Cybersecurity Innovation and the Patent Landscape
It can be expected that costs associated with cybercrime will rise in the near to medium term and have a material impact on the global economy – while putting individual citizens’ and corporations’ important data at risk by cyber criminals. The White House estimates that in 2016, malicious cyber activity cost the U.S. economy between $57 and $109 billion. Since then, we have seen significant data theft and system intrusions, Yahoo, the NSA and of course Equifax, among many others. According to a Cybersecurity Ventures report issued in late-2017, cybercrime damage is estimated to reach $6 trillion annually by 2021.
Due to the convergence of an escalation in the number of security vulnerabilities, an increase in hacker capabilities and tools as well as new legislation being enacted in the European Union, the estimated costs due to cybercrime may be conservative.
Increase in the Number of Vulnerabilities
According to the Common Vulnerabilities and Exposures database, the number of known security vulnerabilities reached a record level in 2017 of more than 14,700. In 2018, the number climbed to more than 16,500 known vulnerabilities. It is clear from this trend that it is becoming an increasingly challenging exercise to harden information technology infrastructure from cyber-attacks.
More Sophisticated Hackers and Tools
As the number of software vulnerabilities increases, hackers are becoming more sophisticated, accessing tools and knowledge that were previously the exclusive domain of nation states. Criminal groups can now easily utilize advanced hacking techniques and tools through the Dark Web. Going forward, Artificial Intelligence (AI) and Machine Learning-powered hacking kits will proliferate, placing dangerous new tools in the hands of everyone from criminal hacker groups to teenagers.
European Union’s General Data Protection Regulation (GDPR)
The GDPR is a law to “protect all E.U. citizens from privacy and data breaches in an increasingly data-driven world.” Not only will the GDPR affect any organization located or doing business in the E.U., it will also impact organizations processing data of EU individuals, regardless of their geographic location. So, its reach is broad and “it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.” The penalties are non-trivial, “organizations in breach of GDPR can be fined up to four percent of annual global turnover or €20 Million (whichever is greater).”
To date, there have been minor fines imposed by the E.U. regarding GDPR violations. Most have been due to how businesses handle, or mishandle, citizens’ data and their consent to collect data. However, it is only a matter of time before a major hacking incident occurs and the information of E.U. citizens is compromised.
Businesses are not sitting still. As the hackers and their tools have become more sophisticated, so too have the cybersecurity teams inside government organizations and corporations. Companies are investing in and utilizing tools that run the gambit from finding and reporting vulnerabilities in software applications and platforms to blocking cyber-attacks in real-time and nearly everything in between.
According to Gartner, worldwide spending on information security products and services were more than $114 billion in 2018, an increase of 12.4 percent from last year. For 2019, Gartner estimates the market will grow 8.7 percent to $124 billion. Additionally, the firm believes that by 2020, more than 60 percent of organizations will have invested in multiple data security tools such as data loss prevention, encryption and data-centric audit and protections tools, up from approximately 35 percent today.
Cybersecurity Ventures estimates that between 2017 and 2021, more than $1 trillion will have been cumulatively spent on cyber security products and services. In order to meet the cybersecurity challenges of tomorrow, information security companies, venture capitalists and governments must invest and rapidly deploy new, innovative systems. A potential impediment is the growth of cybersecurity technology-related intellectual property lawsuits.
Cyber Security Patent Lawsuits on the Rise and the Need for Shared Innovation in Cyber Security
Unlike other areas of the information technology industry, cybersecurity is a relatively young and fast developing segment where a licensing culture has not taken hold. Once dominated by several enterprise and consumer-focused companies, today thousands of cybersecurity software vendors exist, as well as more than 60 open source software security platforms hosted on GitHub. With the industry’s growing market size, many aggressive entrants and an open source software model that is fast becoming the standard way of moving innovation forward, there is a potential for established vendors to look to impair these growth drivers through the use of intellectual property.
The expected growth in the cybersecurity software industry has the potential to be significantly disrupted and its innovation impaired by patent lawsuits. Finjan Holdings Inc., a security technology company turned Non-Practicing Entity (patent troll), has been the most litigious actor in the cybersecurity market. They have successfully sued for awards and licensing fees from Symantec, FireEye and Sophos, among others. They have also brought patent infringement lawsuits against Rapid 7, Check Point Software Technologies and Carbon Black, and continue to pursue software vendors for aggressive licensing deals.
Additionally, there are competitor-based lawsuits. For example, cloud-based cybersecurity company CUPP Computing AS and its American counterpart CUPP Cybersecurity, filed a patent lawsuit against security industry heavyweight Trend Micro.
Open Source – An Irreversible Trend
Cybersecurity open source software (OSS) projects, like all manner of OSS development and usage, is an irreversible trend. Today, open source code is so effective and cost efficient that it is used in more than 90 percent of all commercially available software. In fact, it is impossible to catalog all of the daily touch points the average person has with an open source-powered product, or service. The Linux Foundation estimates more than 31 billion lines of code have been committed to OSS repositories. Open source is a leading technology in smart cars, IoT platforms, block chain technologies and cybersecurity software projects like Kali Linux.
While it has experienced exponential growth, the successful proliferation of open source by banking networks, mobile phone manufacturers, telecom networks, smart cars, cloud computing and block chain platforms, among many others, was not always a foregone conclusion. In 2003, there was an intellectual property (IP) -based attack on Linux, the most prevalent OSS project.
Promoting Patent Non-Aggression in Cybersecurity
While the claims underlying the litigation ultimately were found to be without merit in the court proceeding, it was a wake up call to several IP-savvy companies as to the potential negative impact of patent aggression on the growth of Linux and OSS projects. IBM, Red Hat and SUSE (then Novell) coordinated an effort with Sony, Philips and NEC to conceptualize and implement a solution designed to create a “patent no-fly zone” around the core of Linux. The entity is charged with administering this patent no-fly zone, utilizing a free license to require participant companies to forebear litigation and cross-license patents in the core of Linux and adjacent OSS. In the 12 years since its formation, the organization has grown into the largest patent non-aggression community in history with an excess of 2,900 participant companies that own upwards of three million patents.
In addition to administering the highly successful royalty-free free license, organization has been one of the most active users of the America Invents Act's pre-issuance submission program and through its actions prevented the grant of hundreds of patent applications with overly broad claims that, if issued as submitted, would have threatened Linux technology and products for years to come. This community-based organization also routinely uses its central role as guardian of patent freedom in the open source community to gather critical prior art to neutralize Linux-related litigation and pre-litigation patent assertions.
In some cases, it has taken the extraordinary measure of forward deploying key assets from its defensive patent portfolio of more than 1,300 patents and applications to companies at risk or in litigation for the purpose of allowing these companies to better defend themselves from patent antagonists with often far larger patent portfolios and deeper pockets seeking to slow or stall the progress of Linux.
Going forward, the cybersecurity industry has the potential to be a significant driver of innovation and protection for the global economy. The community-organization has and will continue to include core open source technology in the Linux System and is thereby insulating its community licensees from patent risk in this area. As the threat landscape morphs and new threats arise from the ranks of operating companies and patent assertion entities, the community will remain vigilant in acting to ensure fewer poor quality patents are issued, poor quality already granted patents are invalidated and the community of companies pledging patent non-aggression in the core of Linux and adjacent open source technology grows.
In order for the creativity and inventive capacities of the hundreds of thousands of people developing around cybersecurity to be realized, it is vital that patent non-aggression in the core is safeguarded. Companies and individuals seeking to support patent non-aggression in cybersecurity software should participate as members of its community by becoming signatories of its free license and, in so doing, commit to the onward sustainability of the collaborative model of innovation that is central to open source.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.