CTO Challenge: Achieving Zero Crown-Jewel Intellectual Property Loss

With Judges Mark Anderson, Founder and Chair, INVNT/IP; and Steven Sprague, CEO, Wave Systems, and founding Member, INVNT/IP.

And CTO task force Barry Briggs, IT Chief Architect and CTO, Microsoft; Ty Carlson, Senior Manager, Technology Program Management, Digital Products Group, Amazon; Jeff Hudson, CEO, Venafi; Pete Nicoletti, Chief Information Security Officer, Virtustream; Eric Openshaw, Vice Chairman and US Technology, Media and Telecommunications Leader, Deloitte LLP; Larry Smarr, Director, Calit2, a UC San Diego/Irvine Partnership (HQ Qualcomm Institute), UCSD; Vaclav Vincalek, President, Pacific Coast Information Systems Ltd.; and Jerry Woodall, Founder, WoodallTech, and National Medal of Technology Laureate

Classification of crown-jewel IP differs from company to company.  In devising an approach to achieve zero crown-jewel IP loss, adaptive defensive measures are required to combat a constantly learning offense.  Moderator Ty Carlson started the session by pointing out that vulnerabilities in devices and networks are a function of human error in business as well as software and hardware design flaws.

Pete Nicoletti: People are typically the weakest link in crown-jewel IP protection.  Encryption and system administration ‘done right’ would require more selective application and key management.

How do you know when you’ve been hacked?  What recourse exists today to pursue attackers or prevent further attacks?  One set of eyes on the crown-jewel IP is not good enough.  Similar to a missile launch, split access would add a second layer of accountability and protection.

Mark Mahan:  If stolen crown-jewel IP is found somewhere it doesn’t belong, it should be identified and exposed.  Multi-layer protection and isolation may be the only real way to achieve zero crown-jewel IP loss.

Jan Bolt:  Identify and expose hackers and hold companies and individuals accountable.  Sanctions according to a multi-tier system of punishment are necessary depending on the severity of the IP theft.

Bob Anderson:  Keep a keystone aspect of the process proprietary.  IP thieves can passively acquire IP and sensitive information through observation.  Human carelessness is to blame many times (ex: CEO sharing sensitive information on an airplane).

Davis Brimer:  You can never know everything just as you can’t protect against every attack, but you can track and learn from every attack.

Randy Blotky:  IP theft is a cancer composed of many different interconnected pieces.  A network of solutions is necessary to deal with the varieties and combinations of digital threats.  Think of it as a fabric of problems that require an overlay fabric of solutions.

Steven Sprague:  Dual independent solutions are necessary.  Use a safe from one company and lock it in a safe from another company.

Barry Briggs:  We should do what we already know how to do, but we should do it better.

Vaclav Vincalek: Who do we trust to help us protect the IP?  The government?  Private organizations?  If there is no penalty for losing IP, professional accountability will also be absent.  Many US organizations are multinational organizations, making IP protection a global issue.  Solutions and regulations are fragmented across geographies.

Eric Openshaw:  Mutual deterrence should be considered (ex. Nuclear weapons).  Governments need bigger, more severe policies and responses to IP theft.  A structured approach to crown-jewel IP protection is necessary. All parties involved must speak the same language to better facilitate idea exchange.

Larry Smarr:  IP should be divided and kept in separate or ever-changing locations.  Have a constantly changing defense that is faster than the constantly learning offense.  There is not a way to get sanctions or have recourse unless the details of the attack are exposed.

Government, industry, academic, and organizational IP protection policies are defined by different interests and external forces.  A blanket solution to achieve zero crown-jewel intellectual property loss must provide equal value to IP owners as diverse and innovative as the IP itself.