August 04, 2018

Cyber experts: Attacks inevitable, preparation for law firms essential

After the 9/11 attack on the United States, a national commission that analyzed the tragedy found that the country’s national security apparatus failed in two major regards: it showed a lack of imagination for the unthinkable and no unity in communication and cooperation to face the developing terrorist threat.

Fast forward 17 years. A panel at the American Bar Association Annual Meeting in Chicago raised concerns Saturday that U.S. businesses -- and law firms particularly -- might be going down a similar pre-9/11 path by failing to comprehend the full threat, vulnerabilities and consequences of cyberattacks from around the globe.

The program, Cybersecurity Wake Up Call: The Business You Save May Be Your Own, included two key players in the cybersecurity space during the Obama administration – Rajesh De, former general counsel of the National Security Agency, and Suzanne Spaulding, former undersecretary for National Protection and Programs Directorate in the Department of Homeland Security. Also participating were lawyers Thomas Smedinghoff and moderator Ruth Hill Bro, both members of the ABA Cybersecurity Legal Task Force, which sponsored the 90-minute program.

De, who delivered a brief keynote address prior to the panel discussion, drew from his experience as a “junior staffer” on the 9/11 Commission, noting its members found “plenty of clues before 9/11 if we had been able to connect the dots.” He noted that Dan Coats, the current director of National Intelligence, recently said that the “system was blinking red” on cybersecurity matters, a phrase that then CIA Director George Tenet invoked before 9/11.

The consensus of the panel was that cyberattacks are inevitable, and that preparation for law firms is necessary not only to address the technical damage but also the post-attack consequences. A post-attack communications plan is essential, the panelists said. So is thorough due diligence and planning with vendors and others in the supply chain to avoid legal consequences after a breach.

Spaulding recounted a visit she had to the DLA Piper office in Atlanta in June 2017 as the firm was experiencing the first signs of a cyberattack that essentially grounded the international firm’s operations for an extended time. She said it began with a breach with a vendor for the firm’s office in Ukraine, and then spread globally within the DLA Piper network.

She used the firm’s experience to illustrate that law firms and other businesses spend too much time on “threat and vulnerability” and not enough on “consequences” and the “continuity of (business) operations.” Plan and prioritize, she urged the lawyers present, to determine “how you are going to mitigate that risk.”

Picking up on that example, Smedinghoff, who is of counsel to Locke Lord, pointed out that phishing attempts are one of the most popular efforts to destroy or manipulate systems. He noted that the “real issue is people,” including current and former employees and those working in the supply chain. Often, these breaches are successful because employees are careless and negligent, he added.

“In the final analysis somebody has to click on those emails,” he said of phishing attempts. “Somebody has to do something … to touch off the attack.”

The panelists also explored legal issues related to payments and other issues dealing with “ransomware,” the concept of criminals shaking down businesses and others for money and bitcoins through cyber breaches. De noted this is a corporate governance issue, and that there should be a plan when an incident occurs on notifying authorities, deciding whether a payment should be made and how to communicate the situation to stakeholders, including governing boards.

“It is always the disclosure issues that tend to trip people up,” said De, a partner at Mayer Brown in Washington, D.C.

Bro, who co-chairs the task force which recently published a book, “The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals,” reminded the audience that cybersecurity “is a process not a product” requiring persistent vigilance and constant review. She touted the motto of the Boy Scouts: “Be prepared.”

“Always remember, it can happen to you,” she added.