LTN Law Technology News

Calling General Counsel to the Front Lines of Cybersecurity

By Sue Reisinger

Corporate Counsel

February 5, 2013


As President Barack Obama studies how the U.S. military should respond to an increasing number of cyberattacks against public and private institutions, general counsel would be wise to examine their own companies' situations.

"The U.S. is under attack, for lack of a better word, from all types of states and organizations," said attorney Joseph DeMarco, who specializes in data security and information theft at Devore & DeMarco in New York.

"The challenge for general counsel is to first understand the magnitude of the threat, the persistence of it, and the fact that it is not only directly against their company, but also indirectly through the company's outside consulting companies, accountants, and lawyers," he told CorpCounsel.com Monday.

DeMarco, an ex-assistant U.S. attorney in Manhattan, explained that it's not uncommon for someone targeting a company's intellectual property to steal it from firms that the company consults with, such as its law firms. He calls them "downstream victims."

The attacks, he said, can come from other nations, foreign companies, transactional groups, or individuals.

And the number of attacks is growing exponentially. The U.S. Department of Homeland Security has said recently that an unidentified American power station was crippled for weeks by cyberattacks. The New York Times, the Wall Street Journal, and the Washington Post have also reported attacks early this year.

"What we've seen is a broadening in the types of organizations targeted," said Grady Summers, vice president of Mandiant, a leading data security company that was hired by The Times to deal with its recent breaches.

"Five or six years ago, attacks were common among defense contractors," he explained, "but now they are against a broad range of industries, like oil and gas, high-tech manufacturers, and law firms — especially law firms.

"And the phenomenon we've seen in the last two years is the attacks on media and entertainment companies," added Summers, the former head of data security at Ernst & Young and General Electric.

Both DeMarco and Summers said general counsel can play a crucial role in protecting a company's data.

"The most effective organizations have buy-in from general counsel" on cybersecurity, Summers said. "It starts by recognizing the risk profile. We encourage general counsel to ask questions not like 'Are we secure?' — but rather 'How do we know we're not compromised today? How would we know? What would we do about it if we were?' "

DeMarco added that with today's cyberwarfare, "it is imperative for senior management to take charge of the issue, be aware of the threat, and understand where the company's most valuable information is."

"They need to understand that they will never be able to lock down everything or be completely free of intrusion," added DeMarco, who is also an adjunct professor who teaches an "Internet and Computer Crimes" seminar at Columbia Law School.

"The new normal is running a business with sensitive information where network borders are blurry, and may very well have unauthorized people on the system all the time," he noted.

Both experts said the most effective companies have a rehearsed response plan and that they drill employees repeatedly on how to deal with attacks. The training should include upper-level management, and even the board of directors, they said.

Ed Stroz, co-president of data security consultant Stroz Friedberg and a former FBI agent, has also urged general counsel to examine their information systems.

"There's data stored in clouds. Who owns the machine storing your data and what is your legal access rights to it?" he asked in a recent broadcast with Bloomberg News. Stroz declined an interview for this story.

He told Bloomberg that general counsel need a good litigation strategy in advance, especially if companies are holding content such as credit card or social security numbers that have legal implications if compromised.

Another answer for companies might be stronger involvement by the U.S. government in defending corporations from attacks.

President Obama is expected to approve the nation's first rules for how the military can defend, or retaliate, against a major cyberattack against the government, according to a story in Monday's New York Times.

But should the military be involved in private sector intrusions, even if the attacks are being conducted by another country? The recent media-company hackings, for example, have been traced to the Chinese government.

(Asked about evidence that indicated the hacking originated in China, and possibly with the military, China's Ministry of National Defense said, "Chinese laws prohibit any action including hacking that damages Internet security," according to the Times.)

DeMarco isn't sure about needing a government response. "I think the theft of intellectual property has to be addressed within strategic and economic and diplomatic realities," he said. "A trade war is not good for anyone."

He said once the U.S. departs from a bright-line policy that the military gets involved only in an attack on government computers, then "it can get pretty murky pretty quickly."

But he thinks most people would agree that major attacks on power grids, air-controller computers, financial institutions, and even large email carriers like Google's Gmail could require a government response or pre-emptive strike. "I mean are those really attacks against a company, or a country?" he asked.

Mandiant's Summers takes a more aggressive stance. "We don't expect today's enterprises to defend themselves from air attacks. And we shouldn't expect companies to do it on this type of battlefield either," he said.

"We need concerted action at the national level. I wouldn't say it has to be the military. Some think [the Department of Defense] should take lead, others Homeland Security," according to Summers.

He agrees that cyberattacks on power grids or financial institutions are really matters of national security. And for Summers, so are attacks that steal intellectual property.

"On its surface, theft of IP is just property theft," he explained, "but there's the issue of economic competitiveness in the long term," which then becomes a threat to our national security, Summers said.


