How USPTO built a culture of trust in its automation efforts

The U.S. Patent and Trademark Office has proven successful in using automation to quickly remediate identified system glitches and potential security vulnerabilities, according to an agency official. 

In an interview with Nextgov/FCW, Spence Spencer — director of USPTO’s System Configuration and Delivery Automation Division — said speedy and effective uses of automation across the agency’s systems have helped create a culture of trust that allows his team to take the lead in addressing problems without significant pushback from higher-up officials. 

Spencer’s division is responsible for building, delivering and ensuring the security of custom software to help USPTO’s development and product teams “deliver faster, more consistent, higher-quality” products, including by automating systems to enhance agency capabilities. 

“The ability to use automation allows you to act very quickly and respond very quickly,” he said. “If you look at a large project that starts to go sideways and you have the right kind of automation, then you can break it down into smaller units of work and you can knock those smaller units out one at a time.”

USPTO first began using “build automation” around 2010, Spencer said, and then moved toward development, security and operations — or DevSecOps — over the years as the agency “started to put security in the initial build” of automated tools. 

“Probably 30% of our deployments were failures” in the beginning, he said, but the successful deployment of automated systems across the agency over the ensuing years — coupled with the capabilities of the division’s personnel — proved the worth of broadening these efforts further.

“We went from a culture of mistrust, where the answer to every deployment was no, to now the answer is, ‘yeah, do it,’” Spencer said, adding that “we don’t do rollbacks anymore.”

During the Trademark Public Advisory Committee’s quarterly meeting in November, Spencer said members of the agency were demonstrating new trademark external applications when an attorney with a private company who was present at the meeting “pointed out a logic flaw in our public application.” 

The product team, which was remotely listening to the meeting, checked and confirmed that there was a flaw in the application. Spencer said they quickly got to work addressing the issue and were able to roll out a fix by the next day. 

“They went from the discovery of a bug to delivering a bug fix on a public-facing, government-owned application in under 24 hours,” he said, adding “that's the level of agility we're at.”

To help USPTO's developers build safe and secure applications, Spencer’s division has also developed some automated quality tools that look at code as it is being written and “tells them this is not being handled in a safe way or this is unsafe, and then it’ll flag it.”

And when it comes to broader security risks — including those in custom-built software or in open-source components that come with their own vulnerabilities — the agency has also relied on automation to quickly identify and mitigate potential threats. 

These capabilities came in particularly handy following the 2021 disclosure of vulnerabilities in Log4j, a popular open-source logging library used in a wide range of consumer and enterprise products. 

Spencer said “we had a very short horizon” to identify security flaws in the agency’s use of Log4j, adding that “we needed to find out essentially the same day how bad it was.” 

“We actually had to make a recommendation to our [chief information officer] about some fairly drastic action on how to take care of that,” he added. “You can't do that without automation.”

USPTO is also experimenting with and using some emerging technologies to bolster the security of its systems. Spencer said the agency is “starting to look at how we can use things like AI to help our folks actually code the software,” as well as other tools for securing systems. 

“For addressing things like security vulnerabilities through automation, we built it with a robot, the robot knows what's in there and we've got a bill of materials that we generated when we built it,” Spencer said. “If we find out about a new vulnerability, we can look at those bills of material real fast to say, ‘where do we have these problems and what do we need to fix it?’”