Joe Blow no match for trained ex-intelligence officers
David Drab is a former FBI investigative agent who now works as
a principal in Xerox Global Services. He is presenting at RSA 2007
in San Francisco this week on trade secrets. He spoke to Brian McKenna
about why trade secrets are the "orphan child of intellectual
property protection".
Why is Xerox a security player?
The company builds quality multi-functional devices which
are no different to any other node on the network. Security across
the board is necessary in that context. And so the management of
those devices becomes very important.
The context is a convergence between digital and paper. We have
properly understood processes around the latter.
You're speaking specifically about trade secrets at this
conference. Why?
Trade secrets are the orphans of intellectual property
management. We had a reminder in December 2006 of the importance
of trade secrets when two Silicon Valley engineers were found with
suitcases full of documents pertaining to four hi-tech companies.
For the industrial age patenting was fine; in the information age,
trade secrets will be the future. And so we need a more granular
approach to the management of them. At present they are informally
managed. When an idea is conceived -- a design for a possible new
product, say -- the information is unstructured. You need to inventory
trade secrets and categorize them.
The problem in this area lies in the failure to communicate to
the employee what a trade secret is. We now have a generation of
super users who have no concept of larceny! They think if you can
access something on a computer then it is fair game.
The general context is that we worship the numbers, and people
who are ambitious climbers will be opportunistic. We have a global
environment where competition is so great that you get a haemorrhaging
of information.
We just have no idea of what the impact can be of having corporate
climbers with access to the bloodline of organizations in a context
in which technology is changing behaviour.
There is a lot of talk in the industry now about data leakage
protection. But, essentially, you are saying "take a step back"
and classify what data you can afford to leak and what you can't?
In a sense, yes. If we come up with a design for something then
that something will become a document in a workflow, it will perhaps
be considered for a patent, it might get licensed, and even if it
becomes obsolete it will still have value to a competitor. The lifecycle
of the trade secret becomes critical, and it must be managed.
Are you leveraging your FBI background in accenting this
the way you are doing? And, if so, how?
Yes. I was very focused on organized crime as an agent. And towards
the end of my 27-year career I travelled a great deal as part of
counter-terrorism activities. I was familiar with former Soviet
bloc intelligence officers. And I came back to the US convinced
of the need for more information protection. Ideas are so crucial
now.
And I am drawing on my experience of investigating economic espionage.
For example, I led the investigation into the theft of Alzheimer's
disease research, resulting in the first indictment under the Economic
Espionage Act of 1996.
Okay, but today's cyber-crime, while organized, is surely
not organized crime of the sort you used to investigate?
It's like this. In the US we had a process of denial of
existence of a national conspiracy for many decades. The FBI denied
the existence of the Mafia until Joe Valachi in 1963. Over time
we got the tools for the mob -- wire taps, witness protection, and
so on -- and we got proactive. We penetrated the Mafia and got the
top bosses, not just the small fish. We brought the Mafia under
control.
There is an analogy with information security in the enterprise
environment today. Again, we are not recognizing the problem. We
have not comprehended the degree of risk to the enterprise, the
sheer diversity of [cyber criminal] business models, and the nature
of the enemy -- which is virtual and is virtually anywhere.
As for traditional organized crime, they have an inherent nose
for vulnerability. They will be involved in identity theft. They
won't pass up the opportunity to make money.
Moreover, we have trained intelligence officers around the world
for whom the normal corporate employee is simply no match. I've
spoken to defence contractors who have been tricked by insiders.
They let their guard down, they feel comfortable, and the information
goes. They are just no match.