Cyber Espionage: Legal Considerations for the Private Sector

APT32 (OceanLotus Group) – a cyber espionage group whose operations are aligned with Vietnamese state interests and who recently was observed carrying out intrusions into private sector companies across multiple industries – is a perfect example of a threat group that is widely successful despite limited technological investment.

The number of countries carrying out highly effective low-cost cyber operations is on the rise, and private sector organizations – regardless of industry vertical – need to be particularly aware of the cyber threat from emerging nation states. Whenever a significant cyber espionage group such as APT32 is identified, especially one that is associated with a nation state, private sector companies face potential legal ramifications.

To help get organizations thinking about the potential legal issues that could arise from newly identified threat actors, FireEye, in conjunction with full-service law firm Pillsbury Winthrop Shaw Pittman, has come up with some questions that organizations should be asking:

  • Does the threat actor’s host country now constitute a known “cyber hostile environment,” requiring companies to take additional security measures to protect any information systems they have in the country or that their employees may bring along on travel?
  • Will the newly identified cyber espionage group become subject to possible sanctions put in place by the U.S. government, thereby limiting the ability of private sector companies to do business with that state?
  • Should threat assessments, including the collection and analysis of shared threat information, be modified to take into consideration the threat posed by the newly identified cyber espionage group (and thereby limit possible legal exposures)?
  • Should private sector companies reassess the terms and conditions used with companies involved in their global supply chain, particularly those components that are either located in or impacted by the newly identified cyber espionage group?
  • How involved should executive leadership be in deciding if additional security measures need to be implemented surrounding business ventures that may be affected by this threat intelligence?

Although this list is not exhaustive, it illustrates the types of legal issues that a private sector company should consider when a new cyber espionage group is identified. We recommend organizations have procedures in place to identify the risks posed by any new cyber threat and that they implement appropriate legal and technical management measures.

For more information, please contact the FireEye team at cyberrisk@fireeye.com or Brian Finch at Pillsbury at brian.finch@pillsburylaw.com.