21st century cybersecurity: People are the first step
FBI Special Agent Jamil Hassani. Photo by Tony Avelar.
FBI Special Agent Jamil Hassani specializes in fighting cybercrime, and he told a gathering of lawyers and judges at the ABA Annual Meeting in San Francisco that because of their profession, stature and potential to poke back, he skipped something he often does just before such an appearance.
He typically sends a “spear-phishing” email to some of the people with whom he’s about to meet. “They get an ominous screen saying: ‘I just spear-phished you’ and a follow-up saying ‘Just kidding.’”
His story illustrates the first level of security, which is people—those in the audience, employees of companies and others. He has found that when he uses the stunt, “one in 20 click on the link.”
The presentation, titled “Effective Cybersecurity in the 21st Century: Privacy, Policy & Protocol,” was sponsored by the ABA’s Litigation Section.
With all the talk of cutting-edge malware, the tools that were used when he started in this work in 2004 “are virtually identical to the ones they’re using today,” Hassani said. But now the internet is much bigger. He pointed out that he found an access point to get into a major hotel’s computer system through the smart refrigerator in a guest room.
Companies need to do more than prevent cyberintrusions to protect themselves and their customers; they also need to comply with federal requirements for security.
Panelist Mary Jane Wilson-Bilik, a lawyer in the Washington, D.C., office of Sutherland Asbill & Brennan, said federal and state regulators “are upping their game” with a “mosaic of laws” that sometimes are conflicting or represent competition among agencies.
The Gramm-Leach-Bliley Act of 1999 requires financial institutions to safeguard data, she said, but another benchmark is the National Institute of Standards and Technology cybersecurity framework. NIST is a nonregulatory agency within the U.S. Commerce Department that develops standards to promote innovation and competitiveness.
Panelist Jennifer Martin, who has handled cybercrises for companies for the past 15 years and recently joined the New York City office of Covington & Burling, suggested concentrating on developing an incident response program.
“More and more companies have plans, but the devil is really in the details,” she said, later explaining the need to “learn C-suite escalations” for managing various responses, such as who decides to pull the server down and other action items.
“That should be choreographed,” Martin said, not worked out on the fly during the first crisis.
Follow along with our full coverage of the 2016 ABA Annual Meeting.
Updated Aug. 12 to clarify a statement by Hassani.