Kelce Wilson came to patent law by way of the U.S. military, where he tested defense systems for weaknesses that could be exploited by foreign actors. In a recent interview, Kelce talked to us about his experience, defending against cyberattacks, and what drew him to Grable Martin Fulton PLLC.
You had a varied and fascinating career before you went to law school. Why did you want to become a lawyer?
I was ripped off by an invention services company using a patent attorney who cooperated with the scheme. Today, that would probably get the attorney disbarred from the PTO. There was a loophole in the ethical rules for patent practitioners, and several businesses sprang up to take advantage of it. I was one of the people who was exploited. Eventually, there was a sufficient outcry that the Patent and Trademark Office changed the rules and closed the loophole.
I ended up losing what was a huge amount of money at the time for a single-income military household with children: about $13,000. The feeling I had when I realized what had happened was sickening; I still remember it. Later, I had another invention idea I thought would be huge, but I couldn’t afford to hire an attorney to write the patent application, so I went to law school to become my own patent attorney. And there’s just no way I could let someone else experience something similar to my disaster.
What advice do you have for businesses that are nervous about the seemingly constant threat of cyberattacks and data breaches?
Just because you’re paranoid doesn’t mean they’re not out to get you. There are rational attackers and irrational attackers. Rational attackers will go after a company if the value of the information they can steal is worth the effort, or the cost, of engineering a breach. If you drive up the cost for rational attackers, they’ll often give up. Irrational attackers usually cannot be deterred, but are often less skilled and have fewer resources. Cybersecurity is a lot like locking your car at the airport parking lot. You see a car with the windows rolled up and the doors locked parked next to a convertible with the roof down and a wallet on the seat, and you get an idea of the security environment. Rational thieves are going to go for the easier mark. You don’t always need to outrun the bear. Sometimes, you just need to outrun the person next to you. Unfortunately, that’s currently a primary basis for defensive strategies.
Aside from that, you need to understand the industry and how to work smart. That’s how I can help.
For example, there’s a difference between complying with regulations and making yourself difficult to hack. When I was working at BlackBerry, the Europeans, who tend to regulate as much as they can, were attempting to enforce new regulations for cellphones. But too many companies ignored it, so after a delay, they had to go back and try to get the industry to buy in.
In the meantime, while those proposed regulations had been gathering dust, the industry had swapped over to a new technology: smartphones. Now, your smartphone has many of the same security risks as a desktop computer – plus a lot more. Eventually, many of the cellphone companies fell in line with the proposal, but in my opinion, perhaps they didn’t do their due diligence on the underlying technology issues. The existing regulations were outdated, back from the days of flip phones. They were designed for phones with limited computing functionality.
When BlackBerry asked me to look at the proposal, I said, “These might have worked for prior generations of cellphones, but not anymore.” Some of the proposed regulations actually increased risk, because of the increased computational functionality of the new generation of devices, so we pushed back. We were the only ones in the whole industry, that I was aware of, who actively pushed back. Most of the other companies just signed on, I guess to be good citizens – although one of the largest companies in the industry just continued ignoring the regulators. As a result of the pushback, that set of proposed regulations was dropped.
The lesson is that merely complying with regulations, without thinking things through carefully, doesn’t necessarily lead to better security.
In some cases, compliance can make a device easier to hack. Say there’s a requirement for information to be backed up and stored off-site. Most backup systems don’t get a big budget for security. So somebody could possibly break into the backup and steal the information from there, when maybe they could not have succeeded in stealing from the primary system. Or they could insert a malicious program into the backup and force a crash of the primary system, so that the system IT administrators unwittingly load the malicious program onto the system themselves.
What drew you to Grable Martin Fulton?
I’ve known Wei Wei Jeang for about 10 years and enjoyed working with her. A regular law firm with the overhead of a fancy building, they try working you to death and have to bill these huge fees. Grable Martin isn’t like that. Working here, my billing rate is achievable and realizable.
At Grable Martin, I can set a rate that’s actually achievable for people who are in the situation I found myself in earlier. If I was back in 1993 and had bumped into somebody who had the billing rate that I have now, adjusted for inflation, and who wouldn’t rip me off, that would have been a very different situation.
Flexibility is a big part of it, as well. I get to work on cybersecurity issues. I’ve got breach experience and know how to do security audits. And there’s room to grow that practice at Grable Martin. When there is a breach, part of the initial response includes short-deadline reporting obligations. In some situations, a representative of the company must inform the FBI, the victims, state attorneys general, and so on. I can handle that and other breach response matters, but I would prefer to spend my time on prevention, which is helping companies to not get hacked.