Cyberwarfare Defined and Lawyers’ Role in the Fight
Cyberthreats are a constant in the digital world, but what does change is the nature of the attack. At a panel titled “Emerging Cyber Attack Trends and Technical and Legal Remedies,” held at the New York Harvard Club on Feb. 24, experts from the crossroads of legal and technology converged to discuss the trends in this ongoing evolution of cybercrime, as well as the role of lawyers in the fight against it. The session was divided into discussions on defining the cybersecurity war, analyzing the most successful of attacks, methods for investigation and remediation, and how lawyers factor into the fight.
The War is Waged: Threats on the Landscape
The session kicked off with the dissection of cyberwarfare. Timothy Ryan, managing director of cybersecurity at Kroll, explained a trend he’s encountered over the “last few months,” in which “a group of hackers is going around the country breaking into enterprises” and implanting malware.
“In the blink of an eye, they’re shutting the enterprise down,” Ryan said. “That’s what I call a data destroyer.” Ryan warned that, from an “impact perspective,” data destroyer threats are “number one,” and that they can be used to compromise everything from medical records to credit card information.
Ryan also discussed the various types of hackers. Among them were hacktivists, “stealing for the purpose of embarrassing people; enterprise insiders, going “rogue” with information or just being negligent in its management; and nation-state actors, which are usually protected by a sovereignty.
“[Chinese government hackers] are trained people; they have an R&D department. All the bells and whistles you have to protect your infrastructure they have, so they know how to circumvent that,” he explained. Other examples he listed are groups affiliated with the governments of North Korea and Iran.
As to ways hackers access enterprises’ information, the panel noted social engineering and malware, particularly in the form of a “skeleton key” that allows access into various points within an enterprise. This led to the question: How can we prevent hacks?
“We still don’t properly focus on the fact that there’s always somebody trying to get our stuff,” said Stewart Baker, partner at Steptoe & Johnson. “A suspicion about everything that comes in is probably worthwhile, but that’s hard to sustain.”
Baker noted that approaches to prevention depend on “who’s trying to get in,” explaining that if it’s people trying to get your credit card information, continual prevention can lead the hackers to change course. “If it’s the [Chinese military], they’re just going to keep coming at you.”
“We are all used to thinking we have adversaries – often permanent adversaries,” Baker added. “You have permanent adversaries in cyberspace too.”
Can Lawyers Take Up the Fight?
There’s more than one way to handle a breach. However, an often overlooked ally in the battle to protect information is the lawyer, and, according to the panelists, she has more weapons for the fight than many of us realize.
Dan Karson, a New York-based chairman of Kroll, said that when it comes to addressing an attack, bringing in a lawyer “is a very valuable step to take,” especially when the lawyer knows how to use freezing orders and restraining orders. The effectiveness of this decision, he said, depends on putting “to work a lawyer who knows how to use all the right tools.”
However, even with the right tools, the battle can be difficult. Karson noted, “If you have a known adversary, putting a good lawyer to work is extremely effective. If you have an unknown adversary, your strategy is a good deal more limited.”
Explaining his position, Karson defined a known adversary as a hacker within your enterprise or industry, and that dealing with an individual of this sort leaves a “menu of options available to you.” When it comes to unknown adversaries, “then you’re in negotiating posture.”
Steven Davidson, partner at Steptoe & Johnson’s Washington office, explained that after a hack, lawyers can employ a short-term remedy such as injunctive relief, engage in a long-term collection of damages, or help the client become part of a deterrence campaign.
“I’m sort of surprised looking at the cyber issue from the sidelines that there hasn’t been more use of the courts,” Davidson said. “And obviously the great difficulty is finding who to sue and when to sue.” Davidson noted that while at times we’re unaware of hackers’ identities, there are instances in which we do know them. He believes the reason that more isn’t done “on the court side to stop it,” is because, at times, there are issues of sovereignty.
However, he said as a private litigant, the ability to sue is “more available than people think,” as companies can “prove certain exemptions under the Foreign Sovereign Immunities Act in order to get subject matter jurisdiction against the sovereign.” As an example of a situation where this could take place, Davidson listed the Sony hacks, though he noted that for many companies, “the point becomes ‘to what end,’” as they often want to “put this fact in the rear view mirror,” while a case would put them in the spotlight.
Davidson noted that for “rogue countries,” assets might not be easily reached under Western jurisdictions, though he also said going after them is still attainable as they have money “going through” other countries.
As to why more remedial actions aren’t undertaken, Ryan said, “The reality is most breaches that we investigate are the product or smaller breaches in the company,” and it becomes “a cost-benefit calculation. Are we really going to be able to successfully pursue this? And if so, what’s it going to cost us in the end?”
Baker noted the effectiveness of sanctions when it comes to nation-state actors, as most companies “have to compete globally.” One reason he cited was the Obama administration’s decision to impose sanctions against the companies to which nation-state actors provide stolen data.
Davidson noted how Federal Causes of Action like the Computer Fraud and Abuse Act are useful for helping victims obtain justice and recompense as well as determine who is hacking them.
“Litigation I think can be an effective tool here,” he said. “And I foresee as we evolve in this [litigation] being used more.”
Ian Lopez, Legaltech News