Wikileaks and data theft

A colleague of mine, Bill Munroe, is VP Marketing at Verdasys, the first of the agent DLP vendors and the most established of  the independent pure play DLP technology companies. (No. I do not have a business relationship with Verdasys).  Bill has written a paper entitled “Protecting against Wikileaks events and the trusted insider threat” . The paper brings a number of important insights regarding the massive data breach of State Department cables and why Wikileaks is different.

Wikileaks gives a leaker immediate visibility to her/his message. Once Wikileaks publishes the data, it’s  highly visible due to the tremendous conventional media interest in Wikileaks.  I doubt that PFC Manning, if he had a blog somewhere in the long tail of the Internet, would have made such an immediate impact.

Unlike Wikileaks, data theft of intellectual property or credit card data is motivated by the economic gain. In the case of Wikileaks, the motivation is social or political.  With cheap removable storage devices, smart phones, tables, dropbox and wireless network connectivity “employees with personal agendas will be more likely to jeopardize their careers in order to make a passionate statement“.

Network  DLP is a poor security countermeasure against the Wikileaks class of data breach. Network DLP can network-intercept but not analyze obfuscated data (encryption, embedded screenshots, steganography) and is blind to removable media and smart phones. The best technical countermeasure against a leak must be at the point of data use. First described in a 1983 DOD study called “The Trusted Computer System Evaluation Criteria” (TCSEC)  a user end point needs to be “instrumented” in order to identify and intercept content and mitigate threats before they can occur. This requires identification of the trusted user, appropriate content interception and analysis and the ability to tie the results into actionable forensics. Detecting data loss at the end point, is notably Verdasys’s key strength.

However – there are a few  points in the article that need to be addressed:

Insider theft of sensitive data is not new. WikiLeaks is just the latest outlet for the disaffected individual to be amplified in our interconnected world… WikiLeaks is merely the latest enabler of the populist-driven “Robin Hood” syndrome.

I don’t subscribe to the notion that data theft has always been an issue.   20 years ago, we had industrial espionage of trade secrets or national espionage of defense secrets – not the widespread data leaks we see today.  Conditions in 2011 are different then they were in the 80s when my father worked at TRW Defense and Space Systems in Redondo Beach.  Data breaches are driven by motive, means and opportunity – motive: under 30 something people have a sense of entitlement – they have a Blackberry, a nice car, a nice girlfriend, good standard of living, a 250K college education and a sense that they can do whatever they want without paying the price..  means – mobile and removable devices, Web services… opportunity – a leaker is in positions of access. Given the right stimulus (hating Obama,  despising Hilary, liking a bribe from Der Spiegel) they will get to the data, leave their ethics at the door and do the deed. Calling the phenomena “Robin Hood” is too gracious.

Trade secret and IP theft is projected to double again by 2017 with 2008 losses reaching one trillion dollars!

The $1 Trillion number for the financial losses due to IP theft  was mentioned in a McAfee press release (they took  the item off their web site…) and later quoted by President Obama’s in his talk on “aggressively protecting intellectual property”.

Since the 1 trillion number is  the cornerstone of both vendor and political argumentation for protecting IP, the number bears closer scrutiny. We will see that the $1 trillion number is no more than a love for round numbers, not unlike Gordon Browns love for round numbers “Bring 1,000 troops home for Christmas”.

Referring to Bessen and Maurer “Patent  Failure” and other research articles, the empirical data shows a different picture. Global patents held by US firms as of 1999 was $122BN in 1992 dollars.  Even if that number tripled in 20 years that means that the total IP value is 360BN so it’s impossible that 1 Trillion was “lost”.  I will discuss what loss of IP actually means in a moment.

Examining firm level data, we see that worldwide value of patent stocks is only about 1% of market value.   Note that the majority of this value is owned by a small number of large pharmaceutical companies.   Then, we have to net out litigation and IP legal costs from the net patent rents (the above-normal returns) that a company earns from it’s IP.

And to provide a sanity check on how disproportionate the 1 Trillion dollar IP loss number really is, consider that at  GSK (and their numbers are consistent with the other big innovative pharmas) – cost of sales is 26% of expenses, marketing – 31% and R&D 15%.  Now we know 2 things: (a) that the big pharmas account for most of the IP and (b) most of their money is in sales and marketing. If 10 big pharmas with a total of 100BN operating profit had lost a Trillion dollars, they would all be bankrupt by now,  but they are all alive and kicking and selling us everything from Viagra to Remicade.

What does the loss of intellectual property actually mean?  After all, it’s not like losing cash.

In a threat analysis I did for a NASDAQ traded firm with significant IP – I determined together with the CFO and the board that their exposure to IP leakage was about 1% of their market cap – they understood that you cannot “lose” IP – but when it’s leaked it goes to a competitor who may gain a time to market advantage – and that advantage is only temporary.   At another public firm where I did a threat analysis using the same methodology, the CEO and board determined that the exposure to IP theft was negligible since the competitors needed 12-18 months to implement stolen IP and since the firm was operating on a 12 month product release cycle, they were ahead of the competition who were using stolen IP.  In other words – it’s better to innovate than to steal and try to re-implement.  This is particularly true in the software industry where the cost of implementation is far higher than the time and cost to develop the algorithm.

Reading Bill’s article, one would naturally ask, given the magnitude of the problem and the effectiveness of Verdasys technology, why doesn’t every company in the world deploy end point DLP like they deploy a firewall.  I think that the answer lies in the actual magnitude of the financial impact of data leakage.   The State department cables Wikileaks disclosure may or may not have been orchestrated by the Obama administration itself – but arguably, no economic damage and no tangible damage was incurred to the US political image or image of it’s allies.  If  real damage had been done to the US, then Hilary would be keeping Jonathan Pollard company.

I think that Verdasys and other DLP vendors miss one of the key strengths of data loss detection/prevention technology: real time feedback to an organizations users, and the deterrent value.   As Andy Grove once wrote – “a little fear in the workplace is not necessarily a bad thing“.

With increasing consumerization of IT, entitled employees will have even more means at their disposal and even more blurring of business boundaries by sexy personal devices.

What is a company to do?  That leaves us with good management and a corporate culture with employee values of competitiveness that drives value that drives rewards both intangible and tangible for the employee.  If it’s just about the money – then an iPhone is worth a lot more than a $500 bonus but engendering a sense of being involved and influencing the business at all levels – even if it’s just a kind word once a day – will be worth 100 fold that number and go a long way towards mitigating the vulnerability of employee entitlement.

I’d like to conclude with a call to the marketeers at McAfee, Symantec, IBM, Oracle, Websense, Fidelis, Checkpoint and Verdasys. Let’s shift the DLP marketing focus from large federal customers and banks and explain to small to medium sized enterprises how DLP technologies can protect the value of their implementation techniques and intellectual property.

For a 10 man vaccine startup the secret is in the recipe, not in the patents.  For a SME with IP – it’s not the IP licensing value, it’s difference between life and death.  And death trumps money any day of the week.

You can download the paper “Protecting Against WikiLeaks Events and the Insider Threat” on the Verdasys Web site.