Black Hats Look for Low Hanging Fruit: Law firms are the new target for IP theft

hacker-laptop-hoodieAs an Agency of the Department of Commerce, the United States Patent and Trademark Office (USPTO) in Alexandria, Virginia holds and maintains some of the nation’s most important and vital information. The 11-building campus holds more than 10,000 people and issues more than 150,000 patents and trademarks a year. The intellectual property (IP) contained in these patents represents great value to those who created the IP and is of great interest to a number of individuals who did not. The security of the information held by the USPTO is one of the greatest challenges the Federal Government faces. This is a challenge the USPTO addresses thousands of times a day, every day of the year – and one it will likely face forever.

Since the move to Alexandria, the USPTO has changed many of the day-to-day aspects of security. There are multiple levels of facility security: badging all visitors and employees, airport-level screening of everyone who enters the facility, video monitors and managed entrance and egress. But the USPTO has also created an increasingly sophisticated cyber security defense system to protect the nation’s patents and related information. In this multi-layered system, the USPTO guards against virtually every possible type of intrusion, protecting their systems against a multitude of potential denizens, from lone wolf to suspected nation-state Advanced Persistent Threat (APT) attackers.

 

Upstream Targets

The successful and persistent efforts of the USPTO to protect the information it holds can be a double-edged sword for IP attorneys and their law firms. Even though the USPTO is a constant target for the ‘bad guys’, its sophisticated data security efforts can force nefarious actors to seek easier access to the information they want.

Many times, when frustrated attackers are unable to gain entry to the USPTO, they go looking elsewhere for IP and related information. Unfortunately, this has led to an increase in the number of direct attacks to the corporate networks of the IP owners and increasingly, these actors are attacking the law firms working with corporate clients to develop and submit patent applications.

 

Law Firm Security

Compared to the USPTO, or even corporations, most law firms are easy targets and the client IP on their networks is low hanging fruit that is all too easily harvested. Too many law firms still view ‘reasonable’ security as signature-based (passwords) access and malware protection, like McAfee, as good enough. Today, it is not nearly enough.

What is enough? Without question, and perhaps most importantly, constant vigilance on the human side of the equation is vital to the success of any security plan. Most security breaches occur as the result of human ‘error’. An active security plan, and policies that are reviewed, modified and monitored with an awareness of each individual’s responsibilities is paramount. At the least, it should include simple practices like requiring aggressive password procedures and educating employees about cyber dangers, such as spear phishing attacks.

Law firms have begun to adjust to the dangerous cybersecurity environment they operate in. Today, law firms require layers of security, one often overlapping the functionality of the other, to protect against unwanted intrusion. Risk-based identity authentication has replaced signature-based password access, and best practices have replaced taping the passwords on the monitor or inside a drawer.

However, more must be done. Now, intrusion protection and detection must exist on the endpoint as well as on the network and must be constantly upgraded to stave off advanced and dangerous actors. It’s a different and scary world out there, and all attorneys must do everything they can to protect their client’s intellectual assets.

This is the first article, in a series of three postings designed to help lawyers become more knowledgeable in the area of cyber security. In the next article, we will describe what is ‘reasonable’ today and outline some ‘basic’ tools lawyers need as a minimum defense. The third article in this series will describe more ‘advanced’ approaches: additional layers law firms may employ to increase their internal defense.

Evolver provides IT, cyber security and litigation support to Federal, Commercial and Legal Clients and will be showcasing a variety of cyber technologies at their Cyber Security Technology Forum on May 12th in Washington, DC. Register Online.

The Author

Ellen Blanchard, Esq. & Rodney Blake

Ellen Blanchard, Esq. & Rodney Blake   

Ellen Blanchard is the associate general counsel and director of eDiscovery consulting for Evolver. Ms. Blanchard brings deep knowledge of the intersection of litigation, big data and technology. Ellen regularly works with clients from a wide variety of industries to help them assess, select and implement enterprise technology to support their legal and compliance needs. Prior to joining Evolver, Ms. Blanchard was an associate at Boies, Schiller & Flexner LLP, where she represented several Fortune 50 companies in a variety of complex litigation matters.

Ms. Blanchard earned her J.D. from American University, and Bachelor's degrees in International Business, Japanese Studies and Psychology from Ohio Wesleyan University. She is admitted to the Washington State Bar, Virginia Bar, and District of Columbia Bar.

Rodney Blake is the Program Manager for Evolver’s contract with the United States Patent and Trademark Office (USPTO). He is responsible for the personnel, budget and strategy of network and security operations. Mr. Blake has over twenty years of experience in the information technology field. Prior to USPTO and 2010 Census contracts with Evolver, Mr. Blake spent five years at Freddie Mac, lastly as an Operational Risk Management Director. He holds an MBA from Virginia Tech and a Bachelor of Engineering Technology from University of South Florida.

Warning & Disclaimer: The pages, articles and comments on IPWatchdog.com do not constitute legal advice, nor do they create any attorney-client relationship. The articles published express the personal opinion and views of the author and should not be attributed to the author’s employer, clients or the sponsors of IPWatchdog.com. Read more.

Discuss this

There are currently 4 Comments comments.

  1. Michael May 5, 2015 6:38 am

    I must be missing something. Patents (and patent applications, after 18 months) are by their nature public documents. Why would “the bad guys” want to hack into the USPTO to target “the intellectual property contained in these patents” when the IP is published? The “great value” of patents is protected by legal enforcement of exclusive IP rights, not by data security measures.

  2. John White May 5, 2015 8:49 am

    Many applications do not publish. For example, provisionals and designs, and some folks routinely opt out of publication. Lastly, in the real world 18 months is a long time! Any advantage is leverage.

  3. Gene Quinn May 5, 2015 10:21 am

    Michael-

    As John White points out, patent applications do not publish until 18 months after the earliest priority date. During the time there is no publication the application can remain a trade secret provided the applicant does not publish or disclose. Even when a company discloses that they have filed an application via press release I can tell you first hand that it is practically impossible to get any useful information about the underlying technology until the patent application publishes. They refuse to say anything, which makes the many press releases touting filings of dubious value to say the least.

    In the world of investing having any kind of an advantage can translate into big money. Furthermore, if you know a company has filed an application on an exciting innovation you can rest assured that there is other information they possess that was not incorporated into the application.

    -Gene

  4. Karen Bannan May 5, 2015 11:26 am

    This just shows how important it is to be covering all your bases and making sure you’re ahead of the criminals — not behind them. There’s a great FireEye blog that looks at how to judge the success of your security measures: http://bit.ly/1D2nEvR

    But the end result is really that security needs to be more proactive than reactive. And right now most organizations function in a reactive way.

    –KB

    Karen J. Bannan, commenting on behalf of IDG and FireEye.

    –KB