Thursday, 10 December 2015

What we know and what we don’t: a review of patents for cybersecurity

"What we know and what we don’t: a review of patents for cybersecurity" is the title of this week's Aistemos IP Analytics contribution to the IAM Weekly Industry Reports.  This report gives a breakdown of one of the most currently sensitive industry sectors, offering not just fresh data but some pertinent perspectives.  This is what we've written:
The advantages that can be derived from the illicit accessing of both commercial and technical information, and the damage that can be done, are unimaginably large. In consequence, following recent incidents such as the hackings of the extramarital affairs of Ashley Madison patrons and the TalkTalk telephone subscriber database, not to mention concerns over systematic technospying by China and other nations, public concern over online information security breaches is running at an all-time high. While these anxieties are real, it may well be that the highest level of concern should be reserved for the episodes of hacking which are so sophisticated that they have achieved their aims without ever being detected at all.
With national security, commercial hegemony and personal dignity at stake, it is unsurprising that both public and private sector clients are prepared to pay a premium for the peace of mind that cybersecurity can bring. This in turn incentivises market entrants, of which there are three basic types:
  • major players in the field of computer hardware, software and cloud services (eg, IBM, Intel and EMC Corporation) which have augmented their other products with a range of cybersecurity offerings;
  • security companies which operate generally throughout the field of computer security (eg, Symantec and Japanese player Trend Micro); and
  • 'pure play' companies (eg, Fortinet and Riverbed) which focus primarily on cybersecurity.
The first two of these groups tend to have a broad range of patents while, as might be expected, pure play operations are generally smaller and hold correspondingly fewer patents. The first group is also far more deeply rooted in the computer services market. IBM, Intel and EMC Corporation were founded in 1911, 1968 and 1986, respectively – long before cybersecurity was an issue.
The second group’s members are more recent. Symantec’s involvement in security followed its acquisition of the Norton business in 1990, and most of the pure play companies are relative latecomers to cybersecurity. Fortinet dates back to 2000 and Riverbed to 2002, while Trend Micro, a veteran in the field, moved from hardware dongles to anti-virus products back in 1992. On the other hand, the pure play companies have been making up for lost time: the three mentioned here have increased the size of their patent portfolios between five and 10 times. 
Figure 1 shows the vast difference in size and growth of this space. The major computer companies hold thousands of relevant patents but, while they also continue to grow, their rate of growth in relative terms is not as dramatic as that of companies such as Qihoo and Fireye, which have grown by hundreds of percent since 2013. However, it also shows that IBM’s portfolio of granted patents is tens of hundred times larger than many players and nearly twice the size of the combined substantial holdings of Intel and EMC. Knowing their successful licensing operations, they should be, perhaps unsurprisingly, a real IP powerhouse in this space.
Figure 2 focuses on the number of new filings in the space over the last three years, where IBM’s dominance is seen again, but Symantec, Qihoo and Fortinet are also making strides.
In Figure 3 the metrics of filings and size are combined, but only for security and pure play companies. Here the strong growth of Symantec can really be seen.
How does cybersecurity pan out in terms of global spread? Recent Cipher studies have shown that patenting in some technology sectors is relatively evenly spread internationally (eg, the automotive sector), while in other cases patent filing is dominated by a single jurisdiction (eg, aquaculture, where China has taken the lead, and brewing, where Japan’s strong position is in the process of being overhauled by foreign challengers) or by dominant regions (eg, FinTech, where the preponderant patenting activity is US and Asia-based). When it comes to cybersecurity the picture reflected in Figure 4 is again one of an extreme US focus, although $1.4 billion-capitalised Chinese company Qihoo is patenting extensively in China and the Moscow-based core of Kaspersky, which operates in nearly 200 countries, files some patents in its Russian home territory. One anomaly is that Trend Micro, compared to many other Japanese companies, focuses primarily on the US market.
Unlike some of the other sectors mentioned above, cybersecurity is the one in which non-practising entities (NPEs) appear to have a substantial, if small, presence. This is demonstrated in the table below, which shows defensive aggregator RPX ahead of patent chimera Intellectual Ventures and Acacia.
As might be guessed from the corporate bases of these operations and the prevalence of NPE rent-collecting practices in the United States, cybersecurity patenting by businesses that are not delivering commercial products themselves is predominantly a US affair. Figure 5 shows small but comparable levels of patenting by NPEs in Europe and Asia, and very little beyond.
Figure 6 looks at the litigation intensity in the space, where it is clear to see how active an IP area this is, with a substantial number of NPE suits (75% of total). However, it is also hotly contested, with a large number of competitors suing each other (eg, Fortinet and Trend Micro).
Where then does this leave customers? The large volume of patents and intensity of filing activity suggests that the patent system is responding to a rich and anxious market by producing a large number of innovations which, ideally, should result in a wide range of sophisticated products. 
However, there is a downside to the patent system here. A condition of receiving a patent grant is that the invention is clearly and fully described in the patent application. This information is publicly available and there is nothing to stop cybercriminals accessing and studying it. It may well be, therefore, that businesses will want to consider an alternative strategy based not on patenting but on confidentiality. If this is done, the new products will be as invisible to the world as those successful cyber attacks that have yet to be detected.


  1. Is there really a risk of giving away too much information by patenting cybersecurity inventions? Why should anyone assume that the person trying to hack a system knows which security system is being used anyway? And the published patent application only goes so far in describing the parameters of the invention but doesn't give enough detail to facilitate hacking.

  2. Spotted this on the Computing website: "New cross-EU cyber-security legislation a 'wake-up call' for companies that handle data". Doesn't refer to IP except as a target for hackers

  3. Does anyone know if cyber security and data protection means are areas that are governed by any standard-essential patent norms?

  4. @JustCurious I did a bit of online searching but couldn't find any specific reference to cybersecurity SEPs. Maybe it's the wrong term to search under.

  5. The proposed Cybersecurity Directive talks about both technical standards and security standards, and Article 16 requires the Commission to draw up a list of standards and specifications "relevant to networks and information security".

  6. In the US the National Institute of Standards and Technology (NIST) is seeking information on how its voluntary “Framework for Improving Critical Infrastructure Cybersecurity” is being used: Doesn't seem bothered about patents though. Why?

  7. Interesting roundtable discussion on cybersecurity in Financier Worldwide at

    Doesn't mention patents but does talk of businesses in the sector exchanging information.