Did you know April 26th is World IP Day? It was designated by the member states of WIPO, the IP forum of the United Nations, to increase the general understanding of intellectual property and how it enables technological innovation.
Let’s celebrate with a roundup post. Perhaps you enjoyed the recent discussion on this blog with GE Gas Power cybersecurity researchers Hillary Fehr and Chris Babie of the challenges involved with protecting IP in manufacturing? Or the insights shared by Markus Fischer, VP Engineering at ZF Group’s Active Safety Systems division, into IP theft and IP protection of CAD files in the automotive industry?
We know we did. For this World IP Day post, we asked more IP protection thought leaders what they think the biggest challenge is for manufacturers battling IP theft. Read their responses below:
“Fair is where you take your kids to eat cotton candy”
G. Mark Hardy, President, National Security Corporation
For manufacturing companies, the fight against IP theft is complicated by:
- lack of uniform laws throughout the world
- governments that “borrow” IP and control their own courts
- the expense of onshore manufacturing in the US
There is no “international patent.” To protect IP, one must file separately in each jurisdiction. Fees, different processes, and delays consume years while market opportunity erodes. Further, few comprehend the expenses and logistics involved in defending a patent overseas. Holding a patent only conveys the right to make a lawyer wealthy. It is no guarantee against unethical behavior.
Allegations of nation-states “borrowing” technology are well-founded. SolarWinds, Hafnium, and next week’s breach-to-be-discovered combine to yield varying estimates in the hundreds of billions of dollars.
Yet few executives invest in defenses against a phalanx of professional uniformed hackers. Contractors to the US Department of Defense (DoD) are getting religion in 2021, as failure to properly implement NIST SP 800-171 will result in sudden revenue loss. DoD realizes that wars are won on battlefields, not courtrooms. Denying unauthorized access to IP is the best form of offense.
Why not just manufacture everything domestically? In a word, cost. Salaries, benefits, regulation, liability, and lawsuits all encourage taking on the risk of overseas manufacturing. This creates a vicious cycle of race-to-the-bottom cost to beat out foreign competitors in a global market, who are enabled to achieve low cost without R&D expense through IP theft. Tariff wars offer temporary sanctuary but ultimately have adverse secondary effects.
Bottom line — don’t expect others to be fair. Fair is where you take your kids to eat cotton candy. The best offense is a powerful defense. Protect leading-edge IP like your life depended on it and relegate the other 95% to cheap manufacture.
Combine your protected, domestically managed IP at final assembly, and build in anti-tampering / anti-theft to drive up the cost of theft as much as possible.
You can’t totally prevent IP theft, but you can make the other guy have to work damn hard to earn a paycheck.
About the author:
G. Mark Hardy (LinkedIn profile) is founder and president of National Security Corporation, providing cyber security expertise to government, military, and commercial clients for over 35 years. A retired U.S. Navy Captain, he was entrusted with nine command tours throughout his career. A co-host of the CISO Tradecraft podcast, Mr. Hardy has presented at hundreds of events worldwide, providing thought leadership over a range of security fields. A graduate of Northwestern University, he holds a BS in computer science, a BA in mathematics, a master’s in business administration, a master’s in strategic studies, and holds the CISSP, CISM, GSLC, and CISA certifications.
From trusted employee to thief: When did they flip?
Josh Linder, Principal Value Consultant at OpenText
The “biggest challenge” when battling IP theft? It’s really three things that come together in the end.
The first challenge is knowing where content exists. You can’t protect what you don’t know. With a greater focus on electronic tools and the cloud, information is everywhere, and normally poorly classified and secured. The irony is that employees and trusted parties often struggle to find data, and then are much more haphazard than attackers, who clean up nicely and cover their tracks.
Second, detecting insider threats poses a particular challenge. Organizations struggle to determine who “flipped” from being trusted to thief now (and when did they “flip”?). The reasons for insider theft (of intellectual property) are many. They tend to result from selfish motives (profit, vandalism, or, as a growing vector, disagreement with corporate social justice positions).
The final challenge is the one which people most often jump to first – blocking external threat actors. However, the work of external adversaries is not a single challenge – it is the culmination of inadequate protections against IP theft, rather than the root cause.
Tracing external threat actors to their origin is nearly impossible. Stopping them – taking action – is even harder. China, India, and Russia are cited as the most common origins of illegal IP usage, but talented, well-funded thieves are spread across the globe.
Many foreign countries are ripe for theft, since they give little credit to intellectual property rights and patents, with difficult legal systems favoring local firms over companies from abroad. Stealing and using recipes, plans, and fabrications is profitable and benefits everyone but the rightful owner.
In summary – the three parts of the challenge are: 1) knowing where the IP lives, 2) understanding internal threats, and 3) guarding against external risks.
About the author:
Josh Linder (LinkedIn profile) is a principal value consultant at OpenText, the leader in information discovery. He has over 20 years in cyber security, information management, marketing and business strategy. Josh previously advised security startups in the areas of marketing, business development, sales, and architecture.
“IP risks don’t get no respect “
Paul Rohmeyer, Stevens Institute of Technology School of Business
Large-scale consumer data breaches are regularly chronicled by business media. However, risks to intellectual property don’t seem to get the same attention and scrutiny. Despite IP’s high intangible business value, this may be one of the most significant inhibitors to securing IP.
IP and consumer data are both intangible assets. Without proper monitoring, leakage of either can go unnoticed. In both cases, data owners and custodians are victimized without their knowledge, as neither are deprived of their respective data assets in a breach (exception: ransomware attacks).
Manufacturing organizations, by nature, are built upon foundations of innovation. They are the product of sustained focus on research and development as well as obtaining new IP via business acquisitions. It is hard to overstate the importance of protecting the IP base accumulated by most manufacturing enterprises, because the impact from IP theft can be substantial.
Lost business opportunities, disrupted customer relationships, and reputational damage can have catastrophic effects on an enterprise in the long term. The immediate dangers are considerable as well. One example is a reduction in company value. This could influence merger and acquisition discussions, as well as stock valuation.
So why does battling IP theft still present such a challenge? The answer lies in the complexities of our interconnected IT and supply chain environments. This may also be why IP theft doesn’t get the same media attention as, say, major ransomware attacks.
Starting with a data inventory may be fundamental in theory. In practice, it proves uniquely challenging for many manufacturers and often requires specialized technical capabilities. Ideally, the identification of IP assets that need protection stretches across the increasingly complex supply chains to account for third-party risks.
Knowing where IP resides allows organizations to focus their IP protection and IP theft prevention resources more precisely on the most valuable assets. To accomplish this, organizations can rely on fundamental risk management techniques, starting with identification of IP in all forms and locations, both logical and physical.
The clear threats to IP, commonly known cyber risks, and substantial consequences of IP breaches need to guide the creation of an appropriate controls architecture. On the operational level, this will enable more active monitoring for signs of an attempted breach. Deployed strategically, its capabilities provide a critical basis for periodic re-evaluations of specific risks to IP.
About the author:
Paul Rohmeyer (LinkedIn profile) is an Associate Teaching Professor at the Stevens Institute of Technology School of Business in Hoboken, New Jersey.
“Growing focus on regulatory compliance”
Dr. Emma Bickerstaffe, Senior Research Analyst, Information Security Forum (ISF)
Manufacturers have long been aware of the need to protect intellectual property, as it is often information of great value to the business that would cause a major impact if compromised.
However, efforts to secure IP have recently come under intense regulatory scrutiny, with a host of legal obligations that manufacturers must now adhere to as their IP traverses a tangled web of suppliers.
Legislative reform has meant that manufacturers are not only subject to stringent data protection laws, but must also comply with legislation that specifically governs the protection of trade secrets – a form of IP.
In the European Union, for instance, member states have all enacted legislation to implement the EU Trade Secret Directive into domestic law. In several jurisdictions, this marked the introduction of the first statutory definition of a trade secret, imposing strict legal requirements for confidential business information to qualify as a trade secret and benefit from legal protection.
This growing focus on regulatory compliance has compelled manufacturers to put in place technical, organizational, and contractual measures to safeguard their IP against cyber theft, corporate espionage, and misappropriation.
While a hefty challenge in itself, the real challenge lies in making sure IP receives the same level of protection when it is shared with third parties, such as business partners, suppliers and customers. Identifying exactly who has access to this sensitive data and how it is handled is a vital first step for manufacturers to protect their IP from adversaries and maintain their competitive advantage.
About the author:
Emma Bickerstaffe (LinkedIn profile) is a Senior Analyst at the Information Security Forum, leading its research on cyber insurance, information security laws and regulation, data leakage prevention and building successful SOCs. Prior to joining the ISF, Emma worked for the New Zealand Government, providing policy advice on defense and security issues. Emma holds a PhD in international law from the University of Cambridge.
For more information on document protection and enterprise digital rights management, and to learn about the steps manufacturing companies take to counter IP theft, check out IP Theft in the Automotive Industry: 10 Tips to Counter the Insider Threat on this blog.
Would you like to be included in Fasoo’s next IP protection-related roundup post? Drop us an email !