ALM Properties, Inc.
Page printed from: Corporate Counsel
On the Front Lines
As President Barack Obama studies how the U.S. military should respond to an increasing number of cyberattacks against public and private institutions, general counsel would be wise to examine their own companies' situations.
"The U.S. is under attack, for lack of a better word, from all types of states and organizations," says attorney Joseph DeMarco, who specializes in data security and information theft at Devore & DeMarco in New York. "The challenge for general counsel is to first understand the magnitude of the threat, the persistence of it, and the fact that it is not only directly against their company, but also indirectly through the company's outside consulting companies, accountants, and lawyers," he adds.
DeMarco, an ex-assistant U.S. attorney in Manhattan, explains that it's not uncommon for someone targeting a company's intellectual property to steal it from firms that the company consults with, such as its law firms. He calls them "downstream victims." The attacks, he says, can come from other nations, foreign companies, transactional groups, or individuals.
And the number of attacks is growing exponentially. The U.S. Department of Homeland Security has said recently that an unidentified American power station was crippled for weeks by cyberattacks. The New York Times, The Wall Street Journal, and The Washington Post have also reported attacks on them this year.
"What we've seen is a broadening in the types of organizations targeted," says Grady Summers, vice president of Mandiant, a leading data security company that was hired by the Times to deal with its recent breaches.
"Five or six years ago, attacks were common among defense contractors," he says, "but now they are against a broad range of industries, like oil and gas, high-tech manufacturers, and law firms, especially law firms. And the phenomenon we've seen in the last two years is the attacks on media and entertainment companies," adds Summers, the former head of data security at Ernst & Young and General Electric Company.
Both DeMarco and Summers say that general counsel can play a crucial role in protecting a company's data.
"The most effective organizations have buy-in from general counsel [on cybersecurity]," Summers says. "It starts by recognizing the risk profile. We encourage general counsel to ask questions not like 'Are we secure?' but rather 'How do we know we're not compromised today? How would we know? What would we do about it if we were?' "
DeMarco adds that with today's cyber warfare, "it is imperative for senior management to take charge of the issue, be aware of the threat, and understand where the company's most valuable information is.
"They need to understand that they will never be able to lock down everything or be completely free of intrusion," adds DeMarco, who is also an adjunct professor who teaches an "Internet and Computer Crimes" seminar at Columbia Law School. "The new normal is running a business with sensitive information where network borders are blurry, and may very well have unauthorized people on the system all the time," he notes.
But what to do? Both experts say the most effective companies have a rehearsed response plan and that they drill employees repeatedly on how to deal with attacks. The training should include upper-level management, and even the board of directors, they say.
Ed Stroz, copresident of data security consultant Stroz Friedberg and a former Federal Bureau of Investigation agent, has also urged general counsel to examine their information systems. For example, "there's data stored in clouds. Who owns the machine storing your data, and what [are] your legal access rights to it?" he asked in a recent broadcast with Bloomberg News. (Stroz declined to be interviewed for this story.)
He told Bloomberg that general counsel need a good litigation strategy in advance, especially if companies are holding content such as credit card or Social Security numbers that have legal implications if compromised.
Another answer for companies might be stronger involvement by the U.S. government in defending corporations from attacks. In fact, President Obama in February issued an executive order directing federal agencies to come up with voluntary rules for the critical companies in the private sector.
But should the military be involved in private sector intrusions, even if the attacks are being conducted by another country? The recent media-company hackings, for example, have been traced to the Chinese government. (Asked about evidence that indicated that the hacking originated in China, and possibly with the military, China's Ministry of National Defense said, "Chinese laws prohibit any action including hacking that damages Internet security," according to the Times.)
DeMarco isn't sure about needing a government response. "The theft of intellectual property has to be addressed within strategic and economic and diplomatic realities," he says. "A trade war is not good for anyone." He adds that once the United States departs from a bright-line policy that the military gets involved only in an attack on government computers, "it can get pretty murky pretty quickly."
But he thinks that most people would agree that major attacks on power grids, air-controller computers, financial institutions, and even large email carriers like Google's Gmail could require a government response or preemptive strike. "I mean, are those really attacks against a company, or a country?" he says.
Mandiant's Summers takes a more aggressive stance. "We don't expect today's enterprises to defend themselves from air attacks. And we shouldn't expect companies to do it on this type of battlefield, either," he says.
"We need concerted action at the national level. I wouldn't say it has to be the military. Some think [the U.S. Department of Defense] should take the lead, others Homeland Security," says Summers. He agrees that cyberattacks on power grids or financial institutions are really matters of national security. And for Summers, so are attacks that steal intellectual property.
"On its surface, theft of IP is just property theft," he says, "but there's the issue of economic competitiveness in the long term," which then becomes a threat to our national security.