Cyber (in)security

Cybersecurity experts say a recent blockbuster report linking the hacking of more than 100 organizations to the Chinese military is the latest, though not the first, wake-up call to law firms. But this time they hope attorneys won’t hit the snooze button.

The report by cybersecurity firm Mandiant linked 141 mostly American organizations, including four unidentified law firms, to a military unit outside Shanghai.

While the report underlined that the biggest risks are still for international law firms working on sensitive deals of interest to nation-states, the FBI has warned that cyber criminals are increasingly targeting small and mid-size businesses. Concurrently, clients are beginning to demand that law firms have strong anti-hacking measures in place before agreeing to representation.

“Some clients are giving all vendors security questionnaires, and including law firms,” said Steven R. Chabinsky, senior vice president of legal affairs and chief risk officer at the security startup CrowdStrike. “If this company is going to provide you with sensitive information, you have to answer 40 questions.”

A number of area law firms were contacted for this story but declined to comment, fearing it would draw unwanted attention from hackers. As one representative for an international law firm with a Boston presence put it, “We don’t want to wave the red cape” and invite hackers to test the firm’s system. The rep went on to say that his firm takes cybersecurity very seriously, employing the increasingly common practice of having a chief information security officer on staff to coordinate and oversee efforts.

“The managing partner needs to keep this on their radar and have daily or weekly meetings to discuss it,” said Chabinsky, a former practicing lawyer who also spent 17 years in the FBI. “A law firm needs professional expertise brought in. Just like a client needs a lawyer to handle a case, lawyers need to rely on outside security personnel.”

Security is a process, Chabinsky added, and it needs to be treated that way.

“What was amazing to me, when I was in the bureau, was organizations that purchased the correct software but never configured it correctly. That’s like purchasing an alarm system but never turning it on,” he said.

Peter Tran, head of the advanced cyber defense practice at EMC Corp.’s security division, RSA, said law firms are increasingly at risk because hackers more and more are relying on “indirect attacks.”

For example, rather than identifying a corporation and attacking it straight on, hackers are now looking for the path of least resistance. Oftentimes, it’s the company’s law firm.

“Law firm security has left a lot to be desired,” said Steven R. Baker, a partner at the Washington, D.C., firm Steptoe & Johnson. “Anybody who wants to know something about the legal advice being given to large companies, such as negotiating strategy, could be trying to attack law firms. No one sends uninteresting stuff to their lawyer, because they can’t afford to have them spend time reviewing irrelevant information.”

Chabinsky said a cybersecurity breach can be particularly devastating for a law firm, since lawyers are obligated to protect client information and their reputation for doing so can be their most valuable asset — or debilitating liability.

“Law firms are particularly susceptible to computer intrusions because they have the most sensitive information,” Chabinsky said. “They’re basically the central repository for sensitive information on behalf of hundreds of clients, and they tend to have weaker cybersecurity than the companies they represent. They tend to be the weakest link for those seeking highly sensitive information.”

Chabinsky said cybersecurity within the legal community remains relatively weak despite the fact that the FBI and consultants like himself have been sounding the alarm since at least 2009.

“We do work with law firms quite a bit,” Tran said. “It’s a critical area to address. Are they slowly moving in that direction? Yes. Are they as prepared as they should be? No.”

Identifying risk

Baker said his firm was recently the victim of an attempted attack in which a free Yahoo email account was created to look like one belonging to him and used to send a message to every attorney in his practice group. The message encouraged Baker’s colleagues to click on a link to a national security memo that, in reality, would compromise the computer if clicked on.

“Hackers figure out what you’re likely to click on, stay within your area of interest, and all you need is one person to click on it. If one person falls for the email, they’ve got a tentacle into your system and can very quickly build from there. It requires a very lengthy and expensive disinfection process to eradicate,” Baker said, adding that the attack on Steptoe & Johnson was not successful.

“We got lucky, but as the IRA said to Margaret Thatcher, ‘You have to be lucky all the time. We only have to be lucky once.’”
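The incident Baker describes has a signature a mail gateway can check for before anyone has to decide whether to click: a sender whose display name matches a firm attorney but whose address is not on the firm's own mail domain, a free webmail provider as the sending domain, and a link pointing off the firm's infrastructure. The following is an added example, not code from the article or from any firm named in it; the firm domain, attorney list, freemail list and the three sample messages are all constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed values for this example (not from the article): the firm's mail domain
# and the attorneys whose names an impersonator might borrow.
FIRM_DOMAIN = "example-lawfirm.test"
ATTORNEYS = ["Steven R. Baker", "Jane Doe"]
# Free webmail providers where anyone can register a lookalike account (illustrative list).
FREEMAIL_DOMAINS = {"yahoo.com", "gmail.com", "outlook.com", "hotmail.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def name_key(name):
    """Reduce a personal name to a comparable key: lowercase, drop initials, sort tokens,
    so that 'Steven R. Baker', 'Baker, Steven' and 'steven baker' all compare equal."""
    tokens = [t for t in re.findall(r"[a-z]+", name.lower()) if len(t) > 1]
    return " ".join(sorted(tokens))


ATTORNEY_KEYS = {name_key(n) for n in ATTORNEYS}


def sender_domain(from_header):
    """Domain part of the RFC 5322 From address, lowercased ('' if absent)."""
    _, address = parseaddr(from_header)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_firm_host(hostname):
    # Exact match or a real subdomain; a plain endswith() would also accept
    # 'evilexample-lawfirm.test', which is why the dot is required.
    return hostname == FIRM_DOMAIN or hostname.endswith("." + FIRM_DOMAIN)


def classify(headers, body):
    """Return (verdict, reasons) for one message; verdict is 'block', 'review' or 'allow'."""
    reasons = []
    display_name, _ = parseaddr(headers.get("From", ""))
    domain = sender_domain(headers.get("From", ""))

    # The core lookalike check: an attorney's name on a message that did not come from the firm.
    impersonation = name_key(display_name) in ATTORNEY_KEYS and domain != FIRM_DOMAIN
    if impersonation:
        reasons.append("display name matches a firm attorney but mail did not come from %s" % FIRM_DOMAIN)
    if domain in FREEMAIL_DOMAINS:
        reasons.append("sender domain %s is a free webmail provider" % domain)

    external_hosts = sorted({
        urlparse(u).hostname or "" for u in URL_RE.findall(body)
        if not is_firm_host(urlparse(u).hostname or "")
    })
    if external_hosts:
        reasons.append("body links to external host(s): %s" % ", ".join(external_hosts))

    if impersonation:
        verdict = "block"      # name spoofing of a colleague is never legitimate
    elif reasons:
        verdict = "review"     # external mail with external links: route to a human
    else:
        verdict = "allow"
    return verdict, reasons


# Constructed sample messages (headers dict, body text); none is real mail.
SAMPLE_MESSAGES = [
    ({"From": "Steven Baker <steven.baker.law@yahoo.com>", "Subject": "National security memo"},
     "Please review the memo before tomorrow: http://memo-share.test/natsec-memo.pdf"),
    ({"From": "Steven R. Baker <sbaker@example-lawfirm.test>", "Subject": "National security memo"},
     "Draft is on the intranet: https://intranet.example-lawfirm.test/memos/natsec"),
    ({"From": "Docket Alerts <alerts@courts.test>", "Subject": "New filing"},
     "A new filing is available: https://courts.test/dockets/12345"),
]


def run_samples():
    """Verdict for each sample message, in order."""
    return [classify(headers, body)[0] for headers, body in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for headers, body in SAMPLE_MESSAGES:
        verdict, reasons = classify(headers, body)
        print(headers["From"], "->", verdict)
        for r in reasons:
            print("   ", r)
```

The first sample is blocked on all three counts, the second (genuinely internal, linking to an internal host) is allowed, and the third (legitimate external sender with an external link) is queued for review rather than blocked. The name-matching step is deliberately loose about initials and ordering because that is exactly the variation an impersonator exploits; the cost is that a genuinely external person who shares an attorney's name will be held, which is the safer failure for a firm holding client material.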

Knowing how far to go to protect against such an attack, known as “spear phishing,” and others can be difficult for lawyers. Most of the ethical guidance requires practitioners to take “reasonable efforts” to protect client information.

That’s vague, but cybersecurity consultants agreed that the best place for a law firm to start is by asking questions to help identify the risk they face. To determine whether they might be a target, firms should ask what information they have that would be of interest to outsiders.

Michael DuBose, managing director and cyber investigations practice leader at Kroll Advisory Solutions, said it’s not always the information people typically suspect.

“Law firms are increasingly being targeted because of the type of sensitive data they have on their clients in relation to sensitive deals,” DuBose said. “Just because it’s not credit card numbers and personal information doesn’t mean it’s not valuable. The type of data they have on their clients is highly valuable to get a market advantage in a particular deal or industry.”

For example, Baker said law firms have to assume hacking is a tactic that will be used if a client is negotiating a deal with a state-owned entity in China or one that otherwise would be of interest to the People’s Liberation Army or other nation-states with intelligence-gathering apparatuses.

“Anybody in the intelligence business is in the hacking business,” Baker said.

But while nation-states may have the most capability and interest in hacking a law firm, Chabinsky said, “you don’t have to be the target of a nation-state to be the target of hacking as a law firm.”

DuBose noted the rise of “hacktivism” and the use of cyber attacks to achieve political goals.

Hacktivists “will target information that can be used to embarrass a client or the law firm itself,” DuBose said. “That, in particular, would be devastating to a lawyer’s reputation.”

Protecting yourself

The consultants said law firms should use email authentication and encryption, come up with passwords that are hard to reverse engineer, and maintain a “white list” of applications that are safe and permitted to be installed on the firm’s computers and other devices.

There also should be protocols in place for sharing and destroying information and an incident response plan, in the event of a breach, that spells out whether and how to notify clients. Beyond antivirus, software should be installed to track all activity on the firm’s network and to detect abnormalities. Logs of network activity should be reviewed daily.
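"Reviewing logs daily" is only useful if the review has something to compare against. A simple and workable form is a baseline of the destinations each workstation normally talks to, rebuilt from previous reviews, against which one day's outbound connection log is checked for destinations never seen before, unusually large outbound transfers, and activity outside working hours. The example below is added here and is not from the article or from RSA, Kroll, CrowdStrike or any firm mentioned; the log format, the baseline, the thresholds and the sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format (hypothetical): one outbound connection per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed baseline: destinations (remote host:port) each workstation has been seen
# talking to in earlier reviews. In practice this is regenerated from prior days' logs.
BASELINE = {
    "ws-17": {"mail.example-lawfirm.test:993", "docs.example-lawfirm.test:443", "203.0.113.10:443"},
    "ws-22": {"mail.example-lawfirm.test:993", "docs.example-lawfirm.test:443"},
}
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024   # one connection sending >= 100 MiB out (assumed threshold)
WORK_HOURS = range(7, 20)                  # 07:00-19:59 counts as working hours (assumed)

# Constructed sample of one day's log; the final line is deliberately malformed.
SAMPLE_LOG = """\
2024-05-01T09:02:11 host=ws-17 user=sbaker dst=mail.example-lawfirm.test:993 bytes_out=20480
2024-05-01T09:15:40 host=ws-22 user=jdoe dst=docs.example-lawfirm.test:443 bytes_out=4096
2024-05-01T13:40:02 host=ws-17 user=sbaker dst=203.0.113.10:443 bytes_out=8192
2024-05-01T02:14:05 host=ws-17 user=sbaker dst=198.51.100.77:443 bytes_out=524288000
2024-05-01T14:05:19 host=ws-22 user=jdoe dst=198.51.100.77:443 bytes_out=1024
malformed line that the parser must tolerate rather than abort on
"""


def parse(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def review(log_text, baseline):
    """Return (findings, unparsed_count). Each finding is (host, kind, detail)."""
    findings = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if rec is None:
            unparsed += 1          # count, but keep going: a parser failure is itself worth reporting
            continue
        known = baseline.get(rec["host"], set())
        if rec["dst"] not in known:
            findings.append((rec["host"], "new-destination", rec["dst"]))
        if rec["bytes"] >= LARGE_TRANSFER_BYTES:
            findings.append((rec["host"], "large-outbound-transfer",
                             "%d bytes to %s" % (rec["bytes"], rec["dst"])))
        if rec["ts"].hour not in WORK_HOURS:
            findings.append((rec["host"], "off-hours-activity", rec["ts"].isoformat()))
    return findings, unparsed


def correlate_new_destinations(findings):
    """Map each new destination to the sorted list of hosts that contacted it.
    A destination new to several hosts on the same day deserves a closer look than one new to a single host."""
    hosts_by_dst = defaultdict(set)
    for host, kind, detail in findings:
        if kind == "new-destination":
            hosts_by_dst[detail].add(host)
    return {dst: sorted(hosts) for dst, hosts in hosts_by_dst.items() if len(hosts) > 1}


if __name__ == "__main__":
    found, bad = review(SAMPLE_LOG, BASELINE)
    for host, kind, detail in found:
        print("%-6s %-24s %s" % (host, kind, detail))
    print("unparsed lines:", bad)
    print("destinations new to multiple hosts:", correlate_new_destinations(found))
```

On the sample log this yields four findings: ws-17 reaching a never-seen destination at 02:14 with a 500 MiB upload (three findings on one line), and ws-22 quietly reaching the same destination that afternoon; the correlation step ties the two together. After a review, destinations judged benign are added to the baseline so they stop appearing, which is the part of the process that makes the next day's review short enough to actually happen.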

Tran admitted that those steps require a sizable investment without a clear return, something that frustrates firms and managing partners. He said he tries to think like a lawyer and pitch RSA’s services using terms such as “exposure” and “downstream liability.”

And while the measures might seem like overkill to a partner who simply wants to be able to access all the documents he needs on any device at any time, or who is annoyed at having to decrypt his emails, that’s because “strong data security and convenience have an inverse relationship,” DuBose said.

“The day is going to come sooner rather than later that law firms will be judged not just on the quality of their legal representation,” Chabinsky said, “but also the quality of their computer security.”