Manufacturing Company of Taiwan as having a substantial interest in the biotechnology field. As a result, the respective company demonstrated its strategic objectives pertaining to diversification. However, the technological information broker with whom Chou made contacts was an undercover FBI agent. After the indictment, it was concluded that the Taiwanese government was not involved in this case. Nevertheless, it turned out challenging to determine the foreign actors’ goals in the respective act of economic espionage.
Another notable case of industrial espionage involves Gillette. This case is from 1997 when an attempt was made to steal a trade secret about a new shaving system introduced by the company. Since Steven Davis, the person who committed this crime, was a former
employee of Wright Industries Inc., there are significant implications of intense competition in this case of industrial espionage. After pleading guilty, Davis was charged for playing an important role in this industrial espionage case, and he served 15 years and prison and solid fines.
The respective case prompted the FBI to introduce strong countermeasures developed to address the complexities in economic/industrial espionage cases. The most important countermeasure promoted by the FBI referred to the recognition of economic espionage as a real, substantial threat. As specified, this threat could either come from inside or outside the United States. As noted in the case involving Gillette, the threat of industrial espionage came from inside. In the case with Gillette, a domestic competitor was involved, as Davis stole important technological secrets from the respective corporation.
Another relevant countermeasure proposed by the FBI to respond to cases of economic/industrial espionage is to identify and specify trade secrets. It appears that companies are optimally qualified to value the sale of their products and services in the future. In the case of Gillette, there was a projected future sales valuation amounting to more than $1 billion. In this case, it was mentioned that in order to convict a person under the Economic Espionage Act of 1996, the government must demonstrate that the victim organization took the necessary steps to protect its trade secret. The respective trade secret is expected to have an independent economic value.
Moreover, the FBI emphasized the importance of developing and executing a comprehensive plan to safeguard trade secrets. From this perspective, it was indicated that clients’ proprietary information was not treated as a trade secret under the law when the organization failed to threat such information as a trade secret. Official guidelines pointed out that trade secrets should be adequately protected with important policies and procedures. Employees should be constantly updated on any changes pertaining to newly adopted rules and practices in addressing the threat of economic/industrial espionage.
In this context, it seems that cases of economic/industrial espionage represent a quite demanding area of practice. It is expected that stakeholders at organizations need to improve their knowledge of corporate security programs, which can help them identify and understand better certain aspects related to economic/industrial espionage. Such programs are comprehensively developed to include various components of security, safety, and fraud prevention. At the same time, it is vital to implement effective risk mitigation controls, which can help organizations address the growing threat of economic/industrial espionage.
In discussing notable cases of economic/industrial espionage, it is also important to consider how Kodak also became a victim of industrial espionage in the 1990s. The person who was charged in this case was Harold Worden, who was identified as a former employee of Kodak. It has been indicated that he stole a property of the company that amounted to millions of dollars. It has been considered quite problematic that this employee worked for the company for more than 30 years. During this long period, the employee gained a substantial experience in hiding important documents and utilizing them for malicious objectives. Upon leaving the company in 1992, Worden did not return the sensitive information back to Kodak.
It is also important to note that Worden attempted to sell his illegally obtained gains to competitors of the company. Moreover, this person tried to develop his own consultation company. Yet his attempts were unsuccessful. In analyzing the consequences from this case of economic/industrial espionage, it appears that many gaps and inconsistencies should be addressed in federal law. Once such clarification is achieved, the improved legal practices and regulations can be transplanted to Saudi Arabia in order to help the country become more consistent with the implications of solid laws pertinent to economic espionage.
An important recent case from the Economic Espionage Act of 1996 is the United States v. Kolon Industries, Inc. et al. in which the Department of Justice brought criminal trade secret misappropriation charges pertaining to the alleged theft of DuPont’s Keviar technology. These charges were pursuant to the respective Act, as Kolon Industries was accused of engaging in intense industrial espionage over the period of six years. It is apparent that the theft of the mentioned technology posed a significant risk to continuing the further operations of DuPont, especially in terms of considering the security implications associated with this trade secret theft.
Furthermore, the Economic Espionage Act of 1996 was used for the conviction of Samarth Agrawal in 2013. While working for the French bank Societe Generale, this person stole a High Frequency Trading (HFT) source code and provided it to a rival hedge fund in New York. Agrawal was found guilty on two major counts: trade secret theft and transportation of stolen property. The fact that this person was charged under the Economic Espionage Act of 1996 is indicative of the significant power given to courts to prosecute individuals, groups, and organizations that involve in the theft of trade secrets.
In 2013, another notable case of industrial espionage emerged in the United States. In United States v. Clark Alan Roberts and Sean Edward Howley, there were seven counts pertaining to the theft of trade secrets under the Economic Espionage Act of 1996, as well as three counts associated with wire fraud. Roberts and Howley were employees at Wkyo Tire Technology, and they violated important confidentiality agreements of the company by leveraging the organization’s business relationship with Goodyear Tire. As it can be seen in this case of industrial espionage, the Economic Espionage Act of 1996 provides clear guidelines for sentences, which are linked to the precise value of the misappropriated trade secrets. Yet the District Court in the respective case emphasized that the trade secrets had no value, which resulted in sentences of four months spent in home confinement.
Another case of economic espionage is from 2014, and it is related to the charges regarding the trade secret theft of Oreo’s whitening recipe. DuPont has taken drastic measures to keep the whitening formula as a trade secret, but the coveted recipe was stolen by Walter Lian-Heen Liew and Maegerle. Once the defendants stole the respective trade secret, they sold it for the colossal amount of $20 million. It is important to note that in this case of economic espionage, the government was provided with a powerful tool to protect intellectual property interests in the United States.
In 2014, the U.S. government filed numerous charges against Chinese officials for the theft of trade secrets. These Chinese officials stole important sensitive information from various U.S. organizations. For example, confidential and proprietary technical information for pipes and pipe routing was obtained illegally. At the same time, the Chinese officials exploited a series of vulnerable servers, which resulted in the theft of network credentials. In this context, it should be noted that assessing the precise cost of cyber espionage and its impact on the U.S. economy is rather challenging. However, it has been discussed by some economists that the damages claimed from economic espionage are substantial.
One of the most recent cases of industrial espionage is identified as United States v. Sazonov. Sazonov was arrested in 2017 for allegations of stealing an important computer code from his employer, Susquehanna International Group. This attempted theft took place through a trading platform since the respective organization’s primary business operations are in the sector of securities trading. In the course of the investigation against Sazonov, it was revealed that he took quite comprehensive steps to conceal his theft. For instance, he utilized a camouflaging strategy to cover the stolen source code with harmless emails. This case of economic espionage illustrates that the defendant’s maximum sentence of ten years in prison and maximum fine were in line with the provisions made under the Economic Espionage Act of 1996.
The most recent case of economic espionage is United States of America v. United Microelectronics Corporation, et al. This case clearly illustrates the tense relationship between the United States and China, especially with regards to trade issues. In this context, it has been observed that China-United States trade secrets tensions started to escalate. In the mentioned case, a Taiwanese organization backed by China was accused of a substantial increase in economic espionage activities against U.S. companies. During the course of the investigation in this case, it was revealed that attempts were made to steal trade secrets from Micron. The U.S. government took all relevant measures to address the issue of economic espionage as diligently as possible. The impact of economic espionage on U.S. organizations was adequately taken into consideration in order to determine strategic options of how these companies will continue functioning in the conditions of increased trade tensions between the United States and China. The problem is that the situation with economic espionage is already out of control, which means that more drastic measures should be implemented to address the issue.
As illustrated in these cases of economic espionage, the enactment of the Economic Espionage Act of 1996 aimed to develop key strategic partnerships between representatives of the U.S. intelligence community and the law enforcement sector, which could improve investigative efforts on economic/industrial espionage cases. The direct effect of the Act implies the prevention of a substantial economic loss for the companies involved in different economic/industrial espionage cases. However, such prevention is not always possible despite the significant efforts of stakeholders in different fields. In terms of indictment and prosecution, as illustrated in Gillette’s case, the close cooperation between the U.S. government and the U.S. industry was apparent.
3.6 Conclusion and Recommendations
This chapter focused on describing important implications related to the upcoming of economic espionage as a significant threat to Saudi Arabia’s cybersecurity and national security. The unrevealed threat of economic espionage to the Kingdom’s investments was adequately discussed, emphasizing particular economic aspects in the sense of considering the economic impact of this threat. A substantial part of the chapter was dedicated to examining the Economic Espionage Act of 1996 and other relevant conventions, particularly Paris convention in its clauses on unfair competition.
In addition, the chapter illustrated the significance of adopting a comparative approach to transplanting laws and regulations from the Economic Espionage Act of 1996 to Saudi Arabia by highlighting the provisions Saudi Arabia needs to protect from this Act. As part of the discussion on the legal implications of economic espionage in the Saudi context, it was important to explore the protection of the Saudi anti-cybercrime law. After reviewing the respective law in detail, the next step was to move toward emphasizing the need for Saudi Arabia to cover all aspects of the crime act. It has become important to take provisions of the Economic Espionage Act of 1996 into consideration, as a discussion of numerous notable and recent cases of economic/industrial espionage was included at the end of the chapter.
Based on the information presented in this chapter, it is essential to recognize the need to transform Saudi legislations pertaining to cybersecurity and the protection of important trade secrets. An important conclusion discussed in the chapter related to the link between rapid technological advancements and economic integration. Yet in the context of Saudi Arabia, the main problem is that national security agencies do not always present an accurate overview of national security threats such as the one of economic espionage. This leads to improper decisions being made in relation to the legal provisions associated with the protection of the trade secrets of numerous Saudi organizations.
As repeatedly noted throughout the chapter, Saudi Arabia needs to enforce a law of trade secrets in order to implement more effective and transparent measures in the fight against economic espionage. This means that greater clarity is needed in the Saudi context regarding the specificity of trade secrets and the requirements that should be met. As discussed in the chapter, trade secrets are those that have economic value and represent substantial efforts to safeguard the secrets. By following the examples set under the Economic Espionage Act of 1996, Saudi Arabia should have a larger and more refined scope of the specifics of trade secrets.
The Saudi regulations for the protection of confidential and sensitive business information are largely considered insubstantial. The legal requirements outlined in the Saudi anti-cybercrime law are not enough to accomplish the objectives of the proposed legal reform in the Kingdom in responding to the increasing threat of economic espionage. In improving the anti-cybercrime law in the country, a relevant recommendation would be to consider multiple definitions of trade secrets which will facilitate understanding of this phenomenon. At the same time, it should be noted that the protection of confidential and classified information would be different from one case to another. This can be explained with the diverse forms of trade secrets and measures considered for the protection of those secrets.
Another aspect that has been observed in the context of economic espionage is associated with the dominant position of unfair competition and the powerlessness attached to property rights. The Saudi regulations are focused on protecting trade secrets due to the existing threat of economic espionage. It has been noted that trade secret owners demonstrate their willingness to preserve the valuable information pertaining to these secrets. The legal mechanism related to the protection of trade secrets in Saudi Arabia should be revised in order to become more flexible and efficient.
The damages incurred by businesses as a result of economic espionage cannot be adequately assessed for only losses. The disclosure of trade secrets in Saudi Arabia will obviously lead to the loss of commercial value, as the latter will be used by competitors. Trade secret owners in the Kingdom should be provided with various remedies to ensure optimal protection against economic espionage. In this way, there will be fewer chances for the disclosure of such trade secrets.
In the context of improving Saudi Arabia’s laws related to the protection of trade secrets, appropriate statutory provisions should be considered. Since the Saudi law lacks a proper definition of trade secrets, it is crucial for the Saudi legal authorities to consider the provisions from the Economic Espionage Act of 1996 in relation to defining optimally trade secrets. Such definitions should be comprehensive enough to list all types of information classified as trade secrets. It is advisable to have a broad and a narrow definition of trade secrets considering the continuously changing circumstances that may lead to economic espionage.
Another provision that should be taken from the Economic Espionage Act of 1996 and applied to the Saudi legal context is associated with the precise cause of action and vital definitions. Key terms should be further clarified, particularly misappropriation, improper means, and cause of action. In other words, it is recommended to adopt the definitions provided under the Economic Espionage Act of 1996 for achieving greater clarity and consistency in the process of ensuring better protection of trade secrets.
As previously noted, the reforms targeting the Saudi legal system should be properly structured to consider the inclusion of more comprehensive remedies to recover from the disclosure of trade secrets. An extensive list of remedies should be explored by paying attention to the implications of monetary damages and injunctive relief. In this context, recovery damages may be related to actual loss. It can be concluded that the unrevealed threat of economic espionage to Saudi Arabia should encourage the Kingdom to seek more relevant options to update and improve its anti-cybercrime law. As a result, this threat can decrease in terms of intensity when it comes to disclosure of trade secrets in the Kingdom. Below is a summary of the recommendations provided to Saudi Arabia:
• To develop a law of trade secrets in order to ensure greater transparency in the Kingdom’s fight against economic espionage;
• To improve the protection of confidential and sensitive business information by considering multiple definitions of trade secrets as outlined in the Economic Espionage Act of 1996;
• To improve the flexibility and efficiency of the trade secret mechanism in Saudi Arabia by adapting major provisions of the Economic Espionage Act of 1996 to the Kingdom’s legal system;
• To provide various remedies to trade secret owners in the Kingdom in order to be protected against economic espionage through decreasing the risk of trade secret disclosure;
• To consider appropriate statutory provisions by consulting the provisions of the Economic Espionage Act of 1996;
• To properly structure the reforms of the Saudi legal system by considering major lessons obtained from notable cases of economic espionage
Bibliography
Almerdas, Suhail, 2014. “The Criminalisation of Identity Theft under the Saudi Anti-Cybercrime
Law 2007.” Journal of International Commercial Law and Technology, vol. 9, no. 2: 80-93.
Alqahtani, Saeed, 2016 [online] Cyber Crimes Committed by Social Media Users in Saudi
Arabia. Available at: https://www.tamimi.com/law-update-articles/cyber-crimes-committed-by-social-media-users-in-saudi-arabia/ [Accessed 26 July 2020].
Alsaif, Maryam, Nura Aljaafari, and Abdul Raouf Khan, 2015. “Information Security
Management in Saudi Arabian Organizations.” Procedia Computer Science, vol. 56: 213-216.
Alshammari, Tareq and Harman Singh, 2018. “Preparedness of Saudi Arabia to Defend against
Cyber Crimes: An Assessment with Reference to Anti-Cyber Crime Law and GCI Index.” Archives of Business Research, vol. 6, no. 12: 131-146.
Alsharif, Dimah, 2018 [online] How Saudis Are Protected against Cybercrime. Available at:
https://www.arabnews.com/node/1282571 [Accessed 26 July 2020].
Bodenhausen, G.H.C., 1968 [online] Guide to the Application of the Paris Convention for the
Protection of Industrial Property as Revised at Stockholm in 1967. Available at:
https://www.wipo.int/edocs/pubdocs/en/intproperty/611/wipo_pub_611.pdf [Accessed 10 July 2020].
Brenner, Joel, 2013. “Eyes Wide Shut: The Growing Threat of Cyber Attacks on Industrial
Control Systems.” Bulletin of the Atomic Scientists, vol. 69, no. 5: 15-20.
Bronk, Chris, and Eneken Tikk-Ringas, 2013 [online] Hack or Attack? Shamoon and the
Evolution of Cyber Conflict. Available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2270860 [Accessed 10 July 2020].
Capellupo, Lisa, 2015. “The Need for Modernization of the Economic Espionage Act of 1996.”
Journal of International Business and Law, vol. 15, no. 1: 59-85.
Casetext, 2018 [online] United States v. Sazonov. Available at:
https://casetext.com/case/unitedstates-v-sazonov [Accessed 26 July 2020].
Danielson, Mark, 2009. “Economic Espionage: A Framework for a Workable Solution.”
Minnesota Journal of Law, Science & Technology, vol. 10, no. 5: 503-548.
Dehlawi, Zakariya, and Norah Abokhodair, 2013 [online] Saudi Arabia's Response to Cyber
Conflict: A Case Study of the Shamoon Malware Incident. Available at:
https://ieeexplore.ieee.org/document/6578789 [Accessed 10 July 2020].
Doyle, Charles, 2016 [online] Stealing Trade Secrets and Economic Espionage: An Overview of
the Economic Espionage Act. Available at: https://fas.org/sgp/crs/secrecy/R42681.pdf [Accessed 10 July 2020].
Dreyfuss, Rochelle and Orly Lobel, 2016. “Economic Espionage as Reality or Rhetoric:
Equating Trade Secrecy with National Security.” Lewis & Clark Law Review, vol. 20: 419-475.
Education Center, 2014 [online] Protecting Inventions Internationally-Paris Example. Available
at: https://ladas.com/education-center/protecting-inventions-internationally/ [Accessed 10 July 2020].
Johnson, Leighton, 2015. Security Controls Evaluation, Testing, and Assessment Handbook.
Berkeley, CA: Elsevier.
Kingdom of Saudi Arabia Bureau of Experts at the Council of Ministers, 2009, “Anti-Cyber
Crime Law, Royal Decree No. M/17/ 26 March 2007.” Official Translation Department.
Trade Secrets Institute, 2012 [online] United States v. Agrawal. Available at:
http://tsi.brooklaw.edu/cases/united-states-v-agrawal [Accessed 26 July 2020].
Trade Secrets Institute, 2012 [online] United States v. Kolon Industries, Inc. et al. Available at:
http://tsi.brooklaw.edu/cases/united-states-v-kolon-industries-inc-et-al [Accessed 26 July 2020].
Trade Secrets Institute, 2013 [online] United States of America v. Clark Alan Roberts and Sean
Edward Howley. Available at: http://tsi.brooklaw.edu/cases/united-states-america-v-clark-alan-roberts-and-sean-edward-howley [Accessed 26 July 2020].
Trade Secrets Institute, 2018 [online] United States of America v. United Microelectronics
Corporation, et al. Available at: http://tsi.brooklaw.edu/cases/united-states-america-v-united-microelectronics-corporation-et-al [Accessed 26 July 2020].
U.S. Attorney’s Office, 2014 [online] Walter Liew Sentenced to 15 Years in Prison for Economic
Espionage. Available at: https://www.fbi.gov/contact-us/field-offices/sanfrancisco/news/press-releases/walter-liew-sentenced-to-15-years-in-prison-for-economic-espionage [Accessed 26 July 2020].
Watkins, Bryan, 2014 [online] The Impact of Cyber-Attacks on the Private Sector. Available at:
http://www.amo.cz/wp-content/uploads/2015/11/amocz-BP-2014-3.pdf [Accessed 10 July 2020].
Wazzan, W., 2018. “Updating the Law of Trade Secrets in Saudi Arabia.” Indonesian Journal of
International & Comparative Law, vol. 1: 43-73.
Western Region Security Office, n. d. [online] Notable Industrial Espionage Cases. Available at:
https://www.wrc.noaa.gov/wrso/security_guide/industry.htm#:~:text=Plant%20Cell%20Culture%20Technology&text=Ho%2C%20naturalized%20U.S.%20citizens%2C%20were,culturing%20Taxol%20from%20plant%20cells.&text=Chou%20contacted%20a%20technological%20information,to%20obtain%20the%20Taxol%20technology. [Accessed 16 July 2020].
Whitman, Michael, and Herbert Mattord, 2017. Management of information security. Boston,
MA: Cengage Learning.
Sample Solution