Unintended Litigation Risks – A Case Study of FAIR for Cyber Risk Management
Whilst there is a large volume of freely available material to assist organizations in developing their cyber risk management programmes, such as those illustrated on this website, some may create litigation risks through their use.
The FAIR Framework (Factor Analysis of Information Risks) began as merely a failed US patent application filed by Jack A. Jones, which was later developed into a commercial product, currently available under licence from the Open Group.
The situation is more complex, however, since FAIR, as a patent application, is within the public domain and as such is not protected as a framework taxonomy. Jones abandoned the application because the FAIR methods had been invented by a number of other inventors before his application was filed.
With the information available from the US patent office’s website, a potential user of FAIR, whether under a Creative Commons licence, or under licence from the Open Group, is able to evaluate who owns the IP in any commercially provided consulting service or software that has FAIR embodied within it.
WHO INVENTED WHAT?
To provide some basic information to potential users of FAIR, some background information is provided here.
JACK A. JONES: US10/912,863
Jones filed his application for FAIR in 2004 as patent application 10/912,863, having filed a prior provisional application in August 2003 as US49397903P (a provisional application is never examined and is never in the public domain).
Jones filed the following claim covering the FAIR method:
“1. A method of measuring and representing security risk, the method comprising:
(a) selecting at least one object within an environment;
(b) quantifying the strength of controls of at least one object within that environment by:
(i) quantifying authentication controls;
(ii) quantifying authorization controls; and
(iii) quantifying structural integrity;
(c) setting global variables for the environment e.g., whether the environment is subject to regulatory laws;
(d) selecting at least one threat community e.g., professional hacker; and
(e) calculating information risk by:
(i) performing a statistical analysis, using the strengths of controls of said at least one object, the characteristics of at least one threat community, and the global variables of the environment, to compute a value representing information risk.”
ERIC B. COLE / SYTEX: US10/426,908
In 2007, the USPTO issued a rejection notice for Jones’ application based upon the earlier invention of the same method by Eric B. Cole in 2003, under the title: Methodology, system and computer readable medium for rating computer system vulnerabilities.
The examiner stated in the rejection that:
“Cole discloses a method of measuring and representing security risk, the method comprising:
- selecting at least one object within an environment;
- quantifying the strength of controls of at least one object within that environment by:
  - quantifying authentication controls
  - quantifying authorization controls; and
  - quantifying structural integrity (paragraphs 0033-0048)
- setting global variables for the environment (paragraph 0049)
- selecting at least one threat community (paragraph 0050); and
- calculating information risk by:
  - performing a statistical analysis, using the strength of controls of said at least one object, the characteristics of at least one threat community, and the global variables of the environment, to compute a value representing information risk (paragraph 0050).”
At the time of Cole’s invention, he was working for The Sytex Group, later acquired by Lockheed Martin in 2005 for $462 million, with the intellectual property assigned to Sytex at the time of the application filing. Further down the line, Sytex assigned the patent to Citibank and then back to Sytex via a holding company that includes leading security provider, Leidos.
DODD / INTERNET SECURITY SYSTEMS: US10/066,461 (https://patents.google.com/patent/US20020147803A1/en?oq=2002%2f0147803)
In addition, Cole’s application was, as in the case of Jones, abandoned after it was rejected in 2006 due to prior art in the form of application 10/066,461 by Timothy Dodd of Internet Security Systems Inc in 2003, entitled “Method and system for calculating risk in association with a security audit of a computer network”.
Claim 1 of Dodd states:
“1. A method for assessing the security of a system comprising:
selecting a vulnerability for the system;
obtaining an asset value for the system;
determining an exploit probability for the vulnerability;
obtaining a severity value for the vulnerability;
computing a risk value for the vulnerability based on at least one of the asset value, the exploit probability, and the severity value;
if there are additional vulnerabilities associated with the system, repeating the foregoing steps to compute risk values for the additional vulnerabilities; and
calculating a security score for the system based on at least one of the risk values associated with the system.”
FOX / HARRIS CORP: US9/500,269
Although the application was abandoned, it was, prior to this event, assigned to Accenture and then to IBM, illustrating the perceived importance and value of the method embodied within the application. However, once again, Dodd’s application was rejected by the USPTO in 2005 in light of the prior patent application of Kevin Fox, et al. on behalf of Harris Corporation in February 2000; US 9/500,269.
Fox’s patent, entitled “System and method for assessing the security posture of a network using goal oriented fuzzy logic decision rules”, claimed the following and precluded Dodd’s, Cole’s and Jones’ claims to the invention:
“1. A method for assessing the security posture of a network comprising the steps of:
creating a system object model database representing a network, wherein the system object model database supports the information data requirements of separate, non-integrated network vulnerability analysis programs;
exporting only the required data from the system object model database representing the network to each respective network vulnerability analysis program;
analyzing the network with each network vulnerability analysis program to produce data results from each program;
storing the data results from respective network vulnerability analysis programs and the common system model database within a data fact base; and
applying goal oriented fuzzy logic decision rules to the data fact base to determine the security posture of the network”.
The application was allowed and was patented as US6883101B1 and continued to be owned by Harris Corporation, a NYSE listed defence contractor that merged with L3 Technologies in 2019. Harris Corp continues to work within the cyber security space and has an annual revenue of around $4.5 billion.
A final point to note is that the US Patent Office examiner for Fox/Harris Corp is the very same examiner with whom Quantar has prosecuted its patents, thereby demonstrating the Quantar patent portfolio strength and validity.
IDENTIFICATION OF LITIGATION RISK
With reference again to the FAIR framework and the ownership of the intellectual property of the method, the above provides a sound illustration of who invented what and when. This is regardless of claims made, for example, by The Open Group of their ownership of a method embodied within FAIR that in fact was examined and granted to Harris Corporation, years before Jones filed his patent application.
The question remains, however, as to the use of a protected methodology that has now expired by patent term. What is clear is that where a US Government department has ruled on who originated the idea, such detailed and auditable evidence is likely to stand up in a US court of law in cases of claimed infringement.
When seeking to utilise methods that appear prima facie to be open source, free to use, royalty-free or code copyright-free, it is necessary to undertake sufficiently detailed due diligence in the same manner as a responsible organization would for the selection and use of any vendor’s products.
In the case of FAIR, one may make the case that there could be some form of liability arising from Harris Corporation, Sytex and Internet Security Systems, who could claim against those using products with FAIR incorporated within them, such as Risklens, Dell/RSA Archer CRQ, and others, on the basis that the method was disclosed ahead of Jones and is thus their intellectual property and not that of Risklens or The Open Group. How the method is used within software code that may copy code created by the other company’s products using the earlier application methods would need to be examined by the courts.
To ensure no IP liability is acquired through the use of a vendor’s products, whether intentionally or not, an evaluation of patent and certified code copyright by each and every vendor is required. As part of the overall risk management programme within organizations, vendor and IP risk should be conjoined within the assessment process.