Dark Reading is part of the Informa Tech Division of Informa PLC


4/2/2021
10:00 AM
Joe Payne
Commentary

US Tech Dominance Rides on Securing Intellectual Property

A recent, mostly overlooked pardon points to a big problem in the US tech industry: Intellectual property offers a lucrative golden ticket for insiders.

In January 2021, on his last day in office, President Trump quietly pardoned autonomous vehicle engineer Anthony Levandowski. He had been sentenced to 18 months in prison for stealing trade secrets from his former employer, Google. With everything else going on that month, including the Capitol riot and the inauguration, this news didn't receive much media attention.

Despite how little coverage this case got, it shouldn't be overlooked. In reality, it was a travesty of justice. We need to talk about Levandowski's pardon because it points to a foreboding problem in the US tech industry: Intellectual property (IP) offers a lucrative golden ticket for insiders. That's why there are thousands of security professionals and companies working behind the scenes to secure valuable IP in this country — and the US has some of the best IP laws and enforcement in the world. When the president pardons insider thieves, it sets a dangerous precedent and sends the wrong message to the larger international tech community as well as to those who create IP for companies.

First, some background on Levandowski: In 2016, he left his job on the Waymo team at Google — after receiving $127 million for his work there — to start a trucking company called Otto. Within six months, Otto was acquired by Uber. Over a year later, Google discovered that when Levandowski left Waymo, he exfiltrated 15,000 files on a thumb drive. These files contained some of the company's most important autonomous vehicle IP. He just walked out the door with the proverbial keys to the kingdom.

After a lengthy legal battle, Uber and Google agreed to a $250 million settlement. But Levandowski's time in the spotlight was not over. In August 2020, federal prosecutors convicted him of IP theft, and he was pardoned just a few months later.

Stolen IP can be worth staggering amounts of money. Here's just one example: Hackers attempting to steal COVID-19 vaccine IP in December could have gained billions of dollars if successful. IP theft isn't always as high profile as Levandowski's thumb drive full of self-driving car secrets, but smaller thefts still have an enormous impact on companies' bottom lines. In reality, IP theft happens every single day. Employees frequently download customer lists to their personal computers or email themselves source code. In fact, they are 85% more likely to leak files today than they were before COVID-19.

The Levandowski pardon sends a very negative signal to the international tech community. US competitiveness in the tech space depends on our ability to secure trade secrets. If anyone can gain insight into innovative new projects American companies are working on, how will those businesses stand out against the competition?

Fighting Back

If our government is going to override our IP law with pardons, business leaders have to take the bull by the horns. Here are some steps to take now.

First, American companies need to be way more transparent about data ownership. A report from my team at Code42 found that in recent years, more and more employees have started to believe that they — and not their employers — have ownership over the product of their work. Yet there is no doubt that employers own the work they pay their employees and contractors to produce. This is the case even if skilled, hard-working employees like Levandowski feel entitled to ownership of the project. Your legal team needs to write a clear data-use policy outlining your company's ownership over its data, and then leadership needs to remind employees of it regularly.

Training is the next step, and it's an area where I believe companies will invest heavily this year. It's not enough for HR to mention data ownership policies during onboarding — employees need consistent, effective security training. Make sure the training is engaging so employees don't lose interest.

Finally, there's insider risk management technology. It took Google over a year to file its lawsuit against Uber. That's a long gap between theft and action. With effective technology, companies can hang onto their data before it leaves and the damage is done. [Editor's note: The author's company is one of a number of vendors that sell such technology.]

IP is the greatest asset any country has, including the US. It's what sets us apart in the free world. The ending of the Levandowski story is a tragedy because someone who disrespected that whole idea was pardoned with no explanation as to why. Without intervention, employees will continue to harbor the belief that they are entitled to ownership over what they do at work. If businesses aren't aware of data theft, and government officials continue to let it slide, many people will continue viewing trade secret theft as low risk and high reward — and the US will fall behind in the race to global tech dominance.

Joe Payne is the President and CEO of Code42 Software. Joe is a seasoned executive with more than 20 years of leadership experience and a proven track record leading high growth security and technology companies. With a passion for identifying and solving emerging market ...
 
