Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

// // //
10:00 AM
Joe Payne
Joe Payne
Connect Directly
E-Mail vvv

US Tech Dominance Rides on Securing Intellectual Property

A recent, mostly overlooked pardon points to a big problem in the US tech industry: Intellectual property offers a lucrative golden ticket for insiders.

In January 2021, on his last day in office, President Trump quietly pardoned autonomous vehicle engineer Anthony Levandowski. He had been sentenced to 18 months in prison for stealing trade secrets from his former employer, Google. With everything else going on that month, including the Capitol riot and the inauguration, this news didn't receive much media attention.

Related Content:

Over-Sharer or Troublemaker? How to Identify Insider-Risk Personas

Special Report: Building an Effective Cybersecurity Incident Response Team

New From The Edge: DDoS's Evolution Doesn't Require a Security Evolution

Despite how little coverage this case got, it shouldn't be overlooked. In reality, it was a travesty of justice. We need to talk about Levandowski's pardon because it points to a foreboding problem in the US tech industry: Intellectual property (IP) offers a lucrative golden ticket for insiders. That's why there are thousands of security professionals and companies working behind the scenes to secure valuable IP in this country — and the US has some of the best IP laws and enforcement in the world. When the president pardons insider thieves, it sets a dangerous precedent and sends the wrong message to the larger international tech community as well as to those who create IP for companies.

First, some background on Levandowski: In 2016, he left his job on the Waymo team at Google — after receiving $127 million for his work there — to start a trucking company called Otto. Within six months, Otto was acquired by Uber. Over a year later, Google discovered that when Levandowski left Waymo, he exfiltrated 15,000 files on a thumb drive. These files contained some of the company's most important autonomous vehicle IP. He just walked out the door with the proverbial keys to the kingdom.

After a lengthy legal battle, Uber and Google agreed to a $250 million settlement. But Levandowski's time in the spotlight was not over. In August 2020, federal prosecutors convicted him of IP theft, then he was pardoned just a few months later.

Stolen IP can be worth staggering amounts of money. Here's just one example: Hackers attempting to steal COVID-19 vaccine IP in December could have gained billions of dollars if successful. IP theft isn't always as high profile as Levandowski's thumb drive full of self-driving car secrets, but smaller thefts still have an enormous impact on companies' bottom lines. In reality, IP theft happens every single day. Employees frequently download customer lists on their personal computers or email themselves source code. In fact, they are 85% more likely to leak files today than they were before COVID-19.

The Levandowski pardon sends a very negative signal to the international tech community. US competitiveness in the tech space depends on our ability to secure trade secrets. If anyone can gain insight into innovative new projects American companies are working on, how will those businesses stand out against the competition?

Fighting Back
If our government is going to override our IP law with pardons, business leaders have to take the bull by the horns. Here are some steps to take now. 

First, American companies need to be way more transparent about data ownership. A report from my team at Code42 found that in recent years, more and more employees have started to believe that they — and not their employers — have ownership over the product of their work . Yet there is no doubt that employers own the work they pay their employees and contractors to produce. This is the case even if skilled, hard-working employees like Levandowski feel entitled to ownership of the project. Your legal team needs to write a clear data-use policy outlining your company's ownership over its data, and then leadership needs to remind employees of it regularly.

Training is the next step, and it's an area where I believe companies will invest heavily this year. It's not enough for HR to mention data ownership policies during onboarding — employees need consistent, effective security training. Make sure the training is engaging so employees don't lose interest.

Finally, there's insider risk management technology. It took Google over a year to file its lawsuit against Uber. That's a long gap between theft and action. With effective technology, companies can hang onto their data before it leaves and the damage is done. [Editor's note: The author's company is one of a number of vendors that sell such technology.]

IP is the greatest asset any country has, including the US. It's what sets us apart in the free world. The ending of the Levandowski story is a tragedy because someone who disrespected that whole idea was pardoned with no explanation as to why. Without intervention, employees will continue to harbor the belief that they are entitled to ownership over what they do at work. If businesses aren't aware of data theft, and government officials continue to let it slide, many people will continue viewing trade secret theft as low risk and high reward — and the US will fall behind in the race to global tech dominance.

Joe Payne is the President and CEO of Code42 Software. Joe is a seasoned executive with more than 20 years of leadership experience and a proven track record leading high growth security and technology companies. With a passion for identifying and solving emerging market ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...