For Western lawyers working in China, doing business can require a curious combination of legal skills and 007-like stealth. Leave your laptop in your hotel room? Expect it to be searched. Call up a website to check the weather? You might load code that pulls data off your hard disk. Does your PC weigh more than it did when you left the States? That could be a homing device, implanted on the sly and now transmitting information about the merger your client is planning. It might sound like stuff from a James Bond movie. But the threats are real, say law firm technology chiefs, and worrisome.
The perils of using technology in China aren't a topic that law firms like to talk about publicly. "This is a very, very sensitive subject in our firm," says one chief information officer who declined to talk about the topic, even on a confidential basis. Says another: "Public statements might be considered the equivalent of 'poking the bear.' On this topic, I believe we are better served staying quietly diligent."
The U.S. government has been less reticent. On its website, the U.S. Department of State advises travelers to China that Internet and telephone use "may be monitored on-site or remotely, and personal possessions in hotel rooms, including computers, may be searched without your consent or knowledge." In February 2012 national intelligence director James Clapper told the House intelligence committee that "China and Russia are of particular concern. . . . Entities within these countries are responsible for extensive illicit intrusions into U.S. computer networks and theft of U.S. intellectual property."
Law firms can be especially at risk, so much so that in November 2011, the Federal Bureau of Investigation briefed the nation's top 200 firms on hacking and other IT security risks they face. One law firm CIO who attended the session said the FBI's message was clear: "They figure law firms are a particular target because big companies use them for deals, and [firms] often have weaker security than the companies themselves." Another CIO says that in the last 18 months he has attended four meetings where "three-letter federal agencies spoke about targeted hacking of law firms." (This CIO says that participants were asked not to provide details of the briefings.)
Austin Berglas, assistant special agent in charge of the cyber branch at the FBI's New York office, says the bureau routinely reaches out to law firms, along with financial institutions, universities, and research centers, because "highly skilled cyber-criminals often target these organizations on behalf of foreign nation-states who seek to gain an advantage socially, politically, or economically."
One law firm CIO, who, like many of the other CIOs quoted in this article, asked not to be identified, says that Chinese clients are forthcoming about the risk: "They will say, if you leave your computer on in your hotel room and go to dinner, you can be assured that someone will try to break into it."
Not that this CIO, who oversees technology for an Am Law 100 firm with an office in China, needs to be convinced. Each day he receives a report on "port scans" experienced by the firm. A port scan is essentially the cyberspace equivalent of a tug at a window: someone on the outside checking, on their own and without permission, for a way onto a network. A firewall (the barrier that keeps unauthorized traffic from entering or leaving a law firm's data center) typically has thousands of ports. A hacker needs only to find one that is open and vulnerable. On an average day, this CIO's firm sees more than 3 million port scans: 2.4 million originating from within the United States, 500,000 from China, and 100,000 from every other country on the globe combined. He says he can always tell when there is a holiday inside China: That's when the number of port scans drops significantly.
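As an added illustration, not taken from the article or from any firm's tooling, here is a small Python script that does what the CIO's daily report does: it reads firewall deny-log lines, flags sources that probed many distinct ports (the "tug at the window"), and rolls the scanning sources up by country of origin. The log line format, the GeoIP mapping and the threshold of five distinct ports are assumptions, and the log lines use RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Constructed firewall deny-log lines (RFC 5737 documentation addresses); not real traffic.
SAMPLE_LOG = """\
2012-03-05T02:14:07Z DENY src=203.0.113.7 dst=198.51.100.10 dport=21
2012-03-05T02:14:07Z DENY src=203.0.113.7 dst=198.51.100.10 dport=22
2012-03-05T02:14:08Z DENY src=203.0.113.7 dst=198.51.100.10 dport=23
2012-03-05T02:14:08Z DENY src=203.0.113.7 dst=198.51.100.10 dport=80
2012-03-05T02:14:09Z DENY src=203.0.113.7 dst=198.51.100.10 dport=443
2012-03-05T02:14:09Z DENY src=203.0.113.7 dst=198.51.100.10 dport=3389
2012-03-05T02:15:01Z DENY src=192.0.2.44 dst=198.51.100.10 dport=445
2012-03-05T02:15:02Z DENY src=192.0.2.44 dst=198.51.100.10 dport=445
2012-03-05T02:16:30Z DENY src=198.51.100.200 dst=198.51.100.10 dport=22
2012-03-05T02:16:31Z DENY src=198.51.100.200 dst=198.51.100.10 dport=23
2012-03-05T02:16:32Z DENY src=198.51.100.200 dst=198.51.100.10 dport=25
2012-03-05T02:16:33Z DENY src=198.51.100.200 dst=198.51.100.10 dport=110
2012-03-05T02:16:34Z DENY src=198.51.100.200 dst=198.51.100.10 dport=135
"""

# Constructed stand-in for a GeoIP lookup; a real report would query a GeoIP database.
SOURCE_COUNTRY = {"203.0.113.7": "CN", "192.0.2.44": "US", "198.51.100.200": "FR"}

# Assumed log format: "... DENY src=<ip> dst=<ip> dport=<port>".
LINE_RE = re.compile(r"DENY src=(?P<src>[\d.]+) dst=[\d.]+ dport=(?P<dport>\d+)")


def find_scanners(log_text, min_ports=5):
    """Return {src: sorted distinct dports} for sources that probed at least
    min_ports distinct destination ports. A source hammering one port
    (e.g. repeated SMB attempts) is not a port scan by this definition."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ports_by_src[m["src"]].add(int(m["dport"]))
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


def scans_by_country(scanners, geo=SOURCE_COUNTRY):
    """Daily-report style rollup: number of scanning sources per country of origin."""
    counts = defaultdict(int)
    for src in scanners:
        counts[geo.get(src, "??")] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_scanners(SAMPLE_LOG)
    for src, ports in found.items():
        print(f"{src} ({SOURCE_COUNTRY.get(src, '??')}) probed {len(ports)} ports: {ports}")
    print("scan sources by country:", scans_by_country(found))
```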
Security concerns about China are "very legitimate [and] very high on our radar screen," says Linn Freedman, a partner at Nixon Peabody who leads the firm's privacy and data protection group. (Like a growing number of Am Law 100 firms, Nixon has a presence in mainland China, with an office in Shanghai; it has also assembled an internal "privacy council" of attorneys, management, and IT professionals to deal with privacy and security issues.) "There is no privacy in China," Freedman says. "You have to understand that when you are doing any business in that country. There are no statutory or legal protections. It is a whole different atmosphere than doing business in the European Union or the United States, and it is scary."
In fact the only protections firms have are the ones they create for themselves. What follows are policies that firm CIOs are instituting to protect lawyers who are doing business in China. They are also, the CIOs say, smart steps to take when lawyers travel in any nation where cyber-espionage poses a heightened risk, and that doesn't just mean the usual suspects like Russia; two tech chiefs noted that France has been a surprisingly active hotspot for hacking and cyber-theft.
Take a loaner laptop
The most fundamental precaution is to take a "clean" laptop on the trip. Lawyers should never bring their usual machine, the one they use day in and day out for work (and the one filled with work-related data). Firms generally have a cache of loaner laptops that contain no work product. If these are lost or otherwise compromised, the potential damage is contained.
Other devices that may contain work or personal information, such as a tablet, should be left at home whenever possible. "You try to have a serious discussion with folks on what they need to take and have them trim back," says Matt Kesner, chief information officer at Fenwick & West. "We strongly encourage them not to take their own smartphones and iPads and definitely not their own laptops, not just to China but when they go many places in the world."
While this advice might seem like a no-brainer, another CIO notes that it is not something partners, who are often used to doing things their own way with their own equipment, like to hear. "We had a document where we said, don't go [to China] with your standard laptop, but take a loaner, and a lot of attorneys were not thrilled with that," he says. Making a rule, he adds, was out of the question: The firm just didn't work like that. Besides, "at the end of the day, partners are going to do what they want, and the Chinese know that, and the hackers know that," he says.
Embrace desktop virtualization
By itself, a clean laptop can reduce security concerns but not eliminate them entirely. After all, lawyers could create sensitive work product on their loaner machines during their trip, or visit websites that plant harmful code, known as malware, on the laptops, which among other things can intercept keystrokes or compromise any data that is on the machine. So some firms strive to make loaner laptops as bare-bones as possible, stripping them of Web browsers, word processing software, and email programs, and ensuring that no data is ever stored on them. So if prying eyes do come upon the laptop, there is nothing to see. The trick, in short, is to remove most of the things that make a laptop useful without making it useless. As luck would have it, there is a technology that does exactly that: desktop virtualization. Firms are flocking to it.
What desktop virtualization does is turn a laptop into, in effect, a keyboard and screen. All of the actual applications, computer processing, and data storage take place back in the firm's data center, where they can be secured. Many firms use platforms developed by Citrix Systems Inc. or VMware Inc. to accomplish this.