Without question, environment, energy, and resources (EER) practice involves working with facilities, industrial sectors, and state, federal, and local agencies that are recognized as vulnerable to, and as prime targets of, cyber attack and disruption. The February 2013 Presidential Policy Directive 21 on Critical Infrastructure Security and Resilience (PPD-21) identifies 16 critical infrastructure sectors—many familiar to EER work—such as water and wastewater systems; chemicals; commercial facilities; critical manufacturing; dams; energy; food and agriculture; nuclear reactors, materials, and waste; and transportation systems. Subparts of major industry sectors that are reported to be on the front lines of being the focus of cyber attack include new energy, bio-tech, new materials and minerals, high-end equipment manufacturing, and clean energy vehicles.
It takes little imagination to start an inventory of the many ways cyber attacks can adversely impact law offices, client business, and our nation’s infrastructure overall. Malicious cyber actions include creating, modifying, deleting, and executing programs; uploading and downloading files; starting and stopping processes, systems, or mechanics; capturing keystrokes and screenshots; and obtaining passwords. At least one western U.S. state reports its computer system receives approximately 90 million attacks daily from potential hackers, a dramatic increase from past years. Experts note no breach is harmless, as cyber attackers frequently repeat patterns and other attackers attempt to follow and vary pathways previously tried. Press accounts have already been filed regarding plans by external groups to disrupt U.S. infrastructure this very summer, focusing on water and power control systems, with ominous names such as “Operation Black Summer.”
Federal environmental, energy, and resource agencies are making numerous resources available to increase public awareness of the presence of cyber threats and to shore up their systems. In February 2013, President Obama signed Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, to further focus on “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” A visit to any of the following sites reveals the serious work underway to protect critical infrastructure from cyber threats—EPA’s Homeland Security Portal; the Nuclear Regulatory Commission’s cybersecurity webpage; the Department of Interior’s Information Assurance Division site; the Department of Energy’s Office of Electricity Delivery and Energy Reliability (OE) page; or the Federal Energy Regulatory Commission’s Office of Energy Infrastructure Security webpage.
The Section is fortunate to have past Chair Claudia Rast of Butzel Long as our liaison to the ABA Cybersecurity Legal Task Force. Claudia is following developments and reporting regularly to the Section Council on implications for EER work. The Council has signed on to the cybersecurity resolution, which will be considered by the ABA House of Delegates at the Annual Meeting, August 8–13, 2013 in San Francisco. The resolution and its accompanying report thoughtfully discuss cybersecurity issues as they specifically apply to the legal profession, and note that existing state, local, territorial, and tribal governmental laws and regulations may be inadequate to deter, prevent, and punish unauthorized, illegal intrusions into the computer networks utilized by lawyers and law firms. As drafted, the resolution supports governmental actions, policies, practices, and procedures to combat unauthorized, illegal intrusions into the computer networks utilized by lawyers and law firms that respect and preserve client confidentiality, but opposes measures that would have the effect of eroding the attorney-client privilege, the work product doctrine, the confidential lawyer-client relationship, or traditional state court and bar regulation and oversight of lawyers and the legal profession. Critical too, is the lawyer’s duty of competency under Model Rule 1.1, which includes keeping “abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology. . . .” We look forward to reporting to the membership soon on the disposition of this resolution and on future cybersecurity activities by the ABA and our Section.
This is my final “Views from the Chair” column. Drafting this article on cybersecurity provided a perfect opportunity to reflect on how my ABA and Section membership gives me the opportunity to hear from global leaders on truly cutting-edge issues and to grow as a legal professional. Through my membership, I meet experts working at the heart of issues that matter to our profession; I am challenged to think about issues that enhance my work and abilities. An issue like cybersecurity is testament to what the ABA is all about— advancing the rule of law, professionalism, knowledge, and justice. It has been a privilege to serve all of you this year as your chair. I welcome Bill Penny of Stites & Harbison, as the new chair—he will serve the Section well! I close with the fine words of Garrison Keillor—“Be well, do good work, and keep in touch.”