Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.2.3. Intellectual Property and Import/Export Controls

💡 First Principle: Organizations create and depend on intellectual property — the code they write, the processes they develop, the brands they build. Different types of IP receive different legal protection mechanisms, and choosing the wrong one can mean losing protection entirely.

Four types of intellectual property:
| Type | Protection Mechanism | Duration | Registration Required? | Security Relevance |
|---|---|---|---|---|
| Copyright | Automatic on creation | Life + 70 years (US) | No (but beneficial) | Source code, documentation, creative content — automatically protected |
| Patent | Registration with patent office | 20 years from filing | Yes — public disclosure | Inventions, processes, software algorithms (jurisdiction-dependent) |
| Trademark | Use + optional registration | Indefinite (with renewal + use) | No (but registration strengthens) | Brand names, logos, product names — loss possible if not policed |
| Trade Secret | Active protection by owner | Indefinite (while secret) | No — secrecy IS the protection | Source code, formulas, business processes — protection LOST if disclosed without NDA |

Critical exam point on trade secrets: Unlike other IP types, a trade secret loses all legal protection the moment it is disclosed without appropriate protections in place. This is why NDAs for employees, contractors, and vendors are not optional — they are the legal mechanism that preserves trade secret status.

Software licensing — important because improper licensing creates both financial liability and potential security risk:

  • Proprietary / commercial — License grants specific use rights; reverse engineering typically prohibited
  • Open source — permissive (MIT, Apache, BSD): Can use freely, modify, distribute; must retain attribution
  • Open source — copyleft (GPL, LGPL): Must release derivative works under same license — creates "viral" license risk
  • Freeware / shareware — Not open source; free to use, but source not available

Export controls on cryptography — this is directly tested on the CISSP:

EAR (Export Administration Regulations) — Commerce Department rules governing dual-use goods (commercial items with military potential). Most commercial cryptographic software is controlled under EAR.

ITAR (International Traffic in Arms Regulations) — State Department rules governing defense articles. Military-grade cryptography falls here.

The practical implication: Exporting strong cryptographic software (AES-256 libraries, VPN products) to certain countries may require a license or may be prohibited entirely. Embargoed countries (currently including Iran, North Korea, Cuba, Syria) have the strictest restrictions. Security professionals deploying software globally must understand these controls — violation can result in criminal penalties.

⚠️ Exam Trap: Open source software is NOT automatically free of legal obligations. GPL-licensed code incorporated into proprietary software creates an obligation to open-source the combined work. Not reviewing the licenses of open-source dependencies is a common real-world mistake with serious legal consequences.

Reflection Question: A startup builds a B2B security product using an open-source cryptographic library licensed under GPL v3. They want to sell it as proprietary software. What legal issue exists, and what are their options?

Written by Alvin Varughese
Founder, 15 professional certifications