Cyberspace Under Siege
Randy V. Sabett remembers some years ago when a law firm installed glass-breakage sensors on the windows of its 43rd-floor conference room, where documents often were compiled for big cases. The firm wanted to guard against the possibility that someone would rappel from the skyscraper’s observation deck and break through the windows to steal sensitive information.
That kind of security plan might have been sufficient back in the days of Sean Connery’s James Bond, but it’s hardly adequate to protect against the security threats hanging over law firms today.
Those threats come primarily from cyberspace, the network that includes the Internet, computer systems, telecommunications networks, and embedded mechanisms that control many military operations and critical industries like petroleum, airlines and electricity. Cyberspace, in other words, is the digital infrastructure that keeps modernized governments, economies and societies functioning.
The digital infrastructure in the United States and other countries around the world is under siege. Some experts even describe efforts to infiltrate computer networks as the precursor to a new type of warfare in which the front lines are computers sitting on desks in the offices of government officials, corporate employees and even lawyers.
Every day, computer networks are subject to attacks probing for weaknesses in security systems, accessing sensitive information and implanting “botnets”—robot programs that allow invaders to return to networks later through back doors and pluck out information at will. The attacks come from diverse sources—individuals, organized crime groups and even nation-states—that can be nearly impossible to identify.
The growing threat of cyberattacks has upped the ante dramatically when it comes to protecting sensitive information, says Sabett, a partner at SNR Denton who co-chairs the Internet and data protection practice in the law firm’s Washington, D.C., office.
Law firms are a very attractive target for cyberattacks by anyone seeking sensitive information, says Bradford A. Bleier, unit chief to the Cyber National Security Section in the FBI’s Cyber Division. “Law firms have tremendous concentrations of really critical private information,” says Bleier, and breaking into a firm’s computer system “is a really optimal way to obtain economic and personal security information.”
NO LONGER KID STUFF
In the early days of the Internet, computer hacking largely was the province of bored 13-year-old kids in their parents’ basements—as well as the occasional bored 36-year-old kid—who tried to break into the military’s computer systems just for the fun of it. Some of that is still going on, but the new generation of hacker is much more serious and sinister.
“In the 20 years I’ve been doing this, I’ve seen those types of intrusions go from being the hackers who did it just to prove they could to now a range of people,” says Christopher M.E. Painter, senior director for cybersecurity at the National Security Council and a past co-chair of the Cyber Crime Committee in the ABA’s Criminal Justice Section.
“These are organized criminal groups, individuals based not just in the United States but around the world,” Painter says. “The smarter ones pass their intrusion through a couple of different countries.”
How serious is it? “If you take the most sensitive piece of data that you’re afraid of losing and then think about what they can do with it, that’s the way to think about it,” Painter says.
Painter was a panelist at last year’s Annual Review of the Field of National Security Law, a conference co-sponsored by the ABA Standing Committee on Law and National Security. Other panelists were similarly convinced of the seriousness of the threat.
“My view of the threat is that it’s going up” for two primary reasons, said Philip Reitinger, the director of the National Cybersecurity Center in the Department of Homeland Security. First, he said, “the skill level of attackers is growing across the board.” Second, the nation’s networks of computer systems are becoming more connected and complex all the time, “and complexity is the enemy of security.”
As a result, Reitinger said, “if somebody wants to get into your system, they have a very, very good chance of doing it. So if you don’t want your system compromised, disconnect it from the Internet. Turn it off and don’t allow people to touch it, and then open up the box and take a hammer to the hard drive. At that point, you’re relatively secure.”
Also on the panel was Bleier, who used a metaphor that he acknowledged “is a little creepy” to illustrate how hard it is to measure the extent of the threat.
“You’re in a dark room and you’ve got a flashlight,” said Bleier. “You turn it on and you point it at the wall in front of you, and there’s 50 cockroaches on the wall. And the light goes off and you hit the flashlight and turn it to your left, and there are 50 cockroaches. Turn it to your right, turn it on again—50 cockroaches inscribed by the circle of the flashlight. On the floor, 50 cockroaches. Now after that, if you think there are 50 cockroaches in the room, you’re optimistic.”
The larger issue, Bleier said, “is all the other cockroaches you should be able to infer exist in the room. So in light of our increased awareness, just how many cockroaches are we after?”
A SHARPER FOCUS
Both the government and the private sector are painfully aware that there are plenty of cockroaches in the room.
A report delivered in December 2008 to the incoming Obama administration by a commission of the Center for Strategic and International Studies in Washington, D.C., cited various intrusions against computer systems at the departments of State, Homeland Security and Commerce, as well as NASA.
Defense Department officials reported that its computers “are probed hundreds of thousands of times each day,” the report states. As for the private sector, “Senior representatives from the intelligence community told us that they had conclusive evidence, covertly obtained from foreign sources, that U.S. companies have lost billions in intellectual property,” adds the report.
“The immediate risk lies with the economy,” states the CSIS report. “Most companies’ business plans involve the use of cyberspace to deliver services, manage supply chains or interact with customers. Equally important, intellectual property is now stored in digital form, easily accessible to rivals. Weak cybersecurity dilutes our investment in innovation while subsidizing the research and development efforts of foreign competitors. In the new global competition, where economic strength and technological leadership are as important to national power as military force, failing to secure cyberspace puts us at a disadvantage.”
Shortly after taking office, President Barack Obama appointed a panel to conduct a 60-day “clean-slate” review of U.S. policies relating to cybersecurity. The panel’s report was blunt in its assessment.
“The architecture of the nation’s digital infrastructure, based largely upon the Internet, is not secure or resilient,” the report concludes. “Without major advances in the security of these systems or significant change in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusions and operations.”
In December 2009, Obama appointed Howard A. Schmidt, the former head of security at Microsoft, as White House cybersecurity coordinator. The Pentagon established a new Cyber Command. The administration also identified cybersecurity as a priority in its national security strategy released in May. “Our digital infrastructure is a strategic national asset,” the document states, “and protecting it—while safeguarding privacy and civil liberties—is a national security priority.”
The growing use of cyberattacks as a weapon of economic competition helps to explain the increased attention law firms are getting as potential targets.
“What we’re seeing is a realization that the strategic deal information, potential economic espionage information, sits with lawyers as much as clients,” says Marc Zwillinger, a founding partner of Zwillinger Genetski, a boutique firm in Washington, D.C., that focuses on Internet-related legal issues. “Lawyers haven’t been as diligent with security as some of the institutions that gave them information.”
Sensitive information about a business often is easier to find in a law firm’s computers, says Alan Paller, director of research at the SANS Institute in Bethesda, Md., which conducts training and research on computer security.
“If I want to know about Boeing and I hack into Boeing, there are a billion files about Boeing,” Paller says. “But if I go to Boeing’s international law firm, they’re perfect. They’re like gold. They have exactly what I’m looking for. You reduce your effort.”
On Nov. 17, 2009, the FBI issued an alert warning that law firms and public relations firms were being targeted in a new round of organized cyber attacks. According to the bureau, the attackers were intruding into individual computers using a tactic known as “spear-phishing.”
A spear-phishing attack involves an e-mail sent to a specifically targeted individual. Using information picked up from common sources like Facebook and other social media sites, the message looks like it was sent by a colleague, client or some other trusted source, and it asks the recipient to open a link or attachment, which actually carries what the FBI terms a “malicious payload.” So what the recipient actually does is open the door for a botnet to enter the computer.
Gregory A. Fayer, an attorney at Gipson Hoffman & Pancione in Los Angeles, received such an e-mail just days after filing an intellectual property lawsuit that named the Chinese government, among others, as a defendant.
“These e-mails are specifically designed to target specific individuals by making them think they’re sent by someone that person knows or works with,” Fayer says. “For that reason, they’re much more dangerous than regular virus e-mails, which are generally detectable right off the bat or caught in anti-virus protections.”
Once hackers put their payload into a computer, they will first look for user credentials, such as administrator accounts, which allow them to move undetected within the larger network, according to Stephen L. Surdu, vice president of professional services at Mandiant, an information security firm headquartered in Alexandria, Va.
“It’s not traffic different from anything you would normally see,” he says. “They blend right in. They go in search of whatever brought them in the first place. They’ll copy that out, usually to a different location than where they’re doing their commands from, so it doesn’t get in the way of their activity.”
Sometimes hackers get in and get out quickly; other times they slowly harvest information over a protracted period of time, Surdu says. “If they’re stealthy enough, if they’re patient enough, it won’t alert anybody,” he says. “If you’re not looking for this type of thing, you’re not going to stumble across it.”
It is crucial for law firms to develop cybersecurity strategies, says Gabriel M. Helmer, a cybersecurity attorney in Boston who is conducting research projects in the field. “Figure out what information is very valuable to you and your business, and protect it to the level you think is appropriate,” he says. “Lawyers are in a position that they need to protect that information. When we stop being trusted, we stop having clients.”
But creating effective barriers to cyberattacks is a difficult proposition, for a number of reasons.
More cooperation in responding to the cyber security issue is vital, say experts in both government and the private sector. “Cybersecurity is a team sport that we all need to play effectively together,” says Reitinger from the Department of Homeland Security.
The federal government has taken steps toward developing a coordinated approach to the issue. The Obama administration, for instance, has adopted a 10-point near-term action plan recommended by the panel that prepared the clean-slate review of the government’s cybersecurity policies. Meanwhile, the FBI and 17 other federal law enforcement and intelligence agencies have formed the National Cyber Investigative Joint Task Force.
The private sector, though, is still playing catch-up.
In September 2009, the ABA’s Standing Committee on Law and National Security published a report summarizing proceedings from a two-day workshop in conjunction with the National Strategy Forum and the McCormick Foundation.
“Creating incentives for security in the private sector cyberdomain is a challenge,” states the report, National Security Threats in Cyberspace. “One participant, rather unkindly, characterized the private sector response as a ‘faith-based market failure’—one bottomed on an act of faith that vulnerabilities would not be exploited. That faith has, of course, gone unrequited.”
But some efforts to address cybersecurity in the private sector are under way. The ABA’s national security committee, for instance, recently created a task force to look at some of the key legal considerations in dealing with cybersecurity. The task force will have up to 40 members, including government representatives and members of the private sector, according to its chair, Suzanne E. Spaulding. She is a principal in the D.C. office of the Bingham Consulting Group, which advises companies on public policy issues, and serves as a special adviser to the ABA committee.
Three key issues the task force will address, Spaulding says, are how to increase collaboration between government entities and with the public sector to develop effective policies; legal concerns about how government surveillance of the Internet would affect privacy concerns; and how the framework of the laws of war developed for conflicts in the “kinetic” world should apply to attacks that occur in cyberspace. Spaulding says the task force report, which is expected in about a year, will focus on issue analysis rather than policy recommendations.
DOWN HERE ON THE GROUND
For law firms dealing with cybersecurity threats at ground level, developing effective policies may be the result of new ways of thinking as much as changes in technology.
Sabett says law firms need to instill a “security culture” to help protect against online break-ins. “They should understand that if they use some Web-based e-mail package, it’s not secure,” he says. “They should take prudent steps to protect information. If a client has sensitive data, and that’s a hot-button issue for the client, use encryption,” which makes information unreadable to anyone but an intended recipient.
Focusing on security technology “is a good starting point,” says Surdu. “But you can have all the good technology in place, you can patch all your third-party software, you can perform your vulnerability assessments. But if your users aren’t aware, your attackers come back—and all the work you’ve put into taking your network back, you’ve got to start again.”
That’s where issues like law firm culture come in. Many lawyers, for instance, find it hard to resist the impulse to open certain types of e-mail, especially when the risks of doing so are well-concealed, says Stewart A. Baker, a partner at Steptoe & Johnson in D.C. who served more than three years as first assistant secretary for policy at the DHS. His new book, Skating on Stilts: Why We Aren’t Stopping Tomorrow’s Terrorism, explores the threat of cyberspace attacks.
“Lawyers are in the business of responding quickly,” Baker says. “While they are not likely to respond to e-mails that promise to enlarge their anatomy, they are likely to respond to plausible requests or opportunities to get new business. It’s very hard to tell law partners not to open attachments from people they think might be sending them business or important documents.”
Some phishers try to take advantage of lawyer egos, Zwillinger says. Phishers might send e-mails saying, “Check this out: You’re featured in this article. If they think the story is about them, they’ll click on it.”
Attorneys also have grown accustomed to “open architecture” systems and often don’t spend the time to come up with sophisticated passwords, Zwillinger says.
“To be able to bill anywhere at any time, you need the open architecture,” he says. “But if I can log on to my server remotely, then a hacker can log on to my server remotely. And lawyers are too busy to be bothered with eight-character, uppercase-lowercase passwords.”
Law firm partners often become comfortable with outdated technology and see no return on investment in updating firewalls, Baker says. “Spending money on IT security produces no visible gain from the point of view of users, who are also owners, and consequently it’s a hard sell for the IT department.”
The resistance to updating technology is partly caused by what Paller terms the “power relationship between users and administrators. A lawyer at a law firm, he owns the firm. If the system administrator asks him to do something, he ignores him. ‘Why is that man or woman getting in the way of my doing things the way I want to?’ ”
Surdu advises that law firms perform basic vulnerability assessments, map where attackers might enter their systems, and ensure that firewalls are configured appropriately and anti-virus programs are updated.
Firms also should create multiple tiers of security for what Surdu describes as “everyday stuff, really good information and ‘crown jewels.’ ”
Baker advises segregating some key data offline. He also recommends that computers be set up to flag unusual activity and raise questions like, “Why is this guy logging on and sending e-mails at this hour?”
But segregating data comes back to questions about firm culture, says Paller, who describes a typical scenario: An attorney says, “I’m in Indiana, and I need my documents.” The IT person responds, “Well, move them off that network onto another network just for that meeting.” And the attorney barks back, “But that’s inconvenient.”
“See the problem?” asks Paller, who offers a solution: “Thumb drives have four, five, six gigs. The idea that you can’t carry it with you used to be true, but it’s not true now.”
Even if law firms manage to take heroic measures to secure their computer systems, experts say they—along with businesses and government—must accept the reality that cyberspace will never be entirely safe. As a result, experts say systems should be constructed so they are resilient enough to adapt to and recover from attacks rather than avoid them altogether.
“The goal is to make maximum use of all the benefits the Internet has to offer,” Spaulding says. “To fully exploit that, we need to have cybersecurity in appropriate contexts. We can’t put the system in a hermetically sealed environment.”
Speaking on the cybersecurity panel at last year’s national security law conference, K.A. “Kim” Taipale borrowed fellow panelist Bleier’s creepy cockroach metaphor to bring the point home. “The philosophical approach you have to take,” said Taipale, executive director of the Stilwell Center for Advanced Studies in Science and Technology Policy, “is not how to stamp out all the cockroaches, but how do you live the rest of your life in a room full of cockroaches?”
Whose Fault Is It, Anyway?
Clients don’t typically ask to audit the computer security policies of their law firms, but at least one expert on cyberspace issues says such things could soon become commonplace.
“We’re one security breach away from that starting to happen,” says Stewart A. Baker, a partner at Steptoe & Johnson in Washington, D.C. “If a security breach involves sensitive information handled by a law firm and someone finds it on a server headed to a foreign government, then the [U.S.] government will have some very awkward questions for the company that was the source of the information and the law firm that was the source of the information.”
That scenario hints at the potential liability and ethics problems that lurk amid growing concerns about attacks aimed at getting access to confidential information stored on computers.
But at least for now, many experts say breaches of client information that occur in cyberspace are subject to the same standards for lawyers that already apply outside of cyberspace.
“From an attorney-client perspective, the ramifications are no different than if you had the same sort of compromise in the physical world,” says Randy V. Sabett, a partner at SNR Denton in Washington, D.C. “The liability that a firm would face if they lost a box of documents would be no different than if that entire box of documents was on a thumb drive.”
The rules could change, however, under both federal and state laws. Massachusetts, for instance, recently enacted perhaps the strongest rules for businesses handling personal information for customers or clients.
“You have to put in super-duper computer security to make sure personal information is secure. It’s a pain in the neck,” says David J. Goldstone, a partner at Goodwin Procter in Boston who co-chairs the Cyber Crime Committee in the ABA’s Criminal Justice Section. Minnesota, Nevada and Wisconsin have less stringent regulations, Goldstone says, and New Jersey and New York are considering them.
But so far, says Gabriel M. Helmer, a cyber security attorney in Boston, “in a way, it’s the Wild West. There are very few precedential findings about what is good security. There are one-off cases where it’s hard to draw any real standards. Most of them come back to ‘reasonable and appropriate’ security steps.”