Why is it essential to protect the Intellectual Property of your newly developed software?
Refrigerators, cars, smartphones… Software is everywhere and is becoming more and more widespread. Not only information but also data, know-how and interpersonal skills flow through this software. Software is the result of years of work and, above all, investment. Often a revenue generator and development lever in its own right, software is exposed to a largely underestimated risk: the possibility of being copied or stolen. In this context, the protection of software intellectual property is a key issue in developing innovations. Let’s take a look at it.
Intellectual property attests that an entity has created an innovation. It allows the company that created the innovation to take ownership of it and to prove who it belongs to. Thus, intellectual property provides an opportunity for companies to gain a competitive advantage and leverage their innovation as a source of revenue. It is a valuable asset for a company and needs to be protected.
“Protecting innovations generally means protecting the revenues derived from them”
Matthieu Mandard, The Protection of Innovations (2020).
Intellectual property is divided into two areas:
Intellectual property concerns all sectors: tech, defense, mobile, video content, etc.
It also concerns companies of all sizes: large companies that process large volumes of data and whose innovations represent a colossal investment, and start-ups whose development and growth may be based solely on innovation.
The digitalization of the economy has contributed to software development and its widespread use. As a result, the majority of companies today do business around software. Failing to protect the intellectual property of software therefore means taking the risk of jeopardizing the company’s core revenue.
Nowadays, all known attacks on software (malware, ransomware…) are just the tip of the iceberg. There is a type of attack that is often ignored: the theft or copying of programs. The objective is to analyze and understand the software without the owners’ knowledge; hackers act in the shadows without the legitimate owner even knowing what is happening. This theft of intellectual property based on reverse engineering nevertheless causes significant damage.
Applied to the defense sector, intellectual property protection covers major societal issues: politics, positioning, state of strength (technological advance, superiority), security, etc. Imagine the tampering of electronic voting systems and its consequences if organized by a foreign state. Or what if a government could retrieve a missile or a drone of a foreign country in a military operation: by analyzing its code, the government could learn about both military technologies and military targets, a very valuable source of intelligence.
Protecting an innovation allows the company to stay ahead of the competition and retain the competitive advantage offered by the innovation. Moreover, software theft is likely to harm the company’s brand image and lead to a loss of customers. Let’s take an example: a mobile application is the only one on the market that allows you to perform action A. A competitor manages to steal the software for this application. The competitor then releases a similar application that can also perform action A. The company behind the innovation is then no longer seen by users as particularly innovative, as other solutions can now achieve the same results. Furthermore, some of its users may switch to the second application. The company then loses market share.
If an innovation represents 80% of a company’s business, that company potentially loses 80% of its business in the event of an attack. Protecting intellectual property can thus be a matter of life and death for innovators. The risk is to have all your ideas and customers stolen and to be overtaken by your competitors. For example, in the game industry, some companies make a large percentage of their revenues in a few weeks when launching a new game. Delaying an attacker is necessary in this domain.
In short, not protecting your intellectual property means running the risk of having your software stolen. However, if a hacker manages to steal the intellectual property of an innovation, it is tough to prove it and to punish the thief.
This issue has arisen between Sega and Accolade. Accolade reverse engineered the Genesis video game console, manufactured by Sega. More concretely, Accolade disassembled the software of the Genesis video game console in order to publish games without Sega’s agreement. The objective? Not to have to go through Sega’s development kit, and thus avoid paying royalties. The US District Court of California ruled in favour of Sega: Accolade was then forced to recall all its Genesis games. Unhappy with the decision, Accolade appealed, claiming that the reverse engineering was fair. The district court’s order found that Accolade’s use of reverse engineering to publish Genesis titles was protected by fair use. The court thus held that the alleged infringement of the Sega trademarks was Sega’s fault. This case and the resulting court decision call into question the applicability of intellectual property to innovations.
Several legal solutions exist to protect:
Filing a patent or copyright is about providing and validating evidence that an innovation belongs to an entity. Thus, filing a patent or copyright attests to the intellectual property of an innovation, but it does not prevent its theft. Furthermore, the regulations do not allow for the patenting of code, only of how certain operations are carried out in the software.
In the event of theft, victims have legal recourse: they can initiate legal proceedings. On average, legal proceedings of this kind last more than 3 years. The company that is the victim of theft spends money and energy for several years and falls behind in its innovation cycle.
Thus, it appears necessary to address these regulatory gaps and constraints. To do this, companies can opt for a strategy that complements the regulations.
As far as software patents are concerned, they can prevent inter-operability and are therefore not really effective.
Companies can deploy a physical/logical or technological means of protection by equipping themselves with a technological solution that effectively protects intellectual property from theft. Some cybersecurity experts have developed software to safeguard the intellectual property of innovations.
How does it work? Several techniques are used to prevent hackers from stealing innovations. One of them is obfuscation. When an application is published, some people can analyze it to understand everything about it: how it works, where the data is, how it is manipulated, how the application interacts with other systems, etc. The protection strategy consists of delaying this analysis, making it hard if not impossible, by placing misleading or inaccurate information in the application to hide the relevant information without preventing the software from functioning. It makes a mathematical formula or a line of code more complex: hackers cannot understand it, steal it or abuse the data it contains. It could have an impact on performance, but “Security is always seen as too much until the day it’s not enough.” (William H. Webster)
Obfuscation has a dual purpose: to protect the software and enable the cooperation necessary for business. Despite the complexity of the code, the output is always the same: the code produces the same results but is made unintelligible. This makes it possible to create partnerships and cooperation with other companies. Obfuscation thus makes it possible to lend the technology to another entity by building trust.
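To make the "same output, unintelligible code" property concrete, here is an added example (not from the original article and not a representation of how Quarks AppShield transforms code). It rewrites a small formula using standard mixed boolean-arithmetic identities, constant hiding and an opaque predicate, then checks that both forms agree; the function names and the formula itself are constructed for illustration.

```python
import random

MASK = 0xFFFFFFFF  # emulate 32-bit unsigned arithmetic


def plain(x: int, y: int) -> int:
    """Readable form of a small mixing step (constructed for this demo)."""
    return ((x + y) ^ 0x5A5A5A5A) & MASK


def obfuscated(x: int, y: int) -> int:
    """Same function after three classic rewrites: harder to read, same output."""
    # Constant hiding: 0x5A5A5A5A never appears literally in this function.
    k = ~0xA5A5A5A5 & MASK
    # Mixed boolean-arithmetic identity: x + y == (x ^ y) + 2*(x & y)
    s = ((x ^ y) + 2 * (x & y)) & MASK
    # Opaque predicate: x*(x+1) is always even, so the fall-through is dead code.
    if (x * (x + 1)) & 1 == 0:
        # Identity: a ^ b == (a | b) - (a & b)
        return ((s | k) - (s & k)) & MASK
    return (s * 31 + y) & MASK  # never reached; present only to mislead a reader


def first_mismatch(trials: int = 10_000, seed: int = 1):
    """Return the first (x, y) where the two forms differ, or None if they agree."""
    rng = random.Random(seed)
    edge = [0, 1, 0x7FFFFFFF, 0x80000000, MASK]  # boundary values for 32-bit math
    pairs = [(a, b) for a in edge for b in edge]
    pairs += [(rng.getrandbits(32), rng.getrandbits(32)) for _ in range(trials)]
    for x, y in pairs:
        if plain(x, y) != obfuscated(x, y):
            return (x, y)
    return None


if __name__ == "__main__":
    print("mismatch:", first_mismatch())
```

A differential check like `first_mismatch` is also how a protected build is validated in practice: the obfuscated form is only acceptable if it is observably identical to the original.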
The circulation of ideas and the reuse of innovations are a fact: they are part of the innovation cycle. The challenge is to find the right balance between competition and cooperation, proprietary logic and open source. Therefore, it is essential to protect the intellectual property of one’s innovations: to avoid code theft/copy and competing reverse engineering, but above all, to remain in control of one’s innovation and be able to prohibit its exploitation.[FR1]
The protection of intellectual property is a significant issue in order to avoid espionage, the reuse of code and reverse engineering by competitors. There are two complementary ways to protect intellectual property: the regulatory solution to certify that the innovation belongs to the company and the technological solution to prevent theft. The latter should not be forgotten because it is complementary to the former.
To address this issue of protecting intellectual property through technology, Quarkslab has created Quarks AppShield. This cybersecurity solution protects software applications deployed on computers, mobile phones and connected objects. Its application protection, white-box cryptography and digital vault features thwart would-be attackers who attempt to reverse engineer applications and steal intellectual property. Quarks AppShield protects your code, data and encryption keys by integrating the code to make it more complex and secure. Want to learn more about Quarks AppShield? Request a demo!
[FR1] Hyper crucial! That would be the conclusion and likely an uncommon position I would like to take. Patents on ideas are bad and not really effective. They also prevent inter-operability to the extent that we had to make laws to allow inter-operability (otherwise, companies would create totally closed systems that only they can fix and manage – see what is going on lately in the automotive industry).
According to Global Data, the IoT market could reach more than €1,000 billion by 2024, an increase of 13% compared to 2020. In light of this growth, the industry has understood the urgency of implementing security standards via regulatory bodies to limit the risks of cyber-attacks and other frauds. In this context, the identity of connected objects has become a real security issue for the IoT, both to guarantee the reliability of collected data and to guide decisions.
Identity is a concept that always has the same essence: the identity of a connected object is, therefore, what makes it unique and authentic. IoT devices can collect, process and exchange data via a communication network. Thus, in a context where platforms connect objects, identifying them contributes to the success of the operation, as well as to its security. Moreover, having trustworthy data makes it possible to take better decisions without the risk of relying on data whose integrity is not assured.
Among a fleet of devices and other connected objects with common characteristics, a connected object’s identity allows it to be distinguished from the others. Let’s make a comparison with human beings. The identity of a connected object is a sort of fingerprint that is unique to it and that allows it to be differentiated from others. This identity can be based on various technical forms/means: serial number, cryptographic signature, one-time programmable memory, physical unclonable function (PUF), etc.
Firstly, giving an identity to a connected object allows it to be authenticated. This authentication process allows the human and the machine to recognise the object and place it in a zone of trust: a clearly identified and consequently authenticated object is a secure object.
If you are creating a platform or ecosystem, knowing exactly which connected object(s) are used to communicate with you saves time and builds confidence.
In addition, identifying the connected objects in its IoT fleet serves other functions:
These functions will ensure the privacy and integrity of data stored, sent, or shared by the object.
Against hacking or any other cyberattack, giving an identity to each object makes it unique and thus makes the intrusion more complex.
If a device is compromised or its data tampered with, it is possible to blacklist it without having to update the entire fleet.
Indeed, hackers or cybercriminals will find it very difficult to launch a volumetric or DDoS (distributed denial-of-service) attack that clogs up systems and makes a server unavailable. Since each object is unique, they would have to be hacked one by one, which is too time-consuming.
In our daily lives, both in a personal and professional context, we use many connected objects, some of which manage data that determine an amount to be paid by the user.
This is the case with smart metering devices that collect energy data remotely through smart meters and IoT sensors. In France, for example, these devices, named Linky, have been widely deployed in the general population’s homes. Each meter must have an identity that makes it unique so that the supplier charges the right amount to the right person.
On the other hand, if the smart meter is undifferentiated and does not have an integrated identity (e.g., via a meter number), many errors could creep into the billing process and encourage fraud. For example, the meter could be easily replaceable and transmit consumption data far below the current consumption to reduce the bill amount.
On another level, that of Industrial Internet of Things (IIoT) data, it is crucial to establish the identity of a connected object that performs predictive maintenance. If a connected object fails or does not fulfil its role, the object in question must be identified in the middle of a fleet to intervene.
In other words, in automated or robotic production lines, it is essential to know which device has transmitted which data to which other device and thus to draw relevant information, especially if a device is not functioning correctly.
Today, several hardware and software solutions can give a connected device its identity.
For the hardware, it is possible to customise the following elements:
For software, the establishment of identity can be implemented via:
Two elements should be taken into account to establish the identity of a connected object:
Therefore, the more securely these two elements are implemented, the less likely it is that a hacker will be able to forge the device. In this context, the installation of a VPN, i.e., the implementation of virtual private networks, is also recommended to monitor the communications of IoT systems. In a Zero Trust context, a secure channel should be established directly with the cloud platform, which requires strong device authentication.
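The following added example (not from the original article and not QShield code) illustrates two points made above: a per-device identity lets the platform authenticate each reading, and a compromised device can be blacklisted without touching the rest of the fleet. The HMAC-SHA256 challenge-response, the key derivation from the serial number, and all names and values are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import secrets


class Platform:
    """Hypothetical back end holding one secret per device serial."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self.revoked = set()  # blacklist of serial numbers

    def device_key(self, serial: str) -> bytes:
        # Assumption: the per-device key is HMAC(master, serial), provisioned at manufacture.
        return hmac.new(self._master, serial.encode(), hashlib.sha256).digest()

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh nonce so old answers cannot be replayed

    def verify(self, serial: str, nonce: bytes, reading: bytes, tag: bytes) -> bool:
        if serial in self.revoked:
            return False
        key = self.device_key(serial)
        expected = hmac.new(key, nonce + reading, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time comparison


class Device:
    def __init__(self, serial: str, key: bytes):
        self.serial, self._key = serial, key

    def report(self, nonce: bytes, reading: bytes) -> bytes:
        return hmac.new(self._key, nonce + reading, hashlib.sha256).digest()


def demo() -> dict:
    p = Platform(b"constructed-demo-master-key")  # constructed value
    a = Device("METER-0001", p.device_key("METER-0001"))
    b = Device("METER-0002", p.device_key("METER-0002"))
    reading, n1 = b"kWh=42.7", p.challenge()
    tag = a.report(n1, reading)
    r = {
        "genuine_accepted": p.verify(a.serial, n1, reading, tag),
        "other_device_key_rejected": not p.verify(a.serial, n1, reading, b.report(n1, reading)),
        "altered_reading_rejected": not p.verify(a.serial, n1, b"kWh=1.0", tag),
        "replay_rejected": not p.verify(a.serial, p.challenge(), reading, tag),
    }
    p.revoked.add(b.serial)  # blacklist one meter only
    n2 = p.challenge()
    r["revoked_rejected"] = not p.verify(b.serial, n2, reading, b.report(n2, reading))
    r["rest_of_fleet_ok"] = p.verify(a.serial, n2, reading, a.report(n2, reading))
    return r
```

With a single key shared by the whole fleet, the second and fifth checks would be impossible: any one extracted key would speak for every meter, and revoking it would mean re-provisioning all of them.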
You’ve got it: giving an identity to a connected object allows it to be authenticated and to maintain a high level of security against cyber-attacks. Therefore, you can benefit from a technological boost to identify your entire IoT fleet.
Quarkslab has created QShield to address this issue. It is a cybersecurity solution that identifies each connected object in your fleet, protecting code, keys and data using the most advanced software technologies.
Want to know more? Request a demo!