Whether they realize it or not, lawyers are on the front lines when it comes to protecting the United States from cyber threats, according to Spencer Fisher, who spoke at a March 9 breakfast meeting sponsored by the ABA Standing Committee on Law and National Security.
Fisher, who is senior counsel for the National Counterintelligence and Security Center, supports the counterintelligence and security activities of the U.S. intelligence community, the U.S. government and the private sector at risk of attack by foreign adversaries.
“The foreign intelligence threat is one of the most significant threats facing our country,” Fisher said, noting that much of the threat comes from Russia and China – but also from nations with lesser capabilities and potentially more disruptive intent, as well as from profit-motivated criminal enterprises both here and abroad and other hackers and terrorists.
While one of the most high-profile recent breaches involves the U.S. electoral system, it’s not just the government and its infrastructure that are being threatened – but proprietary information from U.S. companies, too.
Law firms are rich targets for hackers and have been victims of cyberattacks, notably the 2016 hack of the Panamanian firm Mossack Fonseca, which resulted in the release of 11 million confidential documents.
“If you think about these examples from our adversaries’ perspective, which is what trained professionals are told to do, lawyers are an opportune and inviting target,” Fisher said. Lawyers acquire and retain vast quantities of their clients’ data, and they have practice areas that cut across many different industries – and are typically not experts in IT or cyber.
For too many law firms, security is a secondary concern. A recent assessment of law firm cybersecurity concluded that 40 percent of the surveyed law firms had experienced a data breach in 2016 but did not know it had occurred.
It’s essential for lawyers to safeguard personal, identifiable information and proprietary information obtained through discovery or from clients, so that this data does not end up in the wrong hands, Fisher said. “Nobody wants their firm to be associated with a major cyber breach.”
There are several measures law firms can take, such as:
- Develop data security plans that speak to all members of the firm so they know their roles in the event of a cyber breach
- Prepare the workforce by continually educating employees on how to respond to cyberattacks, particularly phishing attacks, which are the cause of the majority of cyber intrusions
- Engage outside IT security experts and conduct risk assessments on a regular basis, and use the results of these assessments to inform future activities.
“These are just a few of the issues lawyers and firms [should] grapple with as we become allies in addressing threats to our national security and our infrastructure,” Fisher said.