“Never mistake activity for achievement.”
— Coach John Wooden
We’ve all seen him when driving by the strip mall. Trying to focus on the traffic, our eyes are diverted by “Tube Man,” a 10-foot tall hollow, collapsible stick figure with a fan at the bottom, adjusted so that the body repeatedly folds and then jumps upright, with arms whipping around in a constant frenzy, trying to grab our attention. And that’s the point. Tube Man accomplishes nothing except to demand that we look at what he’s doing.
I was led to Tube Man by a search for “flailing,” a word that seemed an apt label for a spate of new legislation introduced by politicians climbing on top of each other to showcase their zealous antipathy to China. More on that in a minute; but first let’s consider what “flailing” means. It’s a pretty interesting word, and it makes a perfect metaphor.
The original use of “flail” was as a noun, derivative of the Latin flagellum, to describe a threshing tool made of a handle with a “free-swinging stick” loosely attached to the end. The idea was to just wave the thing around and it would end up knocking the grains off the stalk. It didn’t much matter exactly how you moved, so long as you did it with a lot of energy. Now we use machines for threshing, and most of us are not farmers; but we have kept the word, to describe “aimless or ineffectual efforts.”
And that, in my view, describes very well the recent rush of legislative attempts to punish China. That is not to say that China is our best friend. We are in serious competition, and it’s obvious that our leading position in some critical technologies has been targeted. That “giant sucking sound” you hear in the direction of China may be some cutting-edge secrets being displaced. We should be deeply concerned. We need a thoughtful, long-term strategy to respond.
Instead, what’s happening looks more like theater. Here’s the playbill. Early this year, Senator Chris Van Hollen (D-MD) re-introduced the “Protecting American Intellectual Property Act of 2021,” which had passed the Senate in December. It would require the President to impose trade sanctions on “foreign persons” engaging in “significant theft” of U.S. trade secrets, including freezing property and banning visas of individuals and putting companies on the “Entities List” (which makes it hard to do business in the United States). It did not include any path for appeal to the courts.
In April, Senator Lindsey Graham (R-SC) proposed “The Combating Chinese Purloining (CCP) of Trade Secrets Act.” (In his press release he included that parenthetical in the title, presumably to draw attention to the clever word choice that matched the acronym for the Chinese Communist Party.) This bill would have increased jail time for trade secret theft from five to 20 years, and companies found to have participated in or benefited from such theft would be barred from applying for any U.S. patents (any patents, not just related ones). It would also have denied visas to Chinese nationals wanting to pursue graduate studies in certain technical fields.
In May, Senator Chuck Grassley (R-IA) introduced the “Stop Theft of Intellectual Property Act of 2021,” which would bar admission to the United States (or deport them, if already here) of anyone who violates or evades export control laws or commits trade secret misappropriation.
Many aspects of these proposals came together earlier this month, when the Senate passed, with a large bipartisan majority, the “United States Innovation and Competition Act.” Weighing in at 2,376 pages, the omnibus measure contained other bills that were directed at increased government investment in cutting-edge technologies: the “Endless Frontier Act” and the “Strategic Competition Act.” But plenty of room was left for the “Meeting the China Challenge Act of 2021,” which followed the approach of the Van Hollen bill, only with a longer list of sanctions and a requirement that the President must choose at least five from the list (I’m not making that up.)
Separately from this massive omnibus bill, Senators John Cornyn (R-TX) and Chris Coons (D-DE) introduced legislation to create a new committee within the International Trade Commission with the power to perform a very quick (30 days) investigation and then block imports into the country that “contain, were produced using, benefit from, or use any trade secret acquired through improper means or misappropriation by a foreign agent or foreign instrumentality.” Lest we wonder what specific countries the authors had in mind, they inelegantly named the bill the “Stopping and Excluding Chinese Rip-offs and Exports of the United States Trade Secrets Act.”
Even state politicians are jumping on the bandwagon. In the last few weeks, the Florida legislature passed by unanimous vote the “Combating Corporate Espionage in Florida Act,” which makes trafficking in trade secrets a serious felony, with enhancements if it is for the benefit of a foreign government. While lawyers express concern about how the risk of false accusations will discourage labor mobility and harm the economy, Florida’s governor announced his support for the law as a “major pushback against China” in response to its alleged coverup of the origins of the COVID-19 pandemic, as well as to its “infiltration” of universities and companies to steal trade secrets.
Back in 1998, I was part of a delegation of officials, scholars and industry representatives that visited China to help celebrate the opening of its Intellectual Property Training Center in Beijing. The facility was very impressive, and we were told that 600 people a month were receiving instruction in how to work with the country’s new IP systems. This was in the run-up to China’s bid to join the new World Trade Organization (WTO), and I can remember some in the U.S. group who were skeptical that all this activity was just for show, and that China didn’t really intend to make IP a priority.
As it turned out, not only did China join the WTO but it also built a world-class legal and administrative framework for IP rights. Nevertheless, a lot remains to be done, and special challenges persist, particularly in securing even-handed treatment of foreign companies that want to do business in China. Concerns about economic espionage and forced transfer of know-how are legitimate and need to be addressed. It seemed that we were on our way to dealing with a number of these issues through the negotiations that led to the Phase One Agreement early in 2000.
But at the multilateral level – that is, at the WTO, where sovereign countries are supposed to meet, iron out trade problems, and actually sue one another through a carefully negotiated dispute resolution process – the United States has more or less walked away. We have also withdrawn from the one regional trade agreement, the Trans Pacific Partnership (TPP), that we had proposed in order to offset China’s growing economic power in Asia. Simply put, we are not engaging with China.
Some commentators in and outside government suggest that the rise of China will necessarily lead to a “decoupling” of the world’s two largest economies, and that this is appropriate, given China’s anti-democratic approach to governance. But before we allow things to slip that far, we should consider very carefully how the world has benefited from increased trade in the years before tariffs were imposed, and the value of working within institutions like the WTO and agreements like the TPP.
Passing laws that can impose new trade sanctions, freeze property, and even deny companies access to our patent office might help us feel as though we’re solving a serious problem. But we could be creating more problems, as other countries like China watch what we’re up to and pass similar laws targeting U.S. businesses.
Addressing serious issues of IP theft should not lead us into our own corners where we vent and issue pronouncements, making political points with strong rhetoric. To actually achieve progress, we need to engage directly with China, ensuring that it keeps its commitments to respect IP rights and provide fair enforcement. Nothing less than global prosperity is at stake.
The Biden administration recently announced its support for a proposal before the World Trade Organization that would suspend the intellectual property protections on Covid-19 vaccines as guaranteed by the landmark TRIPS Agreement, a global trade pact that took effect in 1995.
The decision has sparked furious debate, with supporters arguing that the decision will speed the vaccine rollout in developing countries. The reality, however, is that even if enacted, the IP waiver will have zero short-term impact—but could inflict serious, long-term harm on global economic growth. The myopic nature of the Biden administration’s announcement cannot be overstated.
Even if WTO officials decide to waive IP protections at their June meeting, it’ll simply kickstart months of legal negotiations over precisely which drug formulas and technical know-how are undeserving of IP protections. And it’s unthinkable that the Biden administration, or Congress for that matter, would actually force American companies to hand over their most cutting-edge—and closely guarded—secrets.
As a result, the inevitable foot-dragging will cause enormous resentment in developing countries. And that’s the real threat of the waiver—precisely because it won’t accomplish either of its short-term goals of improving vaccine access and facilitating tech transfers from rich countries to developing ones. It’ll strengthen calls for more extreme, anti-IP measures down the road.
Experts overwhelmingly agree that waiving IP protections alone won’t increase vaccine production. That’s because making a shot is far more complicated than just following a recipe, and two of the most effective vaccines are based on cutting-edge discoveries using messenger RNA.
As Moderna Chief Executive Stephane Bancel said on a recent earnings call, “This is a new technology. You cannot go hire people who know how to make the mRNA. Those people don’t exist. And then even if all those things were available, whoever wants to do mRNA vaccines will have to, you know, buy the machine, invent the manufacturing process, invent creation processes and ethical processes, and then they will have to go run a clinical trial, get the data, get the product approved and scale manufacturing. This doesn’t happen in six or 12 or 18 months.”
Anthony Fauci, the president’s chief medical adviser, has echoed that sentiment and emphasized the need for immediate solutions. “Going back and forth, consuming time and lawyers in a legal argument about waivers—that is not the endgame,” he said. “People are dying around the world and we have to get vaccines into their arms in the fastest and most efficient way possible.
Those claiming the waiver poses an immediate, rather than long-term, threat to IP rights also misunderstand what the waiver will—and won’t—do.
The waiver petition itself is more akin to a statement of principle than an actual legal document. In fact, it’s only a few pages long.
As the Office of the United States Trade Representative has said, “Text-based negotiations at the WTO will take time given the consensus-based nature of the institution and the complexity of the issues involved.” The WTO director-general predicts negotiations will last until early December.
That’s a lot of wasted time and effort. The U.S. Trade Representative would be far better off spending the next six months breaking down real trade barriers and helping export our surplus vaccine doses and vaccine ingredients to countries in need.
When this waiver inevitably fails to boost production, supporters won’t meekly back off. No, they will step up their haranguing of the United States for having failed to deliver on its supposed promise. There will be lots of yelling and recrimination, and what the Biden administration surely intended as a relatively toothless show of solidarity will instead end up being seen as just another rich country head fake.
That’s a problem for all of us who deeply care about the state of global IP policy, because the damage will be worse and longer-lasting than a diplomatic donnybrook. The United States worked for many years to ratify TRIPS, and since then has been pushing back on the populist anti-IP agenda and trying to convince the rest of the world that robust IP regimes can deliver economic development over the long run. Now much of that work will be undone in the process of this chaotic, and ultimately fruitless, waiver discussion.
“Be careful what you ask for because you just might get it.”
— Anonymous
All the fuss surrounding the proposal by India and South Africa to suspend the TRIPS Agreement to help them produce vaccines to fight COVID-19 has obscured some critical truths. In spite of the rallying cry “Patents versus People,” it’s not really about patents. And merely lifting TRIPS obligations will do nothing to address the current suffering of the world’s poorer populations. In fact, it would hamper efforts to secure global distribution of vaccines, as well as cause real harm in the long term.
The Biden Administration has embraced the proposal in principle and has received plaudits for what many see as a humanitarian and diplomatic breakthrough: choosing people over patents. So how could something that looks so right be so wrong?
First, we have to understand what the TRIPS Agreement is and isn’t. Stay with me here. I know that treaties can be boring, but this one is more important than you may realize.
Since their introduction in 15th century Venice, patents have been strictly territorial, a grant of rights that stops at the country’s border. Indeed, if you found some invention being used in another country, you could bring it back home and get a patent even though you weren’t an inventor at all. We didn’t care much about what was going on next door, just what would benefit the local economy.
Beginning in the late 19th century, as global commerce got seriously underway, a spate of treaties made it easier to claim inventions – and other intellectual property – in multiple countries. For patents, the high-water mark of this business-driven improvement came in 1978 with the Patent Cooperation Treaty (PCT), which bound all signatory countries to accept the priority date of an invention filed in another member country, so long as it was presented within 30 months. This is one of those international treaties that actually works in a practical way to speed the spread of innovation around the world.
But still, patents and other IP protections are decided under national laws, and variations from one country to the next in the scope of rights – especially in enforcement – continued to cause a lot of inefficiency for companies trying to build global markets. So back in the early 1990s, when we all thought tariffs were bad and globalization was good, when everyone seemed to believe that a rising tide of cross-border commerce would lift all national economies, the United States led an effort to establish the agreement that would come to be known as TRIPS, for Trade-Related Aspects of Intellectual Property Rights.
Here’s the thing to remember about TRIPS: it only creates obligations of governments to pass laws supporting intellectual property rights of various kinds: patents, copyrights, designs, trademarks, and trade secrets. It doesn’t affect the private ownership of those rights. That’s an important distinction, especially for trade secrets (or “undisclosed information” as it’s called in TRIPS), because unlike the other “registered” rights, it doesn’t depend on a government grant. It just requires a legal system that enforces confidentiality.
The provisions of TRIPS were not new for industrialized countries. But for the developing world the agreement represented a tradeoff: adopt our framework for protecting IP (including our own, like drug patents), and you’ll get the benefit of increased wealth and productivity that comes with joining the club we’re going to call the World Trade Organization.
What seemed to sell this deal was the expectation that “technology transfer” from industrial north to agricultural, extractive south would happen as a result. Remember that phrase “technology transfer,” because it’s at the hidden heart of the current waiver proposal. You see, published patents are available for anyone to read and learn from, and developing countries still have the option to compel licenses from patent owners if needed to address serious domestic needs, including pandemics. But patents are only a part of most stories of technology transfer, because in order to actually build the factory and produce the goods, you need to know more than what’s in the patents.
When I managed the PCT in Geneva, I heard a lot about this from developing country delegates to WIPO. They expressed great disappointment in how TRIPS seemed to be a “bait and switch” scam, in which the promised benefit never materialized. Patents are fine, but that doesn’t tell you how to adjust the dials on the machines to get the best outcomes. They thought they would be getting all that “know-how,” too.
For some traditional pharmaceuticals, this lack of know-how may not be a showstopper. The patent claims may describe a particular small molecule that provides a certain therapeutic effect. If you already know how to make pills, then manufacturing it can sometimes be relatively straightforward. Sometimes, but not always.
Moreover, biopharma generally, and mRNA vaccine technology in particular, are quite different from traditional drugs. Developing a process to reliably produce these medications at scale is astonishingly difficult and depends on years of experimentation involving cell growth times, temperatures, and other variables. That body of knowledge represents the trade secrets of the developers. It is enormously valuable, and not just for making COVID-19 vaccines. Creating other therapeutics based on the mRNA platform would be much easier and quicker with the benefit of knowing what tends to work and what doesn’t.
So, this is why a temporary waiver of TRIPS—which would suspend national obligations to enforce IP rights—can’t possibly help countries like India get more vaccines to its citizens. The know-how required to manufacture at scale is owned by the companies like Pfizer and Moderna that are producing doses in record volumes. To effect the demanded “technology transfer,” governments would have to secure the agreement of those companies not just to hand over their entire “cookbook” but also to send qualified scientists and technicians to spend time at the foreign facilities, basically consulting on how to implement the secret processes to produce a safe vaccine. And even if that transfer happened tomorrow, getting to the point of actually manufacturing in volume would take more than a year.
Not only would the TRIPS waiver not produce the results the proponents want, it would likely reduce the current level of international distribution of vaccines, by interfering with access to the limited supplies of required ingredients. In fact, this supply chain disruption was recently cited by none other than the government of India in pushing back against popular demands for a compulsory license on Gilead’s Remdesivir and other COVID-19 treatments, noting that the “main constraint” was not intellectual property rights but preventing competition for scarce “raw materials and other essential inputs.”
But there’s more. A waiver would result in even greater harm over the long haul. Drugs typically are not discovered by governments. Instead, we rely on the private sector to respond to new diseases. It seems deeply ironic that while our IP system succeeded in incentivizing the development of a new vaccine only months after the SARS CoV-2 virus appeared, we would now be considering suspending that system. Congratulations and thank you! Now, hand over your trade secrets!
Another irony relates to the fact that these companies have not been producing all the vaccine on their own. Instead, they planned ahead and established collaborative relationships with other manufacturers, leading to quick and effective voluntary technology transfers through licensing. Those who clamor for a waiver seem to ignore that robust, reliable trade secret laws enable such transactions. It may seem counterintuitive, but it’s well established that enforceable secrecy leads to more dissemination of technology, not less. Indeed, without it there would be hoarding of know-how, slowing production of vital medications and other innovations.
It takes more than $1 billion to engage in the risky business of producing a new drug. The willingness of shareholders to invest that kind of money requires a predictable IP system, one in which rights are not imperiled just because some people mistakenly believe those rights are in the way of achieving some laudable goal. Broadly removing IP protections is something governments can do, but they can only do it once, because the next time there may be no innovations available to claw back. Without reliable incentives, private industry simply won’t be able to prepare us for the next pandemic.
Trying to suspend IP rights clearly will not solve the problem and, indeed, risks making it worse. Instead, the international community – including the United States – should focus on diplomatic solutions to the immediate problem by lifting export controls by rich countries and forcing more equitable distribution of the available supplies of vaccines.
For decades, the United States has been vigorously promoting the value to society of a strong, globally harmonized IP system. The success of Operation Warp Speed has demonstrated the value of that system. This is no time to see what it might be like without one.
Five years after legislation significantly improved trade secret protection in the US, Jim Pooley
tells IAM in an interview, more policymakers on Capitol Hill are advocating tough policing of
potential IP theft by Chinese entities - for good and not so good reasons
The current US Congress is still in its early days but if the first few months are anything to go by we can expect plenty of discussion and proposed legislation on the subject of IP theft and specifically on protecting their trade secrets.
Last week, Senators Grassley and Whitehouse issued the Stop Theft of Intellectual Property Act 2021. If enacted, this would see foreign nationals who engage in IP theft facing potential deportation from the US.
Another proposed bill comes from Senator Graham. He put out a news release last month about his introduction of “The Combating Chinese Purloining (CCP) of Trade Secrets Act”. Among other things, the bill would include “prohibition on applications for patent protections by US Patent and Trademark office” for foreign persons who misappropriate a trade secret.
“My legislation is designed to deter behavior, much of it from China, that results in the loss of trade secrets, intellectual property, and sensitive government research,” Graham announced.
Senators Van Hollen and Sasse have also had their say with their “Protecting American Intellectual Property Act”, which passed the Senate late last year and, last month, was reintroduced in the new Congress. That proposes levying economic penalties on companies or individuals who have been found to have engaged in the theft of US IP.
Whether any of these bills actually become law remains to be seen. It has only been five years since the Defend Trade Secrets Act (DTSA) was passed, handing rights owners a powerful new route to bring cases under federal law. There hasn’t been an indication yet that
this legislation hasn’t given US authorities enough powers to tackle the problem of IP theft - a message that trade secrets expert Jim Pooley reiterated in a recent interview with IAM.
“These [bills] were not generated from a sense of concern that trade secrets in general are not being sufficiently supported or that the DTSA is not working or that prosecutions under the Economic Espionage Act are somehow not hitting the mark,” Pooley remarked.
Perhaps not surprisingly, Pooley stressed that what had changed the dynamic are the geopolitical tensions between the US and the world’s most populous country. “China was a concern five years ago, now it’s an almost rabid concern on the part of a number of politicians for good reasons and not so good, in my view,” Pooley said.
“I think the elevated concern over China is largely justified but that part is more performative - that you want to be seen to be tough on China - and this is what has me worried because of the unintended consequences,” Pooley commented.
The danger, should some of the proposed legislations’ more radical ideas become law, is that it will prompt a tit-for-tat response.
“Whenever you take measures that are designed to punish and discourage behavior by a foreign country or coming from a foreign country, what you risk is that that country or other countries will enact similar legislation of their own,” Pooley stressed.
In recent years legislators on Capitol Hill have been making ever more radical suggestions around how the US could use the IP system to get tough on China’s leading tech players. In 2019 Senator Rubio even floated the idea of preventing Huawei from seeking damages in patent litigation after it emerged that the Chinese tech giant had asked Verizon to pay $1 billion in licensing royalties.
Graham’s proposal that transgressors should be prohibited from filing for US patents might raise alarm about a similarly harsh response affecting the legions of US companies that have significantly increased their Chinese patent portfolios in recent years. That may not be an appealing prospect for a business like Qualcomm which makes a huge chunk of its revenue from device makers in China.
The risk, Pooley underlined, is that ideas around a balanced playing field and rights owners being given due process in overseas courts, which have traditionally underpinned US policy, might be undermined if the US pursues lopsided measures.
“We want our companies that are engaged in litigation in China to be treated appropriately but what we’re risking here is that by putting up these kinds of barriers without due process we’re basically sending a contrary message,” he stated.
Pooley, who was a key voice in the passage of the DTSA, underlined that the legislation was working largely as was hoped when it was enacted in 2016. He pointed to the large number of trade secrets cases now being filed in federal courts and to developments in the case law such as the decision in Motorola v Hytera, which found that the DTSA could apply to IP theft outside of the US.
“At the moment we don’t need to fix the existing tool in some way to make it more effective,” Pooley insisted. “What I do think we need to do is, a little more broadly speaking around intellectual property, come up with a national strategy for innovation that will increase our competitiveness in a way that hoping additional blocking or punishment mechanisms might not.”
Pooley stressed that he is happy to see a focus on strengthening IP rights, particularly in trade secrets, but added that: “At the same time I worry that the long-term effects of these kinds of proposals may not be what we really want.”
Patents themselves are publicly accessible, noted James Pooley, intellectual property attorney and former deputy director general of the United Nations' World Intellectual Property Organization. But trade secrets developed by Pfizer/BioNTech, Moderna and others, "cook books" of manufacturing processes such as temperature and growing conditions, have not been made public. That may ultimately be a dual problem for negotiators. Before they protect the knowledge, U.S. officials would have to ensure access to it.
Those companies would need to be persuaded to come to the bargaining table to give up such trade secrets.
“What happens when it turns out that the U.S. can’t actually deliver the information that is critically important to implementing the inventions?” Pooley asked. “This will be seen as another failure by the U.S. and other rich countries to keep their promises.”
“In a networked world, trust is the most important currency.”
— Eric Schmidt
I recently finished Gen. Stanley McChrystal’s book, Team of Teams, in which he describes organizational lessons learned as Commander of the Joint Special Operations Command in Iraq. Arriving in 2003, when Al Qaeda in Iraq (AQI) was outsmarting the best special forces that NATO could muster, McChrystal later switched out the traditional military approach of hierarchical control over information and authority to a “shared consciousness” system that pushed authority “to the edges of the organization.” Within two years they had eliminated the head of AQI, Abu Musab al-Zarqawi.
This feat was made possible, McChrystal argues, because the various elite units making up this special force had been transformed into a single organization capable of making decisions without orders from headquarters. While the separate teams of Navy SEALs, Army Rangers and CIA analysts had each proven themselves the best at their particular tasks, they trusted only their own members, and coordination among them was a matter of top-down control by the generals. But to meet the challenge of the elusive, loosely-networked AQI, the Command had to empower these individual teams to work together seamlessly. And that required extreme transparency: each team was aware of the whole mission.
“Need to know” is a bedrock tenet of information security. You only get to see it if you need to see it. The reasoning is that the fewer people who know the details, the lower the risk that information will be compromised by reaching the competition. Another term used among professionals is the “principle of least privilege,” borrowed from the notion in computer science that a user account should be given only that level of privilege that is absolutely necessary to its operation within the system, making failures less likely. By whatever name, the principle increases control by limiting access.
The idea that any one person in an organization probably doesn’t need to know much is rooted in the industrial revolution. When we moved from the age of craftsmen who made an entire product to the assembly line, the worker mounting the wheel didn’t have to know anything about the rest of the car. In fact, mass production efficiency (and profits) resulted from breaking down every process into its predictable steps and assigning each step to a separate worker. The chief architect of this reductionist view of human behavior was Frederick Winslow Taylor, whose 1911 The Principles of Scientific Management has been described as the most influential management book of the 20th century.
Keeping secrets has long been viewed through the same lens: compartmentalization helps keep things under control. But interestingly, it doesn’t always make things more efficient or productive. For example, consider what may have been one of the most important government secrets of the modern age: the wartime Manhattan Project to develop the atomic bomb. Operators of uranium centrifuges at the military headquarters in Oak Ridge, Tennessee knew how to operate the machinery, but didn’t know why they were doing it, until the weapon had been dropped on Japan. In parallel, at the Los Alamos, New Mexico, labs where the physicists and engineers were racing against time and the Nazis, the complex calculations for their work depended on manual punch card inputs to IBM calculators. When management revealed to those clerical workers what all the numbers were for, productivity soared, and they even invented programs to speed the process.
What McChrystal learned in Iraq was that the long-held assumptions of the military about command and control started to break down in the complex, unpredictable environment of modern insurgent warfare. Despite having the best equipment, the most advanced technology and the most thorough training, his finely tuned teams couldn’t match the adversary’s lithe adaptability. The traditional approach of anticipating and carefully planning for every eventuality didn’t work when nothing was predictable, especially when permission had to come from headquarters and each team was operating independently. Instead, he had to scramble the organization chart and develop trust among the teams that equaled the trust they had for one another, so they could act together as a single, responsive organism.
Building trust requires sharing information, and that’s where the lessons lie for modern industry. The adversary is not AQI, but a global swarm of disrupters bent on displacing your business. They operate in a flexible, data-rich, technology-driven environment where the rules of engagement are neither clear nor static.
This is not to say that “need to know” is dead. Not at all. But we shouldn’t think that just because information is not immediately required for a task it should not be widely accessible. Let’s consider a couple of examples.
First, a member of the sales team is attending an industry show (yes, we are going to do those again). She runs into the representative for an important potential customer, who as it turns out has a need for what the company is offering, but only the new, as-yet-unannounced version with some compelling features would suffice. Should she reveal the confidential information she knows, even though there’s no nondisclosure agreement in place? Or should she pass on the potential sale?
Now consider the engineer who has left the company to join a competitor. He’s working in the same general technology. At a meeting with his new colleagues, they describe a challenge they’re facing to decide among several options that seem like fairly straightforward engineering choices. But this employee knows from his most recent experience that one of those options will likely lead to failure. Is that knowledge part of his general skill and experience that he can share, or does he need to take himself out of the conversation?
Whether or not the answers to these questions seemed straightforward to you, the issue is what that employee will decide in the moment. More specifically for management, the question is what you would want them to do, and whether you are confident they will make the right choice.
If your business applies the “need to know” principle in its restrictive sense, it’s possible that your training program does not prepare employees for these kinds of decisions. Companies that tend to lock down information across the board also tend to assume that employees know what to do about confidential information. And anyway, if they don’t have access to it, there can’t be any risk, right?
One of McChrystal’s innovations in Iraq was to conduct mandatory daily briefings with all relevant units connected by video, including back at the Pentagon. It took some time before everyone from the various branches and agencies attended, but they came to understand the value of broadly sharing information. Trust improved, and the previously independent teams began to work organically, anticipating each other’s moves and making on-the-ground decisions. In short, greater access to information made them more effective.
What does this mean for your organization? You likely will benefit from rethinking your approach to access controls. More restrictive is not always better. Trusting people with broader information can improve performance. But to open things up and take full advantage of the capabilities of your workforce, you’ll need to take a hard look at your education program. Expecting employees to exercise good judgment about business secrets requires more than just sharing detailed plans for the next quarter.
McChrystal started with some of the best-trained soldiers in the world. If you want an adaptable workforce able to make smart decisions about when and how to share information in a complex world, you need to educate them thoroughly and continuously. They need to know what the company’s most valuable data assets are. They need to know their role in protecting them. They need to know what everyone else is doing and how they can help. Then you’ll have a team of teams.
When COVID-19 came ashore, glaring gaps in the government’s pandemic preparedness became painfully obvious. Everything from inadequate stockpiles of personal protective equipment to confusing and uncoordinated guidance regarding closures hampered our early response.
But while the government floundered, America’s research scientists sprang into action. Moderna actually invented its vaccine mere weeks after the virus was genetically sequenced in January — though of course, it took months of clinical trials to prove the vaccine was safe and 94% effective.
Now, tens of millions of Americans have been vaccinated, and the end of the pandemic is in sight. The credit belongs to strong intellectual property protections, as they enabled scientists to move quickly and raise ample funding for vaccine research.
As a post-pandemic world nears — and we begin to prepare for future pandemics — bolstering America’s IP infrastructure will help equip us for whatever challenges lie ahead.
Decades of expensive and risky research projects have paved the way for today’s breakthroughs. Over the last 10 years alone, drug companies invested more than $1.5 trillion on global pharmaceutical research. And some of that went toward developing the technologies underpinning the leading COVID-19 vaccines.
Notably, that includes mRNA technology. mRNA directs our bodies to produce proteins. And for nearly three decades, researchers have posited that they could use synthetic mRNA to guide the production of proteins that help treat specific diseases.
When COVID-19 started spreading, pharmaceutical company researchers were actively working on mRNA vaccines for the flu, rabies, and Zika. The pandemic necessitated a shift in priorities — and within weeks, Moderna, a small biotech in Massachusetts, and BioNTech, a small biotech in Germany that had partnered with Pfizer a few years prior, began working on mRNA vaccines that essentially instruct cells to create a harmless version of the “spike” protein found on the surface of the coronavirus.
This, in turn, triggers an immune response, which produces antibodies and teaches our body how to fight off future infection. The FDA granted emergency use authorization to the mRNA vaccines from BioNTech/Pfizer and Moderna in December.
The fight against deadly diseases won’t end with COVID-19, of course.
Fortunately for us, America remains at the forefront of the global biopharmaceutical landscape. America is home to less than 5% of the world’s population but roughly half of all international pharmaceutical R&D spending.
That’s largely because of strong IP protections. These protections, including patents, give innovators a fair opportunity to recoup their investment costs before generics firms can manufacture copycat medicines. It takes years to develop a new medicine, conduct clinical studies, and navigate regulatory review. And it costs $2.6 billion, on average, to bring a new drug to market.
Patent protections make it possible for companies to chase state-of-the-art ideas. Ultimately, if a drug maker wants to stay in business, it’s imperative they manufacture innovative products that provide considerable benefit to patients. Those are the types of products that end up changing the world for the better — just like mRNA vaccines are doing right now.
Yet, inexplicably, some have proposed weakening — or outright dismantling — these critical protections. On the home front, these attacks have come from Sen. Bernie Sanders, I-Vt., and Rep. Jan Schakowsky, D-Ill.
It’s not an accident that the overwhelming majority of drugs are developed in countries with strong IP rights. Quite simply, there would be no COVID-19 vaccines without them. America’s pharmaceutical companies delivered the greatest breakthroughs in modern history precisely because our ecosystem incentivizes firms to pursue cutting-edge research.
When the next pandemic arrives, we will have no hope of defeating it if we weaken the one industry that’s best prepared to develop innovative treatments.
In over 40 years of handling trade secret disputes, I have seen plenty of “successful” results, but never a time when my client said, “Gee that was fun; let’s do it again!” They may tell me they’re happy with the outcome, but hey, I know that it also feels good to stop hitting yourself with a hammer.
It’s a fact that more than 90% of trade secret cases settle without a trial. But too often those settlements only happen after years of litigation. There are ways to make that process less painful, and in an earlier article we looked at the advantages and limitations of arbitration and private judging as means to recapture some amount of control over the dispute. But unless the parties already had an arbitration agreement before the problem arose, one of them will probably see an advantage to playing it out in court.
There are plenty of ways to spend time and money in these cases. They begin with a struggle over what the trade secrets actually are. That can take months, even years, while the lawyers also fight about each side making available its documents and witnesses. Sometimes millions of documents and dozens of witnesses. All this is to prepare for a possible trial where, as experienced lawyers will tell you, the outcome usually hangs on just a handful of records and a few critical bits of testimony.
Approaching closer to the actual trial, reality and exhaustion tend to combine, leading the combatants to settle, primarily as a way to avoid looming risk. But this comes at an enormous sunk cost of money, energy and distraction from the actual business. At the end, the silent regret in the room is about not having arrived at this same place a lot sooner. So why do otherwise smart, calculating managers wait so long, and suffer so much, to get to a settlement?
Some apologists for the status quo will tell you that it’s necessary to press every procedural point in order to test the adversary, and that only when you have collected all of the records and examined every possible witness can you engage in “informed” negotiations. Plaintiffs’ lawyers will add that trade secret cases are all about stealth, so there must always be more that the defendant is hiding. Defendants will point out that the lawsuit represents an existential threat to their business. Or, perhaps more likely, to their personal honor.
Why Emotions Drive Trade Secret Litigation
Anecdotal evidence from colleagues, and my own experience, suggests that trade secret warfare has such staying power because it is so often driven by the personal emotions of the participants. Here is the key distinction: unlike any other kind of intellectual property dispute, the trade secret case is all about fault in a relationship.
As I’ve said before, it was my very early experience handling divorces that prepared me for trade secret litigation. Whether it was about employees leaving to start a competing company or join a competitor, or between two companies that had been in some collaboration, there was a rupture in a relationship, and trust was shattered. Sometimes that trust had been built over years, as with the young engineer who was mentored by the company founder only to strike out on his own, or the start-up band of disrupters grown close by fighting the entrenched incumbents, only to see one of their siblings leave for greener pastures (or more stock options). Even in big companies, internal teams develop loyalties as they rely on each other through the tough times.
So when this happens, who feels hurt? Pretty much everybody. The colleagues left behind may include managers and co-workers who feel deceived and abandoned (probably not admitting a touch of envy). The accused misappropriator is startled and in deep denial that anything could be wrong. They may feel scapegoated by their former boss (that venal bastard who never liked my ideas anyway). And hanging over it all is that primal emotion called fear: how long can this go on, and what will happen to me? Again, even in the business-to-business environment, it’s tactically about blaming and avoiding blame, but emotionally about betrayal and treachery.
Not Just Stolen Code, But Bruised Feelings Too
Here lies the root of the problem: the dispute is not just about some software code or customer list, but (to varying degrees of course) about the need to resolve bruised feelings. And without thoughtful intervention, that resolution can take a lot of time.
This may be the point where you expect me to describe the wise and trusted lawyer riding in to solve the case. Sorry. Naturally, there are – ahem – wise and trusted lawyers out there, but often the most they can do is bring down the heat a bit and work to make the litigation process as efficient as possible. Again, emotions run high among the participants in the drama, and clients – at least at the outset of a trade secret fight – may expect their counsel to be warriors first, advisors second. And an outsider might say that the lawyers have a certain conflict of interest that may lead some of them (subconsciously) to want to prolong the struggle.
Indeed, there are lawyers who make themselves part of the problem by acting out, effectively channeling the emotions of their clients. My wife, Laura-Jean, who is a psychotherapist, tells me this is called “merger,” but a different kind than we think of in the corporate world. The lawyer, rather than acting the independent professional, “merges” with the client’s perceived emotional state and then acts on it. Thus, we have the lawyer who, a couple of years ago, threw a cup of coffee at her opponent in a deposition, deservedly leading to dismissal of the case.
Mediation is the Perfect Path to Settlement
In trade secret disputes it’s the responsibility of the lawyers not just to avoid tantrums, but to act in their clients’ interest by guiding them toward settlement early and often. Lawyers are in a position to appreciate when their clients have tunnel vision due to emotional overload, unable to see the actual costs and risks that lie ahead. It’s up to the professional to be practical and help the client look at the situation through a business lens. Naturally, it’s hard to make that shift in the midst of battle.
This is precisely why that other form of alternative dispute resolution, mediation, is the perfect method for resolving trade secret disputes. A neutral facilitator leads the process, allowing counsel to retain some attitude as an advocate. The mediator, as we all know from centuries of experience in relying on intervention from respected elders, is able to see alternatives that the parties can’t. While lawyers have their eye on a future trial, the mediator begins with the solid truth that there was a relationship here once, and so there are always opportunities to tap that reality and, in the process, satisfy some of the unspoken emotional needs that lurk behind the legal advocacy. And the mediator has a broader appreciation for the collateral damage that happens in litigation and can find ways to preserve third-party relationships that might otherwise be battered and lost.
Mediation is the natural, organic solution to the typical trade secret case that takes on a life of its own, becoming a soap opera for the participants. Properly engaged, even at the outset of a case, it supports the parties in identifying the real problems and preparing for solutions to emerge. And it doesn’t have to be a single event. Indeed, at its most effective, mediation is a process that begins as soon as the parties reach some inflection point in the case where it seems acceptable to involve a neutral.
Pick a Mediator Who Will Pick at Your Case
Unlike other, more procedurally predictable IP litigation, such as patent infringement, these inflection points can happen often in trade secret disputes, because judges make decisions that leave both sides dissatisfied, or some new piece of evidence looks like it might shift momentum. That doesn’t mean the litigation has to stop while talks go on. The first session with a mediator may lead to little more than an agreement to share certain information and prepare for a later conversation, while in the meantime the lawyers can consult with the mediator privately, building the kind of trust that will allow a deeper exploration of possibilities at the next stage.
Here’s an important tip: for trade secret cases you need a mediator that is “evaluative” rather than just “facilitative.” That means that the neutral will at some appropriate point share with each party in confidence their view of the merits of the case. Instead of just helping the participants listen to each other, the mediator proactively judges the direction that each side needs to take to find a solution, helping them to come closer – not necessarily to the middle, but to a place that will resolve all of the issues that led to the dispute. Often, the main issues are not about money, but about reputation, respect and cooperation.
Ultimately, the best mediators will help the parties restore some dimension of the trust that they had lost, perhaps discovering some opportunities that they never could have imagined if they had tried to resolve this on their own. And although my guess is that no one, regardless of the outcome, would ever want to re-enroll in Trade Secret University, we lawyers can improve the value of our services, and the happiness of our clients, by helping them to graduate early.
By Stefan Dittmer, Partner, Dentons, Germany, and James Pooley, Professional Law Corporation, USA, Members of the ICC Commission on Intellectual Property, International Chamber of Commerce (ICC)
Most kinds of intellectual property (IP), such as patents, copyrights, trademarks and designs, are rights granted by a government. But there is another right that depends only on the choice of an individual business: secrecy. The law protects someone who shares information in confidence with another, but does not require that it be registered with any agency. If there is a dispute, the legal system will sort it out.
Trade secrets have been part of commercial transactions for centuries, as a common and practical way for a business to maintain a competitive advantage. While other forms of IP are carefully limited to creative works that meet a very specific set of requirements, protection for secrets applies broadly to any information that is secret, that has some commercial value, and that the owner has taken some steps to maintain in confidence.
It is this breadth and flexibility of secrecy that make it so attractive, in particular to smaller organizations that may not have the budget to build a portfolio of registered IP rights. Every restaurant can have its secret recipes. Every beauty salon has its customer list and knows the individual preferences of its patrons. Every furniture maker has “tricks” to increase the efficiency or quality of the finished goods. More recently, secrecy has been identified as a means to protect unstructured data, for example, machine data produced in large quantities and used to fuel automation, or algorithms, another key component of the digital industry.
Trade Secrets: the other IP right, featured in an earlier edition of the WIPO Magazine, offers an introduction to trade secrets.
The laws of most countries, following the standards laid down in the Agreement on Trade Related Aspects of Intellectual Property Rights (the TRIPS Agreement) protect obligations of confidentiality in business transactions. The reality of continuing relationships means that the vast majority of those obligations are respected by the participants.
In the United States, trade secret laws had traditionally been a matter left to the individual states. A Uniform Trade Secrets Act was proposed to the states in 1979 and since then has been widely adopted, but with varying provisions that made enforcement on a national scale fairly complicated. In 1996, the federal government enacted the Economic Espionage Act, but it was limited to criminal remedies. Twenty years later, the US Congress passed the Defend Trade Secrets Act of 2016 (DTSA), which for the first time, gave trade secret holders the option to file civil claims in federal court, offering a number of procedural advantages over state courts.
Trade secrets have been part of commercial transactions for centuries, as a common and practical way for a business to maintain a competitive advantage.
In effect, the DTSA has harmonized the rules that apply to trade secret disputes, and the number of cases brought in federal court has surged. As is true in other areas of commercial litigation in the United States, a claim can be made based on circumstances that “plausibly” infer that the defendant has misappropriated a trade secret. After that, a broad array of “discovery” methods, including extensive document production and pre-trial taking of sworn testimony from witnesses, is used by both sides to uncover the relevant facts. Although this easy availability of discovery allows trade secret holders to more effectively enforce their rights, it makes litigation in the United States generally more expensive than in any other country. Coupled with the sometimes-uncertain outcomes and generous damage awards due to the availability of civil lay juries, this environment can be intimidating for companies from other jurisdictions that are used to the more modest cost and predictability of the civil law framework that does not allow for discovery or juries.
Almost at the same time as the DTSA was adopted in the United States, the Directive on the Protection of Undisclosed Know-How and Business Information (Trade Secrets) against their Unlawful Acquisition, Use and Disclosure (Directive (EU) 2016/943 of 8 June 2016, or “EUTSD” for the purposes of this article) entered into force.
Before that, the national laws of EU member states, similar to the laws of any major economy, protected trade secrets one way or another. However, the fragmentation of the legal landscape across the EU was identified increasingly as an obstacle to cross-border technology transfer and R&D or, more generally, innovation.
Pressure from industry and business associations, but also growing political support for the idea of harmonization, not the least the “Europe 2020 Flagship Initiative Innovation Union,” paved the way for adopting the EUTSD. It has been implemented by EU member states. Although full harmonization was not intended or achieved, companies doing business in the EU can expect to find national legal regimes in the member states that are reasonably identical or similar across the entire EU.
Inevitably, the process of introducing the EUTSD reignited the discussion as to whether secrecy is an IP right, after all. It is, in many aspects, an academic issue because even those who question the quality of secrecy treat it in many respects like an IP right. Contrary to the prevailing legal doctrine in the United States, the EU decided against qualifying secrecy as an IP right. As a consequence, Directive 2004/48/EC on the enforcement of intellectual property rights, better known as the Enforcement Directive, does not apply. While individual EU member states, notably Italy and Slovakia, decided otherwise, the practical relevance of this inconsistent approach is limited in that the EUTSD stipulates an enforcement regime quite similar to that of the Enforcement Directive.
This seemingly coordinated effort on both sides of the Atlantic to improve trade secret enforcement was the subject of a study by the International Chamber of Commerce published in 2019.
Recent reform and upgrading of trade secret laws has not been limited to the EU and the United States. In 2018 and again in 2019, China made significant amendments to its Anti-Unfair Competition Law to expand the definition of a protectable trade secret and to increase penalties for theft, including the availability of punitive damages. China further refined its law to address the trade secret owner’s challenge of developing sufficient evidence by declaring a “preliminary” showing of misappropriation sufficient to trigger a requirement that the defendant prove independent development of the information.
What does all of this legislative activity directed at strengthening trade secret laws mean for SMEs? There are two general consequences. First, the subject of protecting competitive advantage by secrecy has received more attention than ever before, with the result that more resources are available to assist SMEs in managing this often-overlooked aspect of intellectual property. Second, businesses of all types and in all countries are challenged to take advantage of this easy-to-use approach, not only to protect their own data, but to avoid unwanted exposure to the trade secrets of others.
Protecting an SME’s competitive advantage by using secrecy requires awareness of what information needs to be protected to retain that advantage, and of the measures available to reduce the risks to its secrecy. Legislation poses virtually no limit to the kind of information that can be claimed as a trade secret; it can be any kind of information, as long as “it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question” (the TRIPS Agreement, Article 39), and derives from its secrecy some actual or potential commercial value. Of course, the information must be distinct from individual skill, which is outside the scope of legal protection.
Protecting an SME’s competitive advantage by using secrecy requires awareness of what information needs to be protected to retain that advantage, and of the measures available to reduce the risks to its secrecy.
The more challenging aspect is to identify and apply security measures that are “reasonable,” since every control brings with it a certain cost, either in money or efficiency or both (consider, for example, the annoyance of dealing with two-factor authentication, in which you have to wait for a unique code to be sent to your phone). What is reasonable under the circumstances will be decided ultimately by a court taking into account a company’s risk environment, the value of the information, the threat of loss and the cost of measures to mitigate the risks.
To identify its most important trade secrets, the business should consider the value of the information, measured by the investment made to develop it, the potential advantage it provides over the competition, the potential damage from loss of control, its exposure to any form of reverse engineering (which is, in principle, allowed in most jurisdictions), and/or the likelihood that a competitor might independently discover or develop it.
Once information has been identified as a valuable trade secret, the company needs to carry out realistic risk assessments to determine appropriate security controls. Introducing different classes of information with corresponding security measures can be useful to structure the process of managing trade secrets. Other parts of this process may include labeling the information in accordance with its classification, restricting access to those with a need to know, applying other physical and electronic safeguards and using properly drafted confidentiality (or non-disclosure) arrangements in situations where information must be revealed to a supplier or other business partner.
In the EU, the adoption of Regulation (EU) 2016/679 (General Data Protection Regulation) helped to raise companies’ awareness for data security. Technical and organizational measures, mandatory under the General Data Protection Regulation (GDPR), Article 32, to protect the secrecy and integrity of personal data, can also be “reasonable steps under the circumstances” to preserve the confidentiality of trade secrets.
SMEs, for the very reason that they often rely on secrecy rather than registered rights to protect their IP, are particularly prone to the threat of becoming targets of industrial espionage. For them, it is essential to not only apply high levels of cyber security, but to update and upgrade them regularly to remain on top of technical developments. After all, what is “reasonable under the circumstances” is subject to change due to technical progress and the relative value and threat variables, which may change over time.
While cyber-crime is on the minds of many businesses, the most prevalent threat to the preservation of secrecy are individuals who, while employed by the company (or by a trusted supplier), legitimately hold or have access to the information, but leave the company and carry the information to their new employer. In addition to contractual confidentiality obligations that should be standard in any employment agreement, IT surveillance within the limits of employment and data privacy legislation, frequent training on applicable duties, and a diligent exit process, including exit interviews, can help mitigate the risk. So can an established and well-communicated practice of strict enforcement in cases of security breaches. And not to forget that third party information illegally brought into the company by new hires also poses a threat to the company’s position, making it important that recruiting and on-boarding processes are reviewed.
Thanks to recent improvements in trade secret laws around the world, SMEs have more options and opportunities to increase enterprise value and prevent loss of data assets by using the IP right that is entirely in their control: trade secrets.
The Lord of the Rings trilogy ends in suitably spectacular fashion with a battle scene following the retreat of all the good people to “Helms Deep,” a tall stone fortress built into the recess of a massive rock mountain. Seemingly impregnable, the thick wall facing the invaders contains a small flaw: a drainage outlet about five feet high, large enough to pile in some spiny medieval bombs. That done, one of the bad guys in heavy armor but inexplicably looking just like the Olympic torch carrier, glides between lines of his cheering comrades and dives in with the flame to blow a hole big enough for the army to pour in.
Now, immediately shift your mind’s eye from New Zealand to New York: you are watching the scene from The Big Short where Ryan Gosling’s character overhears at a bar a secret trading strategy to bet against the subprime housing market (you know how that one turned out), and then proliferates it by making a call to a wrong number. And for something too improbable to qualify as a movie idea, consider this real-life drama from 2010: Apple, a company infinitely obsessive about the secrecy of unreleased products, finds out that an employee left an iPhone 4 prototype in a bar. Then (this is true) the same thing happens the next year with an iPhone 5 prototype, with a different employee, in a different bar.
Protect the Perimeter, or Guard the Core?
The managers of most companies tend to see information security as a Lord of the Rings problem, with the focus on protecting the perimeter. This reflects the popular view. Indeed, from reading headlines about hackers, you might think that cybercrime –malign attacks from evil outsiders – represents the most common way that commercial information is lost. And you would be wrong. It’s not the overlooked vulnerability in the company’s firewall that gets exploited by determined external enemies. Instead, it’s the careless employee who overshares on social media, brags at parties, or leaves a sensitive document in an airport lounge. (Remember traveling on planes?)
According to a 2013 study by Symantec, over half of departing employees believe it’s entirely acceptable to take company data when they go, and they tend to act on that belief. Forty percent have plans to use the information in their new position. This is not necessarily malicious behavior. Many (68%) just think the organization doesn’t care, given a lack of any apparent enforcement. Anyway, if the information is software, 44% believe that because they wrote it, it belongs to them. From my work with clients, I’d say the situation hasn’t changed.
So, it shouldn’t be surprising how often information is lost just because someone sends a sensitive email to the wrong person, or a group text instead of a private exchange, or because an employee decides that the company’s VPN is just too much trouble.
Nevertheless, when corporate managers think about information security, the first place they look at is the ramparts, when it’s what’s happening behind the walls that should keep them up at night. According to a 2017 Gartner report, businesses spend 62% of their security budgets on defending the network, compared to 18% for the “endpoint” devices in the hands of users.
All of this is not to say that we shouldn’t be guarding the perimeter against hackers, who are everywhere and apparently never sleep. Fortunately, the tools available to detect and react to cyberespionage are constantly improving, and despite the occasional disasters (most of which can be traced back to – ahem – human error), we seem to be staying slightly ahead in the cybersecurity arms race.
An Endless Supply of Human Folly
But clearly the more serious and pervasive threat is from insiders. Unlike the hackers who are trying to break into our systems, these are people that we trust with access to sensitive information, because we have to. Given the complexities of the globalized, digital economy, we have no choice but to share our secret data with employees, not to mention the anonymous employees of supply chain partners, all of whom stay connected remotely through multiple devices, and being human, can get easily fatigued or distracted.
Naturally, these risks are amplified as we have shifted to mostly remote work, where insider threats are dispersed and managers can’t always see them, including the subtle cues of individual behavior that might flag a problem. But increasingly, some of the same kinds of technologies that protect us against malicious outsiders are being developed to address the internal threat.
As we have observed before in this space, trade secret problems come in many different dimensions and circumstances, but all of them share a common feature: somebody did something stupid. Try as we might to create policy frameworks, management structures and training programs, the supply of human folly seems inexhaustible.
Machine Learning and Artificial Intelligence as a Possible Solution
The current hope is that machines will be the match for our failings. Artificial Intelligence (AI) has developed a reputation as aspirational, having fallen short of previous predictions. But it’s certainly much improved, and its ability to recognize patterns and make nuanced judgments provides reason for hope that it can be applied to predicting and managing human behavior.
That said, to deploy intelligence you have to first know some facts. And this is where Machine Learning (ML) comes in. While humans constantly demonstrate an inability to learn from their mistakes, for example by continuing to build houses in flood zones and forests, machines are terrific at it. They don’t get defensive when criticized, and like your dog, they just want to know what makes you happy.
So, combining ML’s talent for education with AI’s capacity for analytics and executive thinking seems an ideal way forward. And indeed, industry has stepped up and created some interesting possibilities. Perhaps inevitably, the security vendors seem to be innovating mainly in the area of new acronyms and other jargon designed to reinforce how much you don’t know. But stay with me for a moment and I think you’ll get a sense of where we’re headed.
An Alphabet of Defenses
Once upon a time there was plain old Data Loss Prevention (DLP) software, which sort of did it all and had a nice generic name. Now we have UAM, which stands for User Activity Monitoring, tools that gather data at its most granular, like individual screen captures, text messages and even keystrokes. UAM also sucks up data from DLP applications, as well as from systems engaged in Security Information and Event Management (SIEM) and User and Entity Behavioral Analytics (UEBA – which, wait, is now called SIEM 2.0). Got all that? No?
Okay, here’s a simpler explanation, through an example. We all deal with authentication by passwords, as well as the more annoying two-factor authentication, in which we wait for a code to be delivered to another device. With a process called Risk-Based Authentication (RBA, sorry), the system doesn’t only verify identity. Using a combination of AI and ML to create a baseline understanding of user behavior, it also examines context to search for anomalies and create warnings or blocks against dangerous behavior. It can examine emails from supposedly trusted sources to see if they align with previous messages, looking for very subtle differences in syntax and diction that might indicate a phishing scam.
So, while we’re sitting in front of our computer at home, far away from the office, we have the comfort of knowing that we’re not really on our own, that we have someone watching over us, protecting us against ourselves, and preserving the information assets that make this job possible.
In the final moments of The Lord of the Rings, despite the breach of its fortifications. Helms Deep was saved by the extreme heroics of its defenders. In business, the workforce may look a bit more like the careless traders in The Big Short. They could use some reinforcements.