As an Agency of the Department of Commerce, the United States Patent and Trademark Office (USPTO) in Alexandria, Virginia holds and maintains some of the nation’s most important and vital information. The 11-building campus holds more than 10,000 people and issues more than 150,000 patents and trademarks a year. The intellectual property (IP) contained in these patents represents great value to those who created the IP and is of great interest to a number of individuals who did not. The security of the information held by the USPTO is one of the greatest challenges the Federal Government faces. This is a challenge the USPTO addresses thousands of times a day, every day of the year – and one it will likely face forever.
Since the move to Alexandria, the USPTO has changed many of the day-to-day aspects of security. There are multiple levels of facility security: badging all visitors and employees, airport-level screening of everyone who enters the facility, video monitors and managed entrance and egress. But the USPTO has also created an increasingly sophisticated cyber security defense system to protect the nation’s patents and related information. In this multi-layered system, the USPTO guards against virtually every possible type of intrusion, protecting its systems against a multitude of potential adversaries, from lone wolves to suspected nation-state Advanced Persistent Threat (APT) attackers.
The successful and persistent efforts of the USPTO to protect the information it holds can be a double-edged sword for IP attorneys and their law firms. Even though the USPTO is a constant target for the ‘bad guys’, its sophisticated data security efforts can force nefarious actors to seek easier access to the information they want.
Many times, when frustrated attackers are unable to gain entry to the USPTO, they go looking elsewhere for IP and related information. Unfortunately, this has led to an increase in the number of direct attacks on the corporate networks of the IP owners. Increasingly, these actors are also attacking the law firms working with corporate clients to develop and submit patent applications.
Law Firm Security
Compared to the USPTO, or even corporations, most law firms are easy targets, and the client IP on their networks is low-hanging fruit that is all too easily harvested. Too many law firms still view signature-based (password) access and malware protection, like McAfee, as ‘reasonable’ security that is good enough. Today, it is not nearly enough.
What is enough? Without question, and perhaps most importantly, constant vigilance on the human side of the equation is vital to the success of any security plan. Most security breaches occur as the result of human ‘error’. An active security plan, with policies that are reviewed, modified and monitored with an awareness of each individual’s responsibilities, is paramount. At the least, it should include simple practices like requiring aggressive password procedures and educating employees about cyber dangers, such as spear phishing attacks.
Law firms have begun to adjust to the dangerous cybersecurity environment they operate in. Today, law firms require layers of security, one often overlapping the functionality of the other, to protect against unwanted intrusion. Risk-based identity authentication has replaced signature-based password access, and best practices have replaced taping the passwords on the monitor or inside a drawer.
However, more must be done. Now, intrusion protection and detection must exist on the endpoint as well as on the network and must be constantly upgraded to stave off advanced and dangerous actors. It’s a different and scary world out there, and all attorneys must do everything they can to protect their clients’ intellectual assets.
This is the first article in a series of three postings designed to help lawyers become more knowledgeable in the area of cyber security. In the next article, we will describe what is ‘reasonable’ today and outline some ‘basic’ tools lawyers need as a minimum defense. The third article in this series will describe more ‘advanced’ approaches: additional layers law firms may employ to increase their internal defense.
Evolver provides IT, cyber security and litigation support to Federal, Commercial and Legal Clients and will be showcasing a variety of cyber technologies at their Cyber Security Technology Forum on May 12th in Washington, DC.