Adam Myers:

Hello and welcome to our podcast, Tales from the CyberLab. My name’s Adam Myers, I’m the Sales Director here at CyberLab, and I’ll be your host for today. I’m joined by David Robinson and Fiona Phillips from Marks & Clerk. Welcome.

David Robinson:

Great. Thanks for having us. Really, really excited to be here.

Adam Myers:

So can you just tell us a little bit about your role and what you do on a day-to-day basis?

David Robinson:

Sure. So I’m one of the partners at Marks & Clerk. I’m a patent attorney. I think we’re going to talk about various different bits of IP today. So just to be clear in the front, patents is really my expertise. If we touch on other bits, then it’s outside of my comfort zone. But yeah, so I help people protect their inventions essentially.

Adam Myers:

It’s going to be very interesting when we go down that rabbit hole, which could be good. And Fiona, yourself?

Fiona Phillips:

Yeah, I’m Fiona Phillips:. I recently joined Marks and Clerk as a partner, and I’m setting up a new team advising our clients on AI and cyber security. And I get the benefit of all these amazing IP specialists who are always very humble about their expertise, but absolute geniuses.

Adam Myers:

Amazing. Well, welcome, and I think it’s going to be a great episode. So I guess the first topic that we’ll lead with and first question will be, how does cybersecurity play a role in protecting intellectual property in today’s digital first world? And maybe, David, you could maybe lead this question off and sort of explain a little bit of what that means for people that may be not aware with our audience.

David Robinson:

Sure. So in terms of what intellectual property means, so there are various different things that fall under intellectual property. So as I said at the start, I’m a patent attorney, so I’m concerned with protecting people’s inventions. And actually I mostly protect people’s inventions in software and AI areas. Alongside patents, you have copyright, which protects expression effectively.

So in terms of software, it’s the computer code, but it might also be music, words, text, anything like that that is sort of how you express an idea. Then you have designs, which are mostly about shape and appearance, how something looks, trademarks, which is a designation of origins. It’s kind of your brand. It says that a good is from you or goods or services are from you.

So those are what we might call hard IP. And then soft IP, you also have, and I think it’s really relevant to today’s discussion, you have trade secrets and confidential information.

So breach of confidence is the other area that you can use to protect your intellectual property.

Adam Myers:

Amazing. I think we’ve already learned lots already. So yeah, brilliant. Thank you so much. And then I guess the positioning the question to you, Fiona, what do you think and what are your thoughts?

Fiona Phillips:

So I think if we step back and look at cyber instances, we rarely hear about the ones where IP has been taken. The ones we hear the most about are where someone’s come and taken your data or they’ve encrypted your data. And the reason we don’t hear much about it is if you think about the incentives for people in these types of attacks, the incentives for the company is to keep that quiet.

They’ve lost something really important that they normally keep really secret. And if you think about the person that’s taken it, they don’t want you to know that they’ve taken it. Whereas if I come and steal your data, I want you to know because I want you to pay me to give it back or not release it. If I’ve stolen a really great invention from you, I don’t want you to know.

Adam Myers:

Yeah. So I’ve never really thought of it that way, but you’re actually trying to keep that a secret, I guess, aren’t you? You want us then maybe use that intellectual property to gain an advantage on maybe competitors or, I don’t know, we always think of ransomware as the main one that we allude to. I guess in that instance, there’s a driver to exploit and take money.

But in this instance, I guess you’re working in the shadows a little bit, aren’t you? By you’ve got something that you know is sensitive and you want to maintain that without … Yeah.

Fiona Phillips:

If you’ve taken it, you want to use it. Maybe you are an employee and you’ve taken it and you want to use it at a different company to steal the invention, steal the ideas. Maybe you’re a nation state actor and you want to develop that technology or that AI in a different country, but we hear less about them and they’re much harder to detect as well, because you don’t necessarily know unless you’re looking for it because people aren’t coming and issuing you with a ransom note. You might be able to tell from a competitor’s product that they’ve used something that they’ve taken from it. You might not though, right? Yeah.

So it’s really hard to detect these. And actually there’s some really good research that DSIC commissioned earlier this year, David and I, we’re reading this, by this company called Alma Economics, where they’re trying to work out from very limited data, what’s actually the scale of these types of attacks in the UK? What’s the impact? It’s really hard to work out, right?

Adam Myers:

Yeah. And I guess from another perspective, the difficulty is if maybe you’re a startup, you might not have cyber defences quite like sort of maybe we compare it to huge organisations, but you’ve got a great idea that could be the next big evolution in technology.

And then you’re not able probably to defend yourself in quite the same mechanism as a very large enterprise organisation. So it kind of goes hand in hand a little bit with, you’re not probably thinking of cybersecurity as your main priority when you’re trying to probably invest your money back into the thing that you’re developing in R&D, for example, that could probably make that jump further ahead.

Fiona Phillips:

Well, your IP could be everything when you’re starting that. If you’re an SME, it could be existential if I take your IP and I use it in a different context. So it’s really important that when you’re thinking about cyber and protecting the crown jewels of your company and think about this. The other thing to remember is that sometimes quite often cyber insurance excludes IP loss.

Adam Myers:

Really?

Fiona Phillips:

So have a look at the exclusions and your policies, trips up a lot of people. Lots of different types of IP loss are not covered.

Adam Myers:

I think you covered this. I’m already thinking at Manchester Digital when we did the event, you were one of the speakers there. Can you just explain a little bit about that in terms of the cyber insurance and IP and probably just building on a little bit what Fiona said there?

David Robinson:

I think you know more about the cyber insurance than I do. I’ll hand that over to fee.

Fiona Phillips:

So if you look at most cyber insurance policies, there’s normally quite a broad exclusion relating to the loss of IP and any commercial value that you might lose because you’ve lost your IP. Sometimes you can recover some costs related to an instant that involved the theft of IP, maybe the recovery of business disruption or the recovery of getting data back, but often it’s excluded and you really need to pay attention to that if IP is really crucial to your company.

Adam Myers:

Yeah. Amazing. Thank you. So topic number two, so what are the unique challenges of patenting digital technologies like AI, cybersecurity tools, and cloud platforms? And I think this one’s going to be your topic, David. So can you just lead us off a little bit with what you’re seeing?

David Robinson:

Yeah, sure. So I think a lot of people think that you can’t protect software. There’s lots of confusion around whether or not you can protect software. And I think that’s probably because the law is written in a way that might be a little bit confusing. So the Patents Act in the UK says that you can’t protect certain things, and one of those is a computer programme.

So I can see why people might think you can’t protect computer programmes, but unfortunately that doesn’t mean that you can’t protect any software. You can protect the underlying idea, you just can’t protect. It really is designed to exclude patterns reaching through to what copyright is for, which is for the actual code itself, the expression itself. So you absolutely can patent software, algorithms, AI, cyber technology. My background is software. So I did a PhD in AI, and that’s all I do is protect software and AI and technologies in this area.

So I think maybe just to reinforce the point, you can protect this. So there’s something called the international patent classification system. And there are two international patent classification codes that I managed to find that are squarely related to cybersecurity. So one is about protecting the data as it’s in transits and the other is about protecting the systems.

And they really are in terms of really very specifically to cyber. So you can definitely protect these kinds of things. In terms of the other things, so there’s kind of a gateway to, is it the kind of thing that you can protect? And it is harder to pay at software than other areas because you have this kind of gateway. I guess my key takeaway is think about whether or not you should protect it. It’s obviously a fast moving area. I think there needs to always be a really commercial decision about whether you apply for a patent.

It’s expensive to get, it’s high cost, but in terms of the value, the only thing that can stop you, that you can stop someone else doing what you’re doing. And in software, really once you release some software into the world, quite often, not always, but quite often, you really give that idea to the work. People can see what the software does and a patent allows you to stop it.

Adam Myers:

And are you seeing, I guess, the rise of AI? We’re always going to go down that sort of topic, but are you seeing a rise in the number that you’re seeing in terms of how active that’s now becoming because of, I guess it’s easy to scale and find ideas. And where maybe 10 years ago that was maybe people could do it, but it was a difficult technology to adopt and they had a certain skill. But with AI, I guess a lot of the heavy lifting might be done. Are you seeing a rise in since the sort of … I’ve lost three, four years.

David Robinson:

Yeah. So we put out an annual report on AI patents, and we’ve actually just predicted our latest one. It’s based on actual analysis of patent filings and applications, and goes into quite a lot of detail. And that has shown absolutely extraordinary, particularly in AI, an extraordinary rise on the number of filings, just a genuinely exponential increase in the number of applications into being filed in that area. Yeah,

Adam Myers:

Because I guess a lot of people are probably thinking, I’ve got this great idea and they can now probably bring it to life a lot easier and startups and whatnot. Yeah. All businesses are evolving. They don’t want to get left behind. So they’re thinking and they’re innovating and maybe that’s where AI is helping us become more creative potentially, I think. But protecting that is probably the first step, isn’t it? That idea can quickly, like you said, if it’s published, people are going to replicate and steal your idea.

David Robinson:

Yeah. The report that Fee referred to earlier had an interesting bit of data in it. It said something like, I think it was 55% increase in sales for having a piece of intellectual. It’s not patterned specifically, but a piece of intellectual property, it’s 55% increase in your sales compared to those that don’t. So I think in terms of driving forward a business, particularly a small business, I think software is an area where if you’re small and have a great idea, big companies more than perhaps other areas really can just come and do that. So I think thinking about your IP strategy and patents as a part of that strategy is a really important thing to do.

Adam Myers:

Yeah. And I think just for the audience, I would imagine that a lot of people are listening to this, probably thinking, I’ve got an idea, maybe where do I start? And is it as simple as maybe reaching out to you and the team just to sort of start that conversation and maybe some consultancy around what they should do and how to protect that IP?

David Robinson:

Yeah, absolutely. Just initial conversation, like I said before, I don’t see my job as telling people to get to patent or telling them how to get to patent even. It’s telling them what their strategy should be around protecting their business. And that might be patents. It might be copyrighted, it might be trade secrets. And there’s a whole bunch of things that you can use to protect your business.

So yeah, absolutely. An initial conversation, I think a lot of companies don’t have that conversation and I find it so frustrating. You can do it for free, you can do it at very, very low cost just to get an idea of what you should be doing, whether you should be doing something. We’re involved in networks where we offer as a free service. The take up is so low, even when it’s there as a free service, I think that first conversation is a really important thing to do.

Adam Myers:

Perfect. Yeah. Reach out, but there definitely seems like there’s some great work that you’re doing with other customers that others our listeners can maybe learn from. So yeah, thank you very much. So I guess topic number three, I think just developing on the previous answer, I guess, how is IP law relevant in a cyber incident or a cyber attack? So maybe Dave lead us off and then we’ll come over to you, Fiona.

David Robinson:

I guess I talked about patents, that’s my expertise. So the interesting thing about a patent application is that part of the deal of getting a patent is that you give that information to the world. So to my mind, cyber and intellectual property is all about worrying about what you’ve given to the world. Yes. If you filed a patent application, you’ve already given it to the world, so you care a lot less. So actually having a patent application filed gives you quite a lot of comfort, I think, around a cyber incident.

You’ve got protection. You can prevent somebody doing what’s protected by that patent. And so if somebody else starts doing it, well, you can still stop them. It doesn’t matter if they’ve got the idea. In fact, you’ve already given everybody the

Adam Myers:

Idea.

David Robinson:

Trade secrets I think is kind of quite … The bit that is perhaps worrying and the bit that might give companies the most concern around intellectual property. So if they wanted to keep it secret and suddenly it’s not a secret. So that’s a really difficult area. There are a few things you can do. I mean, one thing you can do is you can file path the application.

Normally, if something is in the public domain, then you can’t file a patent application for it. But there are certain ways in which if something is taken unlawfully from you, then you can. So in the UK, you get a six-month grace period for anything that’s taken as a breach of confidence, which a cyber incident would be a breach of confidence. In the US, there’s a grace period in general, it doesn’t have to be in virtue of confidence.

You still have a 12-month period where you can get protection in the US market, which often, particularly in the software area, it’s a core market. It’s the

Adam Myers:

Most important market for you. And I guess at that moment in time when you’ve, I don’t know, been breached or been hit with a ransomware note, you’ve got your instant response plan, I guess. Fiona, your take on what businesses should do at that moment in time with protecting that IP. I

Fiona Phillips:

Think IP is often forgotten when people are doing instant response because we’re very focused often on data

And our mind’s a bit more focused because we’ve got reporting obligations of personal data that’s involved, et cetera. But I think it’s often forgotten and people need to look at their instant response plan and say, okay, I’ve already done this IP strategy.

I know where my IP and knowledge assets are. I know what the really important things are. Maybe it’s already been patent, it’s already out there. Maybe I’m developing a patent and I don’t want people to know that information. Maybe I’ve got trade secrets. Maybe I’ve got other things I want to protect. And then when you’re in an instance saying, has any of that been affected?

Adam Myers:

Yes.

Fiona Phillips:

So building in IP as a consideration into your instant response and then seeing what remedies might be available to you working with an IP lawyer to say, how might I protect myself? And that might be against the person who’s taken it or it might be against the third party who’s trying to then buy that information or use that explanation.

And I think a really big risk we find in this area is the increase in disgruntled employees or employees going to another company where they want to take that IP. And the NCSC has done a really good set of resources with the NPSA, so many acronyms in this space, which is really focused on the research and development sectors and how they might be particularly vulnerable to cyber attacks targeted at taking IP.

But they also talk about this insider risk, this disgruntled employee who might be disappearing off somewhere, downloads all the IP onto a memory card. Could you track that? Have you got systems in place to stop that? And then when it goes, what are you going to do about it? So don’t forget IP I think and get someone like David involved to help you work out what your remedies could be to stop it being used, to stop the value of your company diminishing because someone else has got your ideas and inventions.

Adam Myers:

Yeah. And I think it goes back to insider threat risk, which is what we do. So if anyone’s listening, that’s kind of where we step in there. So risk profiling people that are doing suspicious activities in the middle of the night, suddenly this IP is a folder or whatever it can be is being accessed and we’re suddenly going, hang on a sec, we’re drawing data and we’re seeing that. How do we track that and how can we demonstrate from a forensic perspective that this has been stamped and we’ve seen this and we can track it and where it’s going? I think from that perspective, it’s very important.

Fiona Phillips:

And that IP map is so important, Okay, they’ve accessed this system, I’ve actually got trade secrets and I’ve got controls around who access this trade secret, really important to know that in an attack.

David Robinson:

Yeah. So the trade secrets, one of the things that you need to do for something to be a trade secret is have taken reasonable steps to keep it a secret.

Adam Myers:

Yes.

David Robinson:

So all of the things you just described, those are the kinds of things that are absolutely going to help you in demonstrating that actually this is a secret. You did take reasonable steps to keep it a secret to prevent … It might be preventing access in general, but if quite often that’s just not feasible, people need to know the things that your business does.

So if you’ve taken steps to prevent it stopping being a secret, then those kinds of things can really help you to demonstrate that actually this is a trade secret. And as Fi said, you can then use that to reach through, not just to get the person to prevent or take action against the person that took things, but to then reach through to companies that might want to use that information. You can prevent them. You can get something called an injunction, which means they have to stop using that information.

And you can also get damages for anything that they’ve done with it. So you kind of get monetary remedies for misuse of that trade secrets.

Adam Myers:

Amazing. Yeah. And I guess where I can see this heading a little bit, if someone gets kind of wind, probably thinking more like nation state attacks where they know you are building something or it’s potentially, I don’t know, for defence, it could be anything that you’re building something that is a big step in technology. I guess your business becomes a target list for those nation states that are probably wanting to understand what you’re building and developing.

We kind of sit in education a lot with what we’re teaching in certain programmes. I guess that’s where you will become a high risk sort of organisation from what you’re building and developing. And that’s where we’ve got to really step up the game to protect that information across …

Fiona Phillips:

Which I think is what that tie up between FC and MPSA is focused on. It’s that kind of the espionage, but also economic value for the UK economy. If we’re developing things that we might be able to get a patent from them and monetize those, we need to protect that part of the economy.

Adam Myers:

100%. Yeah. Amazing. Thank you. So topic number four, what are the IP and cybersecurity risk associated with using open source code in commercial products? Things might be you, David.

David Robinson:

Yeah. So I think opens, I should say this is a bit outside of my expertise as a firm, we’re a big firm and we have experts in different areas, but I hopefully have some things I can say about this. So open source licencing, I think one of the key things to think about with open source licencing is which open source licence. There is not one open source licence. There are, I don’t know, 50, 100, there are very, very many of them and they all put different requirements on you to do different things. And I think my key takeaway on open source is think about what that licence is and think about what it requires you to do. I think some of them can force you to effectively make open source whatever you generate and that might be okay for you, but there are open source licences which allow you to actually have pattern protection, keep the developments to yourself and many, many different shades in between.

So I think thinking about what those requirements are is really the key thing around open source. And one thing that I thought was maybe interesting on open source licencing when we’re thinking about cyber in particular is some of the open source software licences require you to declare that you’ve used open source software and actually potentially to declare what open source software you’ve used, which which modules you’ve used. And I think that potentially introduces a real risk.

Cyber attacks are about vulnerabilities, and if there’s open source software and there’s vulnerabilities identified in it, I think open source software, it’s not a commercial product. You need to think about whether or not those vulnerabilities are being developed and kept on top of, protected against.

But if you find yourself in a position where you’ve got some open source software, it’s got a vulnerability in it, you’re declaring that you’re using that open source software, I think you’re basically putting a big sign on your product saying, “Attack me here, and actually you know exactly how to attack it. ” So I think with all of these things, thinking about it is the key. Don’t just do it without thinking, but I think there are some risks around open source that need to be considered.

Adam Myers:

And I guess it’s more like secure by design as well, is really as how you build out that product or that solution and what you’re using. I guess vulnerability management on top of that is something that we do a lot of from a cybersecurity perspective. And what are you doing to protect that? So I don’t know, Fiona, if you got anything to add from your perspective, what you would … Any tips maybe for the audience?

Fiona Phillips:

Yeah, I don’t know. I mean, open source for cyber, it’s kind of both sides of the coin, isn’t it? In one sense, it’s great because if it’s open source code, there’s more people that can look for vulnerabilities as you know. But on the other hand, it can introduce more risk and certainly the core depositories of open source. If you can insert something in there and use that as an entry point to lots of companies, that can be dangerous. But what I’ll be thinking about in a cyber event is what have they taken? Is it data? And then are there other things like code that they might’ve taken that David and his team might be able to help me have some remedies against? And what is it that you’ve actually lost?

Adam Myers:

Yeah. Yeah. I guess we’re going back to like zero day attacks and whatnot and those vulnerabilities that might shine a light and something you’re not aware and there’s a lot there to consider from a cyber perspective. So yeah, really good answer. Thank you very much. So our final topic that we’re going to discuss today is how can organisations build an IP strategy that’s resilient to cyber threats from the start? So Fiona, maybe over to you.

Fiona Phillips:

Sure. I think important you have to have an IP strategy, first of all, and come and speak to someone like David so that you’ve mapped out your IP assets and you know what they are because that’s a first building block that many people just haven’t done. So knowing what IP you’ve got, and then as you plan and you prepare and you practise cyber resilience, so you’re doing your tabletops or you’ve got your playbooks, make sure they include IP questions and IP steps so that you’re not just thinking about data or business disruption, that you are thinking about IP as well.

And I don’t see that many companies when they do their tabletops using a theft of IP scenario, do that once in a while, see what that looks like for you, see what the risk could be for you, and think about how you’re going to quantify that risk and protect against that risk.

Adam Myers:

Yeah. So I think it’s more adding that into … My takeaway from probably this podcast is adding that into your response planning really, because it sounds like a lot of organisations are not doing that. We do look at data and breaches and what to do or ransomware or activism. We’ve probably got a playbook on how to respond, but really coming back to what you said, it’s maybe a lot of businesses not testing or looking at that.

Fiona Phillips:

Because they’re rarer and that natural people are focusing on the more common attacks. But if IP is really central to your business and you’re not thinking about what that would mean for you if you lost it, that you’re not prepared.

Adam Myers:

Yeah. So I guess, David, the question posed to you, what can maybe businesses do to protect their IP in that instance?

David Robinson:

So for your core ideas, if you can have a patent application or a granted patent, then you’re not really going to be worrying about that in a cyber incident. It’s okay. It’s protected. You can stop your competitors doing that thing. So I think at least considering patents as part of your cybersecurity approach as part of your IP approach as well.

In terms of other things you can do, I think confidential information, trade secrets, they’re the things you’re probably going to be worrying about in a cyber incident, the things that you wanted to keep secret, and now maybe they’re not secret. Going back to fees. And so I think understanding what they are allows you to think about what you do now, but there are steps that you can take to make sure that you’re in the best position you can be so that you can actually demonstrate that it is a trade secret, and then you can think about what actions you can take later to things like making sure your employment contracts have confidentiality clauses in them that they talk about what confidential information is. Thinking about having a policy around trade secrets, making sure you are taking effective steps to keep things secret. Effective steps doesn’t mean making sure you don’t have a cyber attack because that’s something that’s really, really difficult to make sure you don’t do.

But if what it turns out your trade secrets are is things that are pinned up on a board in a room that anybody can access, you’re going to have a really hard time showing that they are trade secrets and actually they should be treated by the quarters trade secrets. So I think work out what they are, make sure you put in appropriate layers and your most important trade secrets, maybe you should have additional layers like with limited access, additional security, encryption, and you’re not going to keep everything you want to keep secret. A business is going to struggle as in at the tightest level of lockdown.

A business can struggle to operate in many instances if you do that. So I thinking about where the key assets are, where the key secrets are, making sure that they’re protected. And then you can be a bit more relaxed about the things that you’re maybe slightly less worried about, having different layers of protection around that.

Adam Myers:

Amazing. Yeah. So it sounds, from my perspective there, just as this is new to me, so I’m learning on the fly, but it’s almost a bit like the way we look at data classification in cybersecurity. I guess from your perspective, it’s the IP classification and being able to demonstrate that if it is taken, that you’ve taken steps as a preventative measure to stop when it goes to court or whatever it is that you can demonstrate that back to say, we took this measure in the first instance, which I think a lot of businesses probably just don’t consider that. I think as that early phase, maybe that’s probably for me what the takeaway is there from some of these things.

Fiona Phillips:

And remember that often if they’ve taken data, it might also be that they’ve taken IP. It’s not one or the other. It might be that you’ve got to consider both remedies. And the other thing I would say is always think about when you are in an incident where this has happened, whether you should be talking to law enforcement, whether you should be talking to the intelligence agencies because it could be a nation state actor and they may be able to help you.

David Robinson:

Yeah, perfect. One thing may be worth just commenting on is copyright because I think I’m not an expert in copyright by any stretch, but copyright is a right to prevent people from copying. If somebody takes your code, then if they reuse that code, then copyright will be something that you can use.

However, what copyright really doesn’t prevent anyone doing is taking your code and then understanding what your code does and then writing their own code. So long as you take certain measures along that path. So I guess one thing I would say is if you’re thinking about copywright as your layer of protection, then I would probably also think about that as a trade secret because trade secrets is going to be a powerful way you can kind of protect that alongside copyright.

Adam Myers:

Amazing. Great tip. So I guess just to wrap up this podcast, I think it’s been a fantastic episode, so thank you much for joining us. If there’s one key takeaway to summarise this podcast that you could give and share with our audience, what would that be? And maybe Fiona, you can give your tip and takeaway.

Fiona Phillips:

Just when you’re planning and prepping for cyber instances in your tabletops or in your playbooks, don’t forget IP.

David Robinson:

I mean, it’s difficult to say anything other than that as a takeaway, is it? I think about IP as part of your strategy. That has to be our takeaway from this. I think it does get ignored. You can see that from the insurance policies. I think companies aren’t really thinking about it.

So having thought about it, you might decide that you don’t need to do anything different, but think about it first. Make that an active, positive decision, not just something that happens to your business and your intellectual property.

Adam Myers:

Perfect. What a conclusion. So that does conclude this episode of Tales from the Cyber Lab. Join us next time for a brand new episode. Until then, stay secure.