Zero Loss of Crown Jewel IP: CTO Design Challenge Answers
The Challenge: Getting to zero loss of crown jewel IP.
The Challenge Judges: Mark Anderson, Founder and Chair, INVNT/IP; Richard Marshall, CEO, X-SES; Steven Sprague, CEO, Wave Systems, and Founding Member, INVNT/IP.
The Challenge Team: Barry Briggs, IT Chief Architect and CTO, Microsoft; Ty Carlson, Senior Manager, Technology Program Management, Digital Products Group, Amazon; Jeff Hudson, CEO, Venafi; Pete Nicoletti, Chief Information Security Officer, Virtustream; Eric Openshaw, Vice Chairman and US Technology, Media and Telecommunications Leader, Deloitte LLP; Larry Smarr, Director, Calit2, a UC San Diego/Irvine Partnership (HQ Qualcomm Institute), UCSD; Vaclav Vincalek, President, Pacific Coast Information Systems Ltd.; and Jerry Woodall, Founder, WoodallTech, and National Medal of Technology Laureate
Ty Carlson reports on the team’s progress. There is no silver bullet, he says, but the key is that we communicate that we are broadly under attack and that we must take very clear and measured steps to address this. Unless individuals within companies, organizations, and government understand the value of information, we won’t be able to address this at scale.
- Our response must be both policy and technological.
- Crown jewels
  - Create fake crown jewels: code that looks real and compiles, but that gathers information about where it is and who is responsible, and calls home. It essentially becomes its own virus.
  - Create traceable “honeypots” carrying signatures that would prove the material was stolen when it is recovered.
  - Prevent single points of failure by requiring multiple people for access; require two people to approve.
  - Move crown jewels frequently and unpredictably (an IP shell game).
  - Protect by physical isolation.
  - Isolate the jewels and distribute their components; hold the “keystone” component offsite.
- Trade policy
  - Leverage transpacific partners to manage this.
  - Import tariffs on products built on stolen IP: delay imports, deny entry, or seize ships or goods.
  - Prevent companies from trading technologies for market access.
  - Enforce the Wassenaar Arrangement, which is specific about export controls on arms and dual-use technology.
  - Penalize companies selling stolen IP.
  - Arrest and charge executives of offending companies: “That plastic wall, the phone thing, really doesn’t work when you’re trying to close deals,” explains Ty Carlson.
  - Deny or revoke visas for representatives of offending companies.
  - Deny access to stock exchanges.
  - Deny ownership in US companies.
- Industry policy
  - Create industry-specific consortia.
  - Establish industry-specific private networks.
  - Think SABREnet: an industry-specific Internet.
  - Create and leverage an industry CSO organization.
  - Discuss and share threat information and observations.
  - Establish threat levels.
- Governmental policy
  - CSO: SEC compliance statement
  - Separate from the financial audit.
  - Security compliance and reporting.
  - Data classification and marking of information.
  - Microsoft uses a three-tier classification scheme.
  - “I think there’s an enormous opportunity to actually do something on this front,” – Steven Sprague. “It’s called a hashtag.”
  - Watermarking and digital leakage prevention.
- Academic policies
  - Jerry Woodall: We have to reform our patent system and start thinking about IP at the university level.
  - Those most able to help develop new IP are the ones most likely to be blocked.
- Organization policies
  - Implement dual networks within an organization. The red network is where business is conducted; the green network is where Internet applications can be used.
  - There are ways around this, but raising the bar and setting high expectations is important.
  - There is a tradeoff between usability and security.
  - Require training.
- Organization IT
  - Machines and devices locked down.
- This must be a national priority.
- Sequestration is a national security damper.
- It needs to be an open and direct dialogue.
- “It would be rare for me to say we need more government, but in this case I think government should carry a big stick.” – Eric Openshaw
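The traceable-honeypot and watermarking items in the list above (per-recipient signatures that identify a leaked copy when it is recovered) can be prototyped in a few lines. The following is an added example, not code from the challenge team or from this page: it embeds a keyed, per-recipient tag into a text document as zero-width characters and recovers the recipient from a copy that turns up outside. The key, document id, document text and recipient names are all constructed for illustration.

```python
import hmac
import hashlib
from typing import Optional

# Constructed demo key. This key is the "keystone": whoever holds it can forge
# tags, so in practice it stays offline and with as few people as possible.
WATERMARK_KEY = b"demo-key-for-illustration-only"

# Two zero-width code points carry one bit each. They are invisible in most
# viewers and survive plain copy/paste, which is what makes them a usable canary.
BIT_TO_CHAR = {"0": "\u200b", "1": "\u200c"}   # ZERO WIDTH SPACE / ZERO WIDTH NON-JOINER
CHAR_TO_BIT = {c: b for b, c in BIT_TO_CHAR.items()}
TAG_BYTES = 8


def recipient_tag(doc_id: str, recipient: str) -> bytes:
    """Keyed per-recipient tag. Without WATERMARK_KEY an adversary can neither
    forge a tag that points at someone else nor predict another copy's tag."""
    msg = f"{doc_id}|{recipient}".encode()
    return hmac.new(WATERMARK_KEY, msg, hashlib.sha256).digest()[:TAG_BYTES]


def embed(text: str, doc_id: str, recipient: str) -> str:
    """Return a copy of `text` carrying this recipient's tag at the end of the first line."""
    bits = "".join(f"{byte:08b}" for byte in recipient_tag(doc_id, recipient))
    hidden = "".join(BIT_TO_CHAR[b] for b in bits)
    first, newline, rest = text.partition("\n")
    return first + hidden + newline + rest


def strip_marks(text: str) -> str:
    """Visible content only: what the recipient reads, and what a careful thief could keep."""
    return "".join(c for c in text if c not in CHAR_TO_BIT)


def extract_tag(text: str) -> Optional[bytes]:
    """Pull the hidden bits back out; None if no intact tag is present."""
    bits = "".join(CHAR_TO_BIT[c] for c in text if c in CHAR_TO_BIT)
    if len(bits) != TAG_BYTES * 8:
        return None
    return int(bits, 2).to_bytes(TAG_BYTES, "big")


def identify_leaker(leaked: str, doc_id: str, recipients: list) -> Optional[str]:
    """Recompute each candidate's tag and compare in constant time."""
    found = extract_tag(leaked)
    if found is None:
        return None
    for r in recipients:
        if hmac.compare_digest(found, recipient_tag(doc_id, r)):
            return r
    return None


# Constructed sample: a "crown jewel" document sent to two partners.
CROWN_JEWEL = "Alloy process notes (CONFIDENTIAL)\nStep 1: anneal at 612 C for 40 min\n"
RECIPIENTS = ["alice@partner-a.example", "bob@partner-b.example"]
DOC_ID = "alloy-notes-v3"

if __name__ == "__main__":
    copies = {r: embed(CROWN_JEWEL, DOC_ID, r) for r in RECIPIENTS}
    recovered = copies["bob@partner-b.example"]   # the copy that turned up outside
    print("visible text unchanged:", strip_marks(recovered) == CROWN_JEWEL)
    print("leaked by:", identify_leaker(recovered, DOC_ID, RECIPIENTS))
    print("after stripping marks:", identify_leaker(strip_marks(recovered), DOC_ID, RECIPIENTS))
```

Two caveats a practitioner would add. An HMAC tag convinces only the key holder; to prove theft to a court or a third party, the tag (or the whole marked copy) should be signed with an asymmetric key whose private half stays with the owner. And zero-width characters are trivial to strip, as `strip_marks` shows, so this is a canary for detecting careless leaks, not a control that survives a determined adversary.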
The Response:
Richard Marshall advises the team not to rely on a government response. Instead, he says, we should be leaning on ISPs, even bribing them.
Larry Smarr: The companies that have crown jewels to protect can get together and share information.
Steven Sprague: Prosecute this list backwards. “I guarantee there’s somebody on the planet that thinks Microsoft’s stolen some IP from them.” “The list is excellent. The problem is it’s not what we should do. We need to lead. We need to lead from the top.” Our top companies are using voyeurism as their business model. “‘We’re pregnant’ is crown jewel IP” and all the advertising that results.
Voyeurism is in every start-up business proposal.
Mark Anderson liked the separate nets idea. “I think that’s what the military does and that’s the only thing that I’ve ever seen work.” Likes idea of payloads and phone-home. Likes separate keystone, parsing ideas out into separate entities. “It’s a propaganda campaign that we need to mount here so that people feel good about protecting IP.”
Could we create a world where all data has GIS tags so that it knows where it can be?
Instead of encrypting the data, could the operating system play a shell game?
What can we do that will enforce not giving IP to China?
Ty Carlson says we need to become consistent about what our message is and how we portray it. Until we take a stand, until someone’s actually under lock and key, it’s not going to change.
For the first time in the history of the CTO Challenge, a majority of the judges (Marshall and Sprague) gave the team a thumbs down. The team did not create a checklist that would allow a CIO to fully protect crown jewel IP. However, it did map out an excellent and full ecosystem of the challenges that exist, and an excellent first take at a seriously hard problem.
View the CTO Challenge Powerpoint Slides:
Fire 2013 CTO challenge IP Protection vFinal [PPT]