While clients are demanding that their law firms take more steps to guard against cyber intrusions, concerns about hackers grow. Even the most conservative estimates of the costs of hacking forecast losses of billions of dollars over the coming decade.
What are the current cyber threats, applicable laws and standards lawyers need to know in this increasingly hazardous arena? Law enforcement officials have warned that law firms, in particular, are not doing enough to guard against hackers. On Saturday, cybersecurity experts at the Annual Meeting panel, “The Evolution of Cybersecurity and Planning for Response,” sponsored by the ABA Cybersecurity Legal Task Force, discussed lawyers’ obligations concerning both the risks and preparedness related to cybersecurity.
Panelist Sean Kanuck, national intelligence officer for cyber issues in the Office of the Director of National Intelligence, said that trends in the area of cybersecurity are alarming: there are more incidents, more hackers, the attacks are more sophisticated, the attacks are more disruptive, there are a greater variety of targets, more collateral damage and new vectors are being used.
Panelist Michael McGuire, a shareholder and chief information security officer at Littler Mendelson in Minneapolis, said, “It is past time for lawyers to take cybersecurity seriously. You need someone to keep watch over the issue, and it is much more than technology. It involves technical controls, administrative controls and physical controls.”
“Some things IT is not suited to address because it is outside of their bailiwick.”
One of the slides accompanying McGuire’s presentation read: “Vendors require oversight.” McGuire explained that “you can’t just hire someone and assume [security] is taken care of.”
Moderator Judith A. Miller, former general counsel for the Bechtel Group, had similar thoughts: “Cybersecurity needs to be acted on in an ongoing way by lawyers, not just their IT folks and their clients. This is not an impossible task. There is a lot of operational, accessible and affordable support available today to help.”
Panelist Harriet Goldman, director of advanced cybersecurity at MITRE Information Technology and Services, advised lawyers to strive for a resilient technological environment. “You need resiliency so that your system still works despite being under attack.”
Goldman advocated for what she termed “mission assurance engineering” – “understanding what you need to protect and what you need to keep going.”
Panelist Suzanne Spaulding, undersecretary for national protection and programs directorate in the Department of Homeland Security, said that basic steps can stop 90 percent of cyber intrusions, and that 85 percent of the nation’s critical infrastructure is owned by the private sector.
Panelist and Rep. James Langevin, D-R.I., founded the first-ever Congressional Cybersecurity Caucus in September 2008, with co-chair Rep. Mike McCaul, R-Texas. Langevin said:
“We depend on cyberspace for everything from banking and health care to national security, and it is a central component of our nation’s critical infrastructure. The importance of robust cyber protections cannot be overstated, and the pace of threats is ever-increasing, whether from criminals who seek financial gain by stealing personal computer information or from cyberterrorists who wish to attack our electric grid or otherwise weaken the United States.”
Langevin lamented that “Congress’s record has not been stellar in this area,” and noted that the worldwide costs of cyber crime and economic espionage total $445 billion a year, about 1 percent of global GDP.
Harvey Rishikof, dean of the National War College at the National Defense University, cited what he thinks are the four cyber vulnerabilities—software, hardware, carbon units [people] and networks—and said, “We all have grandchildren. If we’re not going to solve this problem [of cyber crimes], we better all learn Mandarin.”
Goldman, Langevin and Rishikof all made the point that cybersecurity is a problem that can only be managed, not eliminated.