Archive for 'Insider Theft of IP and Intangible Assets'

Effectively Addressing Insider Threat To Proprietary Information, A Strategy!

August 28th, 2016. Published under Insider Theft of IP and Intangible Assets.

Michael D. Moberly August 28, 2016 ‘A blog where intangible assets and IP meet business’!

Among information asset protection/safeguard specialists, there is an anecdotally rooted adage referred to as the ’20-60-20 rule’ which caught my attention 25+ years ago and still carries a timely relevance along with an absolute (fiduciary) obligation to address it as effectively as possible.

Admittedly, there is nothing particularly scientific or legally defensible about the 20-60-20 rule, other than to note it evolved from experienced mixtures of anecdotal guesstimates that lead to a plausible characterization of the persistent challenges posed by ‘insiders’ in a continuum fashion…

Group 1 – 20% of the people we work with…are inherently honest and trustworthy and possess consistently high levels of (personal, professional) integrity. It’s unlikely these individuals would be receptive to any circumstance that could influence them to engage in unethical or dishonest behaviors, acts, or violations of a company’s security or information asset safeguard policies or practices.

Research administrators, TTO’s, and security practitioners would have little or no concern regarding these individuals engaging in misappropriation – theft of proprietary information, trade secrets, or monetized elements of intellectual property (IP) and other forms of intangible assets (IA’s).

Group 2 – 20% of the people we work with…function at the opposite end of the honesty – integrity continuum. For these individuals, their thin-shallow veneer of honesty-integrity is very permeable to reveal inherent dishonesty and/or unethical persona and little sense of personal loyalty to their employer or a project in terms of information assets. Even more so perhaps with respect to complying with company policies or government laws/regulations related to obligations to safeguard proprietary information and trade secrets embedded in valuable IP and other forms of intangible assets (IA’s).

Too, individuals functioning-operating at the adverse end of the honesty-integrity continuum will likely be more receptive to, if not already possess propensities – proclivities when certain opportunities avail or influencers are present, to engage in unethical – illegal acts, i.e., theft or compromise of valuable, mission critical, and competitive advantage information (intangible) assets.

Group 3 – then there’s the 60% of the people we work with…who are essentially ’in the middle’, that is, they do not (overtly) demonstrate any particular receptivity or proclivity to engage in dishonest, unethical, or illegal acts or behaviors that would purposefully put their employer’s proprietary information, trade secrets, or IP at risk or in jeopardy.

There is a frustrating nuance to individuals (subjectively) designated to lie in Group 3 however, which is that anecdotal evidence suggests individuals functioning at the adverse fringe, i.e., closest to Group 2 on the continuum, recognize and likely acknowledge opportunities, rationales, and persistent overtures from external entities in the form of solicitation-elicitation to misappropriate or publicly leak their employers’ proprietary information assets.

This reality makes the 20-60-20 notion particularly worrisome…to information asset safeguard-protection specialists on many levels. One of which is that individuals may possess proclivities – propensities unknown – undetectable at the time of hire using conventional pre-employment screening and interview processes. In current parlance, they may be unwitting sleepers whose adverse proclivities may be awakened and/or influenced at some future point relative to how they interpret-assess…

• their employer’s reactions and sanctions imposed on colleagues who violated company information asset safeguard practices and policies.
• the degree, level, and consistency of employer monitoring of proprietary information asset safeguard policies.
• the presence-persistence of external advances to engage in proprietary information compromise and the potential lucrative outcomes for doing so.

I attribute one, rather practical, approach to addressing insider challenges to the always forward looking Esther Dyson, when she remarked, ’it’s not about counting the number of copies anymore, rather, it’s about developing relationships with employees and users’ (who have – can access the proprietary – competitive advantage information that necessitates safeguarding).

There is practical reality embedded in Ms. Dyson’s remark, at least in terms of ‘people we work with’ and their propensity – receptivity, at some point in their career, not just their first week of employment, but, after undergoing various ‘snap-shots-in-time’ pre-employment screenings, to engage in adverse acts! Too, there certainly is relevance to the hyper-competitive, aggressive, predatorial, and winner-take-all global business transaction environment. In that regard,

While most of my operational familiarity with ‘insiders’ is rooted in personal experiences, I respectfully attribute some of my current thinking and approaches for addressing this persistent challenge to the excellent work-research consistently produced by PERSEREC (Personnel Security Research Center, DoD) and Carnegie Mellon’s CERT unit.

Insider Threat Continuum

June 1st, 2015. Published under Insider Theft of IP and Intangible Assets, Insider Threats.

Michael D. Moberly   June 1, 2015   A blog where attention span really matters!

In the information asset protection community, there’s an adage, or perhaps more aptly characterized as an anecdotally rooted ‘rule of thumb’, the ’20-60-20 rule’ that still carries a timely relevance since it initially caught my attention some 25+ years ago. Through my lens, this represents a reasonable and plausible characterization of the persistent ‘insider threat’ which I endeavor to explain below.

Group 1 – 20% of the people we work with…are inherently honest and possess consistently high levels of (personal, professional) integrity.  It’s quite unlikely individuals in this initial 20% would be influenced, inclined, or could be persuaded to engage in unethical or dishonest behaviors, acts, or violations of a company’s security or information safeguard policies or practices.

In other words, for these individuals there would be little or no concern they would be engaging in misappropriation – theft of proprietary information, trade secrets, or monetized elements of intellectual property (IP).

Group 2 – another 20% of the people we work with…function at the opposite end of this continuum of honesty – integrity.  For these individuals, when their already thin sociological – psychological veneer is peeled back, it’s likely to reveal an inherently dishonest, unethical, and misguided persona with little, if any, sense of personal – professional integrity, or employer loyalty with respect to complying with company policies or government laws/regulations related to obligations for safeguarding proprietary information, trade secrets, or IP.

Too, these individuals would likely be receptive (have the internal propensity, proclivity) when certain opportunities avail or influencers are present to engage in unethical – illegal acts, i.e., theft or compromise of valuable, mission critical, and competitive advantage information (intangible) assets.

Group 3 – then there’s the 60% of the people we work with who are essentially ’in the middle’, that is, they do not (overtly) demonstrate any particular receptivity or proclivity to engage in dishonest, unethical, or illegal acts or behaviors that would purposefully put their employer’s proprietary information, trade secrets, or IP at risk or in jeopardy. In other words, these individuals are likely to be honest and ethical.

There is a disappointing and frustrating nuance to Group 3 however. That is, anecdotal evidence suggests individuals functioning at the fringe of this group, i.e., closest to Group 2 on the continuum, are recognizing the persistent overtures from external entities engaged in solicitation-elicitation initiatives to misappropriate or publicly leak their employers’ proprietary information assets.

This phenomenon is particularly worrisome…to information safeguard specialists on many levels, one of which is that such (highly personal and embedded) proclivities – propensities may be unknown at the time of hire, i.e., go undetected – unobserved in conventional pre-employment screening and interview processes. In current parlance, they may be unwitting sleepers whose adverse proclivities may be awakened and influenced at some future point by the employee’s interpretation-assessment of…

  • their employer’s reactions and sanctions imposed on those caught violating company information safeguard practices and policies.
  • the degree, level, and consistency of monitoring which their employer engages relative to safeguarding its proprietary information, IP, and trade secrets.
  • the persistence of external advances and their potential lucrative outcomes.

Admittedly, there is nothing particularly scientific or legally defensible…regarding the 20-60-20 perspective, other than to say it probably evolved from well intentioned ‘anecdotal guesstimates’ and observed incidents. Regardless, for those finding relevance in it, this phenomenon does draw, and properly so, our attention to the persistent and very costly challenges presented by ‘insiders’, whomever they may be, and the necessity for more effective pre-employment screening and regular monitoring.

One rather practical approach to addressing such insider challenges can be attributed to the always forward looking Esther Dyson, when she remarked, ’it’s not about counting the number of copies anymore, rather, it’s about developing relationships with employees and users’ (who can access the proprietary – competitive advantage information that necessitates safeguarding).

I suspect Ms. Dyson may not be familiar with the ’20-60-20’ adage described here and its relevance to the hyper-competitive, aggressively predatorial, entrepreneurial spirited, and winner-take-all global business transaction environment.

But, there is practical reality embedded in Ms. Dyson’s remark, at least in terms of ‘people we work with’ and their propensity – receptivity, at some point in their career, not just their first week of employment, but, after undergoing various ‘snap-shots-in-time’ pre-employment screenings, to engage in adverse acts!

While most of my operational familiarity with ‘insiders’ is a direct result of personal experiences, I respectfully attribute some of my current thinking and approaches for addressing this persistent challenge to the excellent work-research consistently produced by PERSEREC (Personnel Security Research Center, DoD) and Carnegie Mellon’s CERT unit.

Economic Espionage, Can There Be A Rationale?

November 15th, 2014. Published under Economic Espionage, Insider Theft of IP and Intangible Assets.

Michael D. Moberly   November 15, 2014   ‘A blog where attention span really matters’!

Peculiarly perhaps, economic espionage has been an arena to which I have devoted consistent interest and work for 25+ years, since I began designing and conducting independent investigative research projects into global economic – competitive advantage adversaries stealing intellectual properties belonging to university-based R&D and their spinoff companies.

One obvious outcome to my work in this arena is that I would be hard pressed to conceive of any rationale whereby economic espionage would be portrayed in other than the most negative context, particularly how it has morphed today into consistent and sophisticated barrages of cyber theft.

Industrial (economic) espionage and its close cousin product piracy and counterfeiting are certainly not new phenomena, as each has presented consistent challenges since man first began etching distinguishing (trade) marks on their products.

I remain intrigued however by the boldness of Drs. Whitney and Gaisford (then) of the University of Calgary, in their 1999 paper titled ‘Rationale For Economic Espionage’. While their perspective is thoughtfully articulated, and not without some merit, economic espionage remains a set of acts which most countries, institutions, and companies find repugnant and devote substantial resources to combating.

Whitney and Gaisford posit economic espionage can yield strategic, competitive advantage, and cost savings to the beneficiaries. On that point, no argument here! So, when technologically advanced entities are targeted and spied upon, it’s feasible, Whitney and Gaisford suggest, that both may ultimately be better off. The ‘better off’ in this instance, translates as the ‘transfer of technology’ which some argue has become the primary path to the world’s greatest transfer of wealth.

As always, readers’ comments are welcome and respected!

Pre-Employment Screening Reversal Theory

April 25th, 2013. Published under Insider Theft of IP and Intangible Assets, Insider Threats.

Michael D. Moberly   April 25, 2013    ‘A blog where attention span matters’.

In the Spring/Summer 2012 edition of the International Journal of Intelligence Ethics, the author of ‘Reversal Theory: Understanding the Motivational Styles of Espionage’ brought some very worthy and intriguing context to the relationship between insiders and economic espionage by way of ‘reversal theory’.

In the article, an obviously experienced and certainly forward looking author distinctively applied Dr. Michael J. Apter’s ‘reversal theory’ to the persistent – ever present challenge of insiders relative to their predilection to engage in insider theft and/or economic espionage at some point during their employment.

In short, reversal theory (RT) as well described in the aforementioned article is a model for personality analysis. The premise is that people and their behavior change, perhaps regularly, over time. In other words, people’s motivational states are not static, rather they’re quite dynamic. As such, behaviors people may engage in to obtain, presumably personal satisfaction, are also dynamic and certainly not static.

More specifically, RT suggests one’s personality evolves from – is embedded in patterns of (dynamic) change, not ‘fixed traits’ which some psychometric practitioners and researchers continue to advocate.  The notion that there are particular ‘fixed (permanent) traits’ that people possess that in turn are associated with – linked to ‘predictable patterns of behavior’ is contrary to the principles of the RT model.

Put another way, as the author points out so effectively, RT actually ‘challenges the assumption that (fixed) personality traits or commonalities of behavior’ are linked to predictability. Again, the author points out that RT, if practiced correctly, would allow more organizations to screen out vulnerable and/or suspect applicants. But, my reality is, and I suspect the author may agree, continued reliance on conventional trait (employment screening) approaches has not produced the necessary consistency in identifying – distinguishing applicants who are vulnerable or otherwise, at some point in their employment tenure, become receptive to engaging in adverse acts against their employer. In this instance, we’re talking about theft, misappropriation, and/or infringement of intellectual properties, proprietary (trade secret) information and other forms of intangible assets.

More specifically, both the author and Dr. Apter agree that the conventional ‘static trait theory’ has not, and does not account for, nor does it address the very real reality that people are receptive to behavioral – attitudinal changes over time, some of which adversely affect their receptivity, propensity, and proclivity to ‘voluntarily’ engage in insider theft and economic espionage.

As most practitioners serving in the arena of endeavoring to thwart insider threats and economic espionage know all too well, there are a myriad of anecdotal accountings and well intentioned studies identifying gradations, motives, tenacity, and intensity of the risks posed by ‘insiders’.

Unfortunately, the same challenges remain, if not become intensified, with of course the proverbial tweaks and/or technological variations insofar as how targeted assets are accessed and acquired by bad actors. What’s needed in my judgment, as has been noted multiple times in this blog, is objective, replicable, and evidence-based research, beyond mere anecdotal reports or accountings, that presents different, but certainly plausible explanations why particular employees, post hiring, willingly and voluntarily become ‘insiders’ and variously engage in economic espionage.

Through my lens, and the publication of well researched articles as summarized here, the private sector, as well as the intelligence community, are now absolutely obliged, more than ever before, to re-visit and re-think their personnel (pre-employment) screening processes and practices by, among other things, recognizing that periodic (in-employment) re-assessment is essential. At minimum, periodic re-assessment should include the means to identify and assess post-hires’ adverse (a.) receptivity, (b.) inclination, and/or (c.) newly acquired predispositions that may or may not have evolved since and be contrary to what was gleaned on or before the date-of-hire while having access to classified (proprietary, sensitive)  information, i.e., intangible assets.

I should think, in part, the author’s application of reversal theory as aptly described in this article certainly warrants broad attention and study because it serves as a very worthy starting point for some serious and thoughtful discussion on this increasingly critical matter.

Of course, the necessity for the private sector to comprehensively address risks posed by insiders is elevated in large part because of the economic fact – business reality that 80+% of most companies’ value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability lie in – directly evolve from often times readily available, perhaps even open source, intangible assets, many of which are rooted in – emanate from intellectual properties, proprietary information, and other forms of intellectual, structural, and relationship capital. As for the application of RT to government agencies, one hardly needs to say more than PFC Bradley Manning!

This globally universal economic fact alone should, in my view, and I suspect that of the author as well, prompt companies and organizations to find the will and the resources necessary to effectively mitigate insider risks and economic espionage, be it state sponsored or conducted by independent actors. In other words, RT theory, in my view, warrants attention and thorough discussion!

Inspiration for this post lies with an article published in the Spring/Summer 2012 edition of the International Journal of Intelligence Ethics, titled ‘Reversal Theory: Understanding the Motivational Styles of Espionage’.

Each blog post is researched and written by me with the genuine intent it serves as a useful and respectful medium to elevate awareness and appreciation for intangible assets throughout the global business community.   Most of my posts focus on issues related to identifying, unraveling, and sustaining control, use, ownership, and monitoring asset value, materiality, and risk.  As such, my blog posts are not intended to be quick bites of  unsubstantiated commentary or information piggy-backed to other sources.  Comments regarding my blog posts are encouraged and respected. Should any reader elect to utilize all or a portion of my posts, attribution is expected and always appreciated. While visiting my blog readers are encouraged to browse other topics (posts) which may be relevant to their circumstance or business transaction.  I always welcome your inquiry at 314-440-3593 or m.moberly@kpstrat.com

Trade Secrets Are Intangible Assets: Leahy Fixes the Economic Espionage Act!

January 4th, 2013. Published under Economic Espionage, Insider Theft of IP and Intangible Assets.

Michael D. Moberly    January 4, 2013

In April (2012) a decision by the Second Circuit court significantly impacted a key element of the Economic Espionage Act (EEA) by reversing the criminal conviction of Sergei Aleynikov, a former Goldman Sachs programmer who had been caught, as they say, ‘red handed’ stealing trading software code.

The court refused to apply the EEA to this case because the stolen trade secret(s) failed, in the Court’s judgment, to satisfy the EEA’s interstate or foreign commerce provision, thereby overturning a jury verdict that found the defendant violated 18 U.S.C. § 1832(a) by stealing computer code from his employer, i.e., United States v. Aleynikov, 676 F.3d 71 (2d Cir. 2012).

In its reversal, the Circuit Court reasoned that ‘the high speed trading code stolen by Aleynikov from his employer, were not a product (presumably, originally) designed for interstate or foreign commerce’ which readers know, are elements required for EEA prosecutions.

So, Senator Leahy (Chair, Judiciary Committee) in response to this court’s decision, authored an amendment that slightly modified Section 1832(a) of the EEA. Leahy’s bill brought timely (futuristic) clarity to the EEA by expanding its scope to protect all trade secrets related to a product or service that are used in interstate commerce, which duly repaired the now aptly named ‘Sergei Aleynikov gap’.

Simply stated, with the critical ‘wordsmithing’ in Senator Leahy’s bill, the EEA now covers (trade) secrets related to a product or service that have come to be ‘used’, but may not have been originally/initially designed for interstate or foreign commerce.

An equally critical, but not formally acknowledged underlier to this important amendment to the EEA in my view, is the economic fact – business reality that today 65+% of most companies’ value, sources of revenue, and ‘building blocks’ for growth, profitability, and sustainability lie in – evolve directly from intangible assets, of which trade secrets are one! So perhaps inadvertently, Leahy’s bill did much more than merely close the so-called ‘Sergei Aleynikov’ gap.

On December 28, 2012, President Obama signed the EEA amendment (SB 3642).

But, for intangible asset advocates, strategists, and security practitioners like me, perhaps it’s a bit premature to engage in celebration. That’s because

  • it is quite conceivable a Constitutional challenge may be in the offing that contests Congress’s Commerce Clause authority to enact legislation that imposes criminal penalties, as Leahy’s legislation does, and
  • as most readers already know, earlier this year, PATSIA (Protecting American Trade Secrets and Innovation Act) was introduced in the Senate (SB 3389) which would provide a civil right of action for trade secret theft under the Economic Espionage Act.

Many, including myself, remain unclear whether PATSIA will actually confer (significantly) more protection than the existing UTSA (Uniform Trade Secrets Act) because the UTSA and PATSIA (a.) define “misappropriation” in precisely the same way, (b.) both define “trade secrets” broadly, and (c.) both provide most of the same remedies, i.e., (1.) injunctive relief, (2.) actual damages, (3.) damages due to unjust enrichment, (4.) exemplary damages in the event of a willful misappropriation, and (5.) attorney’s fees for claims brought or resisted in bad faith.

That said, PATSIA does actually differ somewhat from the UTSA in two ways that would, in spite of the aforementioned similarities, make it a useful addition to companies and institutions seeking to develop – pose a more convincing and probable special deterrent to the various globally predatorial and economic – competitive advantage adversaries who are already inclined to mount increasingly sophisticated initiatives to steal competitor’s trade secrets. Ultimately, it seems the amended EEA, along with PATSIA and UTSA, now collectively provide a substantial triad of potential remedies, when, not if, trade secret and/or intellectual property theft occurs.

Interestingly, PATSIA, unlike the UTSA, would authorize federal courts to order (a.) the seizure for up to 72 hours of property related to the misappropriated trade secrets, and (b.) provide for an expedited hearing to determine the property’s disposition.

This seizure option would apply to “any property (including computers) used or intended to be used, in any manner to commit – facilitate the commission – violation of trade secret theft”.

Importantly, the ability to seize misappropriated properties would allow victim companies to mitigate or possibly avoid some of the traditional frustrations of merely seeking redress after the fact, or of obtaining injunctive relief, about whose effectiveness we know there is considerable uncertainty.

Another intent for addressing these distinctions and similarities (between the EEA, UTSA, and PATSIA), as many readers painfully know all too well, is to draw attention to conventional TRO’s (Temporary Restraining Orders) and TRO’s that allow for the immediate seizure of theft-related property. To be sure, when dealing with unscrupulous, globally predatorial, and legacy free players engaged in IP and proprietary information theft regardless of their origins or motives, the (latter) strengthened TRO can be an effective tool.

Ultimately, it appears that victim companies of trade secret theft-misappropriation are going to have a substantially enhanced and wider range of remedies available which hopefully will (a.) produce the correct deterrent effects, and (b.) create more viable avenues for effective resolutions to such claims.

But, given these apparent positives in the persistent battle of safeguarding proprietary information and trade secrets, it will behoove every c-suite, board, and management team member to appreciate this well founded adage regarding trade secret theft, which is…

 ‘once stolen or misappropriated, it’s often challenging and certainly costly to secure the return of these intangible assets, and seldom are they fully intact if a victim company is fortunate enough to do so, and too, a victim company can count on a long, slow, expensive, and resource demanding path to return to a state of economic and competitive advantage normalcy’!

So, the takeaway is: devote resources to developing and executing superior information (intangible) asset safeguards designed specifically to sustain control, use, ownership, and monitor asset value, materiality, and risk at the outset. Otherwise, the value, revenue, competitive advantages, and building blocks for (company) growth, profitability, and sustainability can quickly go to zero!

(This post was inspired by a piece in ‘Sullivan’s Trade Secrets’ authored by Todd Sullivan of Graebe, Hanna & Sullivan.)


Intangible Assets…Prosecuting Theft – Misappropriation!

December 28th, 2012. Published under Enterprise risk management, Insider Theft of IP and Intangible Assets.

Michael D. Moberly    December 28, 2012

An intriguing question was posed by Stuart Green, a Rutgers law professor, in a New York Times article (March 28, 2012), in which he frames in a very ‘forward looking’ manner whether the terms theft and/or stealing actually fit today’s business circumstances. That is, when a company’s most valuable assets likely to be stolen, misappropriated, or infringed are intangible (non-physical), in the form of intellectual, structural, and relationship capital, will the conventional (prosecutorial) definition and/or application of theft and/or stealing fit? Or, do (will) prosecutors, to maximize court understanding, find it necessary to portray intangible assets in a tangible context?

This question, in my view, should not be misinterpreted as merely constituting an issue that best belongs in a law school lecture hall espoused as merely legal theory. Rather, in my view, it actually underlies an important aspect to companies’ ‘sustaining control, use, ownership and monitoring the value, materiality, and risk’ to their intangible assets. In that sense, it should carry considerable relevance to the responsibilities associated with CSO’s (chief security officer), CIPO’s (chief intellectual property officer), CISO’s (chief information security officer), CTO’s (chief technology officer), CRO’s (chief risk officer), and corporate legal counsel alike.

Having developed and taught various asset protection courses in a university criminology department for 20 years, it’s widely recognized that acts of theft and/or stealing of ‘property’ have conventionally been taught and interpreted to mostly involve tangible-physical assets or property, with intangible (non-physical) assets seldom, if ever, being addressed.

I suspect some readers, particularly those in the security – asset protection profession, may find this question unnecessary, or perhaps worse, opening a much unwanted ‘legal can of worms’.

For a significant percentage of prosecutors, and presumably the music and film industries too, I assume they would prefer, and are quite willing to devote the necessary resources to ensure the relevant (criminal justice) institutions continue applying the conventional and time-honored language, i.e., (a.) an individual or entity acquires (takes) property belonging to another, (b.) without their permission, and (c.) with the intent to permanently deprive the rightful owner of its use. Or, what Professor Green and others characterize as a ‘zero sum game’.  That is, one party loses an asset (property) rightfully belonging to them, while another party gains that asset or property.

In other words, there is no significant distinction between tangible and intangible assets when it comes to theft and/or misappropriation.

However, in the current knowledge – intangible asset dominated global (business, transaction) economy in which, conservatively speaking, 65+% of most company’s value and sources of revenue lie in – evolve directly from intangible assets, it does beg the legal question; can those conventional, time-honored definitions regarding theft, misappropriation, and infringement be consistently applied to non-physical (intangible) assets, or will challenges be forthcoming?

To add complexity, but, perhaps reality to this position, Professor Green suggests, when particular types/categories of intangibles are stolen, the rightful owner is likely to retain some  use of those assets, albeit perhaps in a depreciated and/or undermined form insofar as reduced value and fewer sources of revenue.  Had, for example, music, video-based assets not been illegally downloaded, they presumably would have delivered greater sources of revenue to the rightful holder, i.e., artist, copyright holder, producer, etc.

The reality is, as readers know well, companies are producing, acquiring, and inventing significantly fewer tangible or physical assets today in lieu of assets which are more likely to be intangible and non-physical. So how does this globally universal and irreversible circumstance mesh with the conventional perspective of prosecutorial ‘zero sum game’ relative to (asset, property) theft and stealing?

As we know, various courts and legislative bodies have adjusted some of the conventional language found in theft and misappropriation statutes to accommodate growth in intangibles. Thus, has the time come, as Green posits, for specialized legal doctrines to be developed to specifically reflect the theft, misappropriation, infringement, and counterfeiting of intangible assets and its subset, intellectual properties, i.e., patents, trademarks, copyrights, etc.?

Actually, in the mid-1960’s, some would-be reformers of criminal law became frustrated with how courts and legal practitioners were endeavoring to distinguish tangible and intangible property. One outcome of their frustration was that the American Law Institute developed a ‘model penal code’ which essentially defined property as constituting ‘anything of value.’ Personally, I remain unconvinced this was the most appropriate way to handle this problem. Admittedly though, in 1962, intangible (non-physical) assets were hardly part of mainstream business or legal vocabulary.

On a relevant note, a trust and estate attorney I met recently was asked about how she intended to address intangible assets clients had accumulated when drafting trusts, wills, or estate documents. The attorney expressed virtually no interest, nor seemingly a clue about how to identify, unravel, value, divide, or incorporate intangible assets in a will or trust other than to characterize them merely as issues which were referred to accountants, but only for asset valuation which she would accept without challenge. This perspective prompted me to wonder whether this attorney was indeed operating in the 21st century, or perhaps worse, whether she had her clients’ best interests in mind or understood intangible assets at all.

Today, of course, intangible asset intensive – driven businesses have sprouted globally, brimming with all forms of intellectual, relationship, and structural capital, intellectual properties, brands, and reputation interests, each of which play critical economic and competitive advantage roles relative to a company’s profitability, sustainability, and growth potential.  So, if intangibles are not addressed in wills, estates, and trusts, it’s quite possible there will be many opportunities for same to be contested and challenged, thereby minimizing the significance attached to otherwise well constructed documents.

So, for me, and my colleagues in the information asset protection and insider threat – risk arena, it seems, the more engaged we become in intangible assets and businesses and transactions in which intangibles are routinely in play, the more complex and broader the dilemma becomes.

This post was inspired and adapted by Michael D. Moberly from a piece authored by Stuart P. Green published in the NYT on March 28, 2012.

Comments regarding my blog posts are encouraged and respected. Should any reader elect to utilize all or a portion of this post, attribution is expected and always appreciated. While visiting my blog, readers are encouraged to browse other topics (posts) which may be relevant to their circumstance. And, I always welcome your inquiry at 314-440-3593.

Dyson v Bosch: Insider Threats and Risks…

November 5th, 2012. Published under Insider Theft of IP and Intangible Assets, Insider Threats. 1 Comment.

Michael D. Moberly     November 5, 2012

Just how much importance should an organization’s c-suite and security management team attach to an insider’s (a.) nationality, (b.) motive(s), and (c.) possible conspiratorial and/or state-sponsored components effecting a successful act in which…

…valuable, competitive advantage, and market space delivering information-based (intangible) assets are stolen or misappropriated?

Would it be more useful to devote time, energy, resources, etc., to executing the most effective enterprise-wide policies, practices, and procedures to…

  • identify and sustain control, use, ownership, and monitor the value and materiality of a company’s most valuable and revenue producing (intangible) assets, and
  • ferret out would-be insiders regardless of their nationality or country of origin?

Willie Sutton, the infamous bank robber, according to urban legend, responded when asked, ‘why do you rob banks’ in very straightforward and simplistic fashion, ‘it’s because, that’s where the money is’!

In a perverse sort of way, and, of course, setting aside classified national security assets, Sutton’s view and mine are similar in this context; U.S.-based intangible (intellectual property) assets are frequently, if not wholly targeted because, globally speaking, this is where large percentages of such assets originate and are developed.

So, why should it come as any particular surprise that U.S.-based intangibles are targeted by insiders, trusted or otherwise, of various nationalities? Generally, the suspects (by nationality) are demonized in the media and other sources, when in fact, it’s virtually certain the victim organizations – companies will seek new/additional trading opportunities or business transactions with those countries (nationalities) tomorrow and for the foreseeable future.

In all the research I have conducted and continue to conduct, and the experiences I have had in various aspects of economic/industrial espionage and addressing insider threats and risks, I am familiar with very few companies which have elected to withdraw their business associations with a country and/or its government following a theft and/or misappropriation of proprietary intangible assets. That’s not to suggest victim companies overlook or dismiss such events. Rather it is to suggest lucrative business opportunities associated with numerous countries in which insiders frequently originate can be discounted literally and figuratively.

One example, among countless others, bears this out quite nicely. Several years ago, a U.S. based computer manufacturer established three new assembly sites in Asia. Before the sites became operational a senior executive projected her company would lose in excess of $125 million in ‘IP’ during the relatively short life cycle of these particular assembly plants.

There is, to be sure, more ‘ink and talking heads’ focusing on the China link, as being the primary initiator, collector, and beneficiary of stolen and misappropriated IP.

What is disconcerting about this in my view, are the increasingly sophisticated technologies used by an ever expanding range of state sponsored and independent brokers that, in many respects, render the term ‘insider’, as it is conventionally applied, outmoded, if not obsolete.  That is, (human) presence is simply no longer an absolute requisite to the range of illegal acts which insiders can successfully engage.

However, would a company that reports being victimized by an insider, e.g., Dyson v Bosch, in which, it so happens, the alleged perpetrator is of Chinese origin, have done anything differently in terms of how they designed and implemented their insider threat mitigation practices, policies, and procedures?

In today’s increasingly interconnected global business transaction environment, there is a high level of universality in the economic fact that 65+% of most companies’ value, sources of revenue, and ‘building blocks’ for growth, sustainability, profitability, market space, and competitive advantages lie in – evolve directly from a range of intangible assets.

Companies may have far greater success in mitigating insider threats and risks when such acts/behaviors are characterized in particular relationship contexts, i.e., vendors, trusted personnel, or more specifically, relationship, structural, and intellectual capital.

But, a question remains, for me at least, can insider threats – risks be more effectively mitigated if they focus on an employee’s nationality and that nationality’s propensity, receptivity, and/or proclivity to be part of, or engage in insider acts in a state sponsored context?  And, if one believes it can, would the product of the overall insider threat/risk mitigation initiatives, i.e., implementation of policies, procedures, and practices really look any different?

More specifically, is there a need to design/execute insider threat – risk mitigation practices differently if the target company assumes the threat evolves primarily, if not solely from state-sponsored sources, independent (legacy free) brokers, or disgruntled employees?  The answer to this question, in my view, is a prudent and somewhat cautious yes!

The business reality I have come to know is that very few companies are eager or willing to jeopardize relationships with several billion potential consumers and those countries’ rapidly rising middle classes, based solely on the inevitability they will lose certain amounts of their valuable intangible – intellectual property assets.

Of course, I am certainly not implying that companies should be less prudent in designing and executing any market entry planning and/or business transaction with firms in other countries.

But, readers please recognize, it’s not solely a company’s IP which a large percentage of insiders are seeking, i.e., patents, copyrights, trademarks; rather, it’s the intellectual and structural capital, the knowhow, and the processes and procedures necessary to achieve economic and competitive advantage. I’m quite confident those who disagree will be constantly engaged in uphill skirmishes in which periodically a war or two may be won, but seldom, if ever, will the persistent and asymmetric (insider threat-risk) battles be won!


Insiders and Moles: Stealing Company Secrets…

November 1st, 2012. Published under Insider Theft of IP and Intangible Assets, Insider Threats. No Comments.

Michael D. Moberly   November 1, 2012

As reported by the AP last week, Dyson, a large UK-based firm, known most for its bag-less and ball mounted home vacuum cleaners, filed legal proceedings against Bosch, a German competitor.

The legal action accused Bosch of having illegally obtained Dyson secrets, i.e., ‘digital motor technology’ through the efforts of an ‘insider’ working in Dyson’s R&D unit for perhaps as long as two years, according to the AP report.

A Dyson spokesperson characterized this insider as a ‘rogue engineer or mole’. On behalf of myself and numerous highly experienced (insider threat) colleagues, I’m confident we would all be hard pressed to suggest the term ‘rogue’ is an appropriate descriptor for such acts and/or behaviors. For us, ‘rogue’ implies a single or otherwise one-off experience, whereas we, based on sound research and personal experience, are inclined to characterize insider threats, of which there is no shortage, as being persistent, globally asymmetric, generally sophisticated technologically and personally, and embedded with numerous tangible – intangible (personal) motivators for doing what they do.

Interestingly, the AP reported, Dyson had confronted Bosch with evidence of the wrongdoing but Bosch…

  • refused to return the alleged misappropriated (digital motor) technology, i.e., intellectual property, and
  • failed to promise it would not use the acquired know how or technology for its benefit, even though reports indicated Bosch had already benefitted.

These adverse responses from Bosch obviously left Dyson’s legal representatives – advisors with few reputation saving options, other than to take the legal action it did.

Is the term ‘mole’ an appropriate descriptor of insider threat today? To be sure it is! In the court filings, Dyson also alleged that Bosch paid this individual (aka the mole) through a separate (unincorporated) business that apparently had been created precisely for such purposes, which is, presumably, to exploit – execute insider risks and threats, and of which, it is further alleged, certain senior Bosch management were well aware.

Bosch disputed, or at least tried to mitigate, some of the allegations, pointing out that Dyson had employed this individual, i.e., the mole, with a preexisting consultancy agreement with Bosch Lawn and Garden Ltd. in relation to garden products, and not vacuum cleaners or hand dryers. Bosch also expressed regret that Dyson had elected to pursue legal action in this matter, saying it has been trying to establish what happened and what, if any, confidential information was supposedly passed and/or actually received.

Should Dyson’s allegations eventually be established (proven), it would be no great surprise to see some manner of economic settlement in advance of a trial.

Before finishing though, I hold a somewhat different view about what Dyson’s competitor was likely (actually) targeting in this instance, and it should not be simply described as intellectual property!

As stated numerous times in this blog, I have worked, studied, and conducted much research on intangible assets relative to economic/industrial espionage in many different circumstances over the past 25+ years.  A deep understanding (business appreciation) of global economic – competitive advantage adversaries, suggests any insider threat – risk equation should absolutely include an adversary’s ability to understand and/or replicate the intangible assets they frequently target and successfully acquire, i.e., the intellectual and structural capital and know how that’s embedded in any alleged misappropriated or stolen intellectual property.

After all, it is an economic fact – business reality that intangible assets today comprise 65+% of most companies’ value, sources of revenue, and building blocks for growth, sustainability, and profitability. It seems quite correct then to state with much conviction that the intangible assets which are absolutely essential to achieving competitive advantages, building product/service quality, creating efficiencies, and achieving market position are what’s being targeted, not merely IP, other than, of course, trade secrets.

There’s no question, companies – competitors engaged in using stolen intangibles, do so because they have, in most instances, an equally strong desire to compete globally and in the same market space as the rightful holder, owner, and/or developer of the valuable and competitive advantage driving intangible assets being targeted.

Know how (intellectual capital) can, to be sure, be classified as proprietary information or trade secrets (providing the holder consistently executes and meets the six requisites of trade secrecy). Either way, I can confidently report that companies would be well served if they identified and safeguarded the contributory value of the intangible assets that underlie all of their IP, because that’s what the adversaries need, want, and seek most!

So, to effectively mitigate insider risks-threats, the contributory value of intangible assets companies produce, should become a routinely visited, if not a permanent fixture on every company’s c-suite agenda!


Prosecuting Intangible Asset Losses…

October 18th, 2012. Published under Insider Theft of IP and Intangible Assets, Intangible asset strategy, Intangible asset training for management teams. No Comments.

Michael D. Moberly    October 18, 2012

This post represents an issue every CSO, CIPO, CISO, CTO, CRO, and corporate legal counsel should, if they haven’t already, fully consider. Having taught in a university criminology department for 20 years, it’s less than rocket science to know that theft – stealing of property has conventionally been taught (interpreted) to involve some manner of misappropriation of ‘things’, i.e., real, tangible, physical property.

However, an intriguing question was posed by Stuart Green, a Rutgers law professor, in a NYT (March 28, 2012) piece, one which many of us have thought about. Basically, he asks, at least in my interpretation, whether the terms theft and/or stealing fit today’s circumstances, particularly when the assets stolen or misappropriated are likely to be intangible, i.e., non-physical in nature?

Respectfully, I presume some readers of this blog and certainly my colleagues in the security – asset protection profession, find such a question unnecessary or perhaps worse, opening an unwanted and ill-timed ‘can of legal worms’.

For most prosecutors, and obviously the music and movie industries, it’s quite easy to assume they prefer, and are quite willing to devote the necessary resources to ensure the relevant institutions continue to apply the terms theft, stealing, and misappropriation using conventional and time-honored language that essentially does not distinguish tangible from intangible assets.

Conventionally (and intuitively) speaking, an act of stealing and/or theft has traditionally been interpreted as occurring when either an individual or entity acquires (takes) property belonging to another, without their permission, with the intent to permanently deprive the rightful owner of said property. Or, what Green and others characterize as a ‘zero sum game’, that is, one party loses an asset (property) rightfully belonging to them, while another party gains that asset or property.

However, in the current knowledge – intangible asset-based global (transaction) economy in which, conservatively speaking, 65+% of most companies’ value, sources of revenue, ‘building blocks’ for future growth, sustainability, and profitability lie in – evolve directly from intangible assets, it does beg the legal question: are those conventional, time-honored definitions about theft – stealing relevant to intangible (non-physical) assets?

To add complexity, but perhaps reality, to this position, and again in the context of the permanence of the knowledge – intangible asset based business economy, Professor Green suggests that when particular types/categories of intangibles are stolen, the rightful owner is likely to retain some or perhaps even complete use of those assets, albeit perhaps in a depreciated and/or undermined form insofar as reduced value and sources of revenue. Had those (music, video-based) assets not been illegally downloaded, they presumably could have delivered additional sources of revenue.

The reality is, as readers of this blog know well, we (companies) are producing, acquiring, and inventing significantly fewer tangible things or assets in lieu of assets which are more likely to be intangible and non-physical. So how does this very real circumstance mesh with the conventional perspective of prosecutorial ‘zero sum game’ relative to (asset, property) theft and stealing?

Various courts and legislative bodies have periodically adjusted some of the conventional theft, stealing, misappropriation laws (language) according to Green. Presumably that’s done to try to accommodate an economy and more business and personal possessions that are intangible (non-physical) in nature. Thus, has the time come, as Green posits, for specialized (presumably) legal doctrines to be developed to specifically reflect the (theft, stealing) misappropriation of intangible assets?

In the mid-1960’s, some criminal law reformers became frustrated with how courts and legal practitioners were endeavoring to distinguish tangible and intangible property.  One outcome of this frustration was that the American Law Institute developed a ‘model penal code’ which essentially defined property as constituting ‘anything of value.’  Personally, I remain unconvinced this was the most appropriate way to handle this.  Admittedly however, in 1962, intangible (non-physical) assets were hardly in mainstream business or legal vocabulary.

Presumably then, when-if tangible, intangible, real, or personal property succumbs to theft and/or misappropriation, they would be treated uniformly.

On a relevant note, a trust and estate attorney I met recently was asked about how she intended to address intangible assets her clients had accumulated when she was drafting their respective trusts, wills, or estate documents. This particular attorney expressed virtually no interest, nor seemingly a clue about how to identify, unravel and value, or incorporate intangible assets in a will or trust other than to characterize it merely as an issue for an accountant to untangle. Her stated preference was to consult with an accountant only – primarily for asset valuation purposes and accept whatever the accountant reported. This perspective prompted me to wonder if this attorney was indeed operating in the 21st century. She certainly had not read any of my blog posts!

Today, of course, intangible asset intensive – driven businesses have sprouted globally, brimming full of intellectual, relationship, and structural capital, brand, reputation, and often copyrighted material and patents, each of which play increasingly important economic and competitive advantage roles in profitability, sustainability, and growth potential, and hence should and must be addressed in wills, estates, and trusts.

There is, of course, a range of empirical studies, which, among other things, reveal that a significant moral distinction exists between (illegal) file sharing and theft of presumably tangible – physical property, even when the value of the intangible – tangible property is approximately the same.

So, for me, and my colleagues in the information asset protection and insider threat – risk arena, it seems, the more engaged we become in intangible assets and businesses and transactions that are driven by intangible assets or have them routinely in play, the more complex and broader the dilemma becomes.

Illegal downloading is, of course, a real and persistent problem, that in all likelihood, will not be going away anytime soon.  Individuals work hard to produce creative works and are entitled to enjoy legal protection as well as reaping any economic benefits from their efforts.  If others want to enjoy those creative works, it’s reasonable to make them pay for the privilege.

Continuing to frame illegal downloading as a form of stealing, probably warrants some review by companies.  Companies may better position themselves if they consider a range of legal concepts that fit the nature and elements of the problem more appropriately; first one being, fully understanding intangible assets.

The most effective fix does not lie solely in terminology! Rather, what we collectively come to call a particular type of crime is obviously important, as is coming to grips with the notion that treating different forms of property theft, misappropriation, etc., be it of tangible or intangible property, may seem clumsy for a while but is probably what we should be considering.

This post was inspired and adapted by Michael D. Moberly from a piece authored by Stuart P. Green published in the NYT on March 28, 2012.


Pre-Employment Screening: An Insider’s Propensity – Receptivity Can Change After Date Of Hire

March 27th, 2012. Published under Analysis and commentary, Insider Theft of IP and Intangible Assets, Insider Threats. 1 Comment.

Michael D. Moberly    March 27, 2012

The findings of numerous well researched studies, most notably those produced by DoD’s Personnel Security Research Center (PERSEREC) and Carnegie-Mellon University’s CERT unit, describe significant and persistent challenges (risks, threats) posed by insiders, primarily employees, to companies’ intangible (information, IP) based assets.

The risks ‘insiders’ pose to a company’s intangible assets, i.e., trade secrets, intellectual property, and proprietary know how, reputation, goodwill, etc., are most troubling and challenging to me, because of their persistence, stealthy ingenuity, and non-reaction to conventional (general and/or specific) deterrents. Therefore, companies should not be too celebratory when a single insider is apprehended and the risk/threat they posed is neutralized or mitigated. The reason: it’s highly probable numerous other insiders are already engaged in comparable or more detrimental acts which merely have yet to surface.

Both PERSEREC’s and Carnegie-Mellon’s published research on insider risk/threat matters brings much needed clarity and understanding about who, what, how, and the various influences and circumstances under which information asset compromises and/or losses occur. Most important to me, however, are the insights the research sheds on the proverbial and sometimes not-so-obvious why insiders engage in the illegal acts, i.e., their rationale and/or motives.

The research clearly suggests that (a.) the challenges associated with effectively safeguarding the increasing amounts of valuable proprietary information-based intangible assets, e.g., IP, trade secrets, and know how, etc., and (b.) the losses-compromises attributed to insiders, are on the rise.

However, the insider threat-risk findings revealed by PERSEREC, Carnegie-Mellon, and others, indicate there are three aspects that remain somewhat blurred or perhaps incomplete, i.e., the

  1. precise number of insider executed incidents
  2. actual value of those losses measured in dollars, competitive advantages, reputation, goodwill, etc., and
  3. who the real end user – beneficiary of the information loss and/or compromise is, i.e., a state sponsored entity, an industry/sector competitor, or one of a myriad of legacy free players or brokers.

Some key reasons such revelations are not as clear and/or complete as needed are:

  • evidence of insider executed threats/risks is largely anecdotal and/or company specific
  • victim companies/organizations are occasionally predisposed to assume the culprit is a foreign national, i.e., an economic or national security adversary
  • instructive evidentiary-investigatory elements of an unknown number of incident(s) are classified because the victim – target is a government agency, thus there is no public report of the incident
  • self (public) admission of a successful insider attack can rapidly diminish a victim company’s reputation, goodwill, image, etc., therefore companies seldom find it in their interest to report such events unless mandated by state/federal law.

Every company – organization today should be vigilant about the risks-threats posed by insiders. The actual level of vigilance that’s necessary today largely lies, in my judgment, in the nine attributes of insiders who engage in ‘IT sabotage’ which Carnegie-Mellon researchers identified.   Vigilance should ultimately be operationalized (translated) into effective practices, policies, and procedures to address, mitigate and/or counter the following:

  1. Access – an insider can target a company from behind its primary defensive wall, i.e., perimeter and may not arouse suspicion…
  2. Knowledge, trust, familiarity – of both a company’s IT system and the targeted assets within that system permits insiders to engage in acts of discovery, again, frequently without arousing suspicion…
  3. Privileges – an insider (employee) often can obtain the privileges necessary to conduct their attack…
  4. Skills – insiders can engage in an attack by working within a target’s (company’s existing) domain of expertise…
  5. Risk – insiders tend to be risk averse in preparing for and conducting their attack…
  6. Method – insiders are likely to work alone, but may recruit and/or co-opt a trusted colleague for facilitation and/or enabling purposes…
  7. Tactics – the attack tactics applied by an insider are various and can include  (a.) an attack, hit and run, (b.) attack, and eventually run, (c.) attack until caught, and/or (d.) economic/industrial espionage…
  8. Motivation – an insider may engage in an act for (a.) profit, (b.) getting paid to disrupt the target, (c.) provoke change in a/their company and/or target, (d.) blackmail, (e.) subvert/undermine the mission of the target, (f.) a personal motive, or (g.) revenge…
  9. Predictable Processes – the motivation for an attack by an insider can evolve from (a.) a particular, usually adverse, event, (b.) personal sense of discontent, (c.) being ‘planted’ in a company to conduct an attack at some future time, (d.) adversary identifies a target and mission that meets their (or, another party’s) needs…

These nine attributes still give rise to three important questions:

First – with respect to the nine attributes above, can they be extrapolated – are they applicable to the risks/threats presented by insiders to a company’s information assets, in addition to IT system sabotage?

Second – if so, can these attributes be consistently identified and assessed (legally) using existing pre-employment screening – interviewing techniques?

Third – presumably, while each attribute need not be present in every incident, can each attribute be validly translated (converted) into pre-employment screening processes?

What’s at stake for companies when insider threats – risks materialize are substantial financial losses, civil actions, and diminished reputation, etc. Management teams who remain dismissive about their asset protection fiduciary responsibilities and elect not to put in place safeguards to prevent and/or mitigate insider threats-risks do so at their own peril.

On the other hand, it would again seem useful if CERT’s nine attributes associated with IT sabotage could be validly translated-converted into pre-employment screening practices.  Presumably then, the presence of certain proclivities, propensities, and/or an applicant’s overall receptivity to engage in such adverse acts or policy violations could be revealed in advance.

But perhaps, that’s too much to ask or expect at this point!

While visiting my blog, you are respectfully encouraged to browse other topics/subjects (left column, below photograph). Should you find particular topics of interest or relevant to your circumstance, I would welcome your inquiry at 314-440-3593 or m.moberly@kpstrat.com