A Technical Approach to Mitigating Supply Chain IP Theft

By Steve Snyder

When most people think about cybersecurity, they think of breaches of consumer personal information. And who can blame anyone for that? Just look at the headlines for the latest breach of a major hotel chain and FIVE HUNDRED MILLION customer accounts. But one aspect of cybersecurity that is arguably more important than breaches of consumer information is theft of trade secrets. You may have heard the statement from then-FBI Director Robert Mueller that there are only two types of companies, “those that have been hacked and those that will be.” What you may not realize is that his oft-quoted statement was made in the context of imploring businesses to report security breaches that involved trade secrets. Director Mueller had to make that plea because there were no requirements for businesses to report security breaches if they did not implicate certain information, such as consumer financial information or protected health information. This kept theft of trade secrets out of the public eye and in many cases unknown to anyone but the victim.

Protecting the United States’ trade secrets is one of the hot topics in the current trade negotiations with China, which stem from a trade war initiated in part because a U.S. investigation found that “Chinese theft of American IP currently costs between $225 billion and $600 billion annually.” On December 1, 2018, the White House issued a statement that “intellectual property protection,” along with “cyber intrusions and cyber theft,” were among the key issues to be negotiated. This IP theft is as rampant as it is complex because it can occur in a number of ways. It is not limited to the type of external hacking Mueller was referencing. It can also be the work of a malicious insider, as there have been several cases of workers selling or attempting to sell trade secrets to the Chinese. But perhaps the most vexing problem is the theft of trade secrets in the supply chain. Companies in the U.S. often rely on Chinese suppliers to fabricate critical components, which necessarily requires disclosing IP. Contractual measures such as non-disclosure agreements may offer very little, if any, protection for a U.S. company in overseas transactions. This is a particularly acute problem for companies with IP in integrated circuits. These chips are invariably being fabricated, tested, and often incorporated into products abroad, exposing their IP to be pilfered at several points along the way.

While companies try to protect their networks and guard against insider threats at home, what can be done about supply chain IP theft? Perhaps innovation in technology itself is the answer. Researchers from NYU have developed a technique for integrated circuits called “dynamic camouflaging.” It uses magneto-electric spin-orbit (MESO) devices that have properties of polymorphism and post-fabrication reconfigurability to camouflage the IC configuration during fabrication and testing. In addition, the devices have run-time polymorphism, which even allows obfuscation after fabrication. According to the authors, this protects against a malevolent employee in the foundry with access to the design, including material and layout parameters; one in the test facility with access to the test patterns and corresponding responses; and a malicious end user with the know-how to reverse engineer a chip with analytical attacks.

A figure from the paper entitled “Opening the Doors to Dynamic Camouflaging: Harnessing the Power of Polymorphic Devices”, by Rangarajan et al., dated November 14, 2018, shows logically how the MESO devices work to disguise the true configuration of the chip from both the foundry that fabricates it and the test facility that tests it.

Whether this particular solution is ultimately practical and effective remains to be seen.  Nevertheless, it underscores the supply chain IP theft problem, and suggests that legal IP practitioners should recognize that mitigation solutions may come from outside of the traditional legal and business realm.

Steve Snyder is a registered Patent Attorney with the USPTO and has a state specialization in Privacy and Data Security. He practices at Bradley Arant Boult Cummings, LLP; see https://www.bradley.com/people/s/snyder-steven-t and/or www.linkedin.com/in/steventsnyder