Think Like A Hacker presents an information security topic from the point of view of a malicious attacker. This blog does not advocate illegal or unethical behavior. The purpose of this form of presentation is to encourage readers to think about information processing risks and to think about how to mitigate those risks.
Change and complexity are two things that excite hackers. With President Obama’s June 4th executive orders designed to curb patent trolls and with the March 16th inception of the America Invents Act, intellectual property within the U.S. has become a nexus of both. Knowledge is the key to exploitation. So let’s take a quick tour of these changes to see where the opportunity lies.
The Leahy-Smith America Invents Act is described by David Goldman from CNN Money as the “first significant change to the U.S. patent system since 1952”. It changes the criteria for granting a patent from a first to invent standard to a first to file.
That means that an existing patent application for an invention is enough to prevent the patent from being granted to anyone else… even the inventor. Adopting a first to file standard brings the U.S. into alignment with most of the rest of the world as far as the basic criteria for awarding a patent.
A provision of the AIA that differs from the way the rest of the world works is where the new law grants a grace period of one year to any inventor who publically discloses their invention. The grace period holds the same weight as filing as far as blocking a competing patent.
Finally, the AIA expands the ways that a patent application can be rejected for an invention that represents “prior art”. This prevents things that already exist, like the way people tie their shoes from becoming someone else’s property.
The new law increases the scope of prior art to include the entire world and extends the definition to include any application of the invention in a public setting. So if company X has a “trade secret” that has been used in their product and company Y “invents” the same idea and files for a patent then company X can challenge company Y’s patent and prevail.
This is all good news for hackers, especially the “little guys”, because it increases the value of as yet unpatented intellectual property. Prior to the AIA the options for a person in possession of exfiltrated secrets looked like this:
- Produce the product and sell it on the black market – too much work, wrong business.
- Sell the goods to criminal black marketeers or nation states that don’t respect the law.
Now with the AIA in effect the options look better:
- Be first to market – very risky and frankly too much work.
- File your own patent and maybe sell it to a patent troll – might work, but patent trolling may not be what it used to be.
- Extortion – adds a few felonies and a separate information trail to your identity.
- Sell the IP to the competition or a patent troll and let them file the patent – here’s where the rubber hits the road.
“Aren’t hackers already stealing IP?” you ask. “I keep hearing about how breaches constitute the largest transfer of wealth in the form of knowledge in human history“.
Yes and no. According to Verison’s 2013 Data Breach Investigations Report over 42% of the breaches in 2013 were espionage (502 of 1175 as indicated in Figure 35 titled “Breach Count by Data Variety and Actor Motive”). Out of those breaches, the DBIR states that “96% of espionage cases were attributed to threat actors in China and the remaining 4% were unknown”.
While individuals, activists and criminals are involved in financial breaches, they don’t do much theft of intellectual property. Why? Because prior to the AIA actual inventors were the beneficiaries of patent protections. Back then the best way to profit from stolen IP was to access the black market as a counterfeiter.
The America Invents Act tips the espionage tables in favor of smaller actors in three ways. The “first to file” standard puts a patent within the reach of anyone who possesses the intellectual property; finders keepers.
The uniqueness of the “grace period” will encourage IP holders not to disclose if they hope to pursue international patents. Under the Paris Convention the U.S. is bound by treaty to recognize patent filings and grants as if they were made natively. Also, it is conceivable that a foreign filing in response to a public disclosure under the AIA might even set up a condition in which the foreign filing constitutes “prior-art”.
Finally, although the AIA’s prior art protections sound good, kinda like a way to backdoor the original “First to Invent” standard, I think that in practice they will prove to be a false protection. The burden of proving that they’ve applied a “trade secret” in the public market will belong to the real inventor.
A patent jumper or their proxy in the form of a patent troll will be in a position to refute that claim; maybe even with information stolen from the inventor’s own servers. In the end the “prior art” provisions will encourage inventors to delay patent filings by giving them a false sense of security, will encourage them to store more IP on their servers to document their use of the idea and will encourage patent troll friendly litigation.
It is too early to tell whether or not President Obama’s executive orders will close down the patent troll end of things. Unless it presents some advantage to hackers we won’t be revisiting it in some future episode of Think Like A Hacker. Yet even without patent trolls, the AIA will give non nation-state hackers more bang for their buck and offer them a lucrative alternative to financial crimes.
The Other Side
What if you aren’t a hacker? The one thing that the AIA offers to inventors, especially small ones, is the ability to protect their inventions with patent filings. The best response to the new law is to scour your organization or closet for patentable inventions and file.
The next thing you should do is protect the ideas that you didn’t recognize by improving your information security posture. Security tools that make you aware of your system state, that identify vulnerabilities and that alert you to configuration weaknesses can do a lot to keep hackers with limited resources at bay. Tripwire can help.
P.S. Have you met John Powers, supernatural CISO?