President Obama's cybersecurity executive order, released February 12, had legal technology experts split in their opinions.
The order (full text) calls for specific actions: civil liberty and privacy protection; collaborative development of tiered security standards based on the context of an organization's data; creation of federal cybersecurity technical guidelines; identification of critical infrastructure; periodic policy review; and periodic unclassified security reports.
Law firm computer security, and by association the security in electronic discovery products, is increasingly considered important because the firms and technology company networks hold valuable client data. "We have hundreds of law firms that we see increasingly being targeted by hackers," Federal Bureau of Investigation cybersecurity expert Mary Galligan said at LegalTech New York this month.
FBI officials have long acknowledged that they regularly share cybersecurity information with private companies, often through a project called InfraGard, which has 56 chapters nationwide. The group's membership is not disclosed, although Hogan Lovells partner Jeffrey Lolley co-chairs InfraGard's cybersecurity committee. Hogan partner Harriet Pearson blogged about the executive order. "President Obama noted that this executive order is meant to fill a gap while Congress continues to pursue legislation," she observed.
The National Institute of Standards and Technology announced its own security information sharing plan in 2012. Now, NIST is calling for public comments on the executive order, the agency announced. Law firms have their own entity, the LegalSEC committee of the International Legal Technology Association, which formed in 2012 and is hosting its first conference this summer.
Adam Carlson, of security consultancy Carlson & Wolf, focuses on law firms. He saw reasons for optimism and skepticism. "I think the cybersecurity program could have a major positive impact on the cybersecurity readiness of American business, but the program must be well-designed and well-executed, something always easier said than done," he noted, in Oakland, Calif. "However, the order is vague in describing what types of organizations will be impacted. ... It appears to leave open the possibility that at least some law firms would be included due to their management of various types of highly sensitive client data," he said. "Similarly, there is a lack of clarity about what types of information will be shared and how the shared information can be used to prevent successful cyberattacks."
KPMG observers agreed with that assessment. E-discovery specialist Katey Wood said cybersecurity is top of mind for her clients. "I can tell you that we've had a number of inquiries from clients for services around breaches, both direct and indirect," she said, in New York. Edward Goings, principal, added a larger context: "With the increased activity around state-sponsored attacks and increased activity around cyberterrorism, companies know this issue has to be addressed now instead of later. I think the executive order by the administration is a step in the right direction to get companies sharing information rather than keeping it quiet."
Attorney Craig Ball, in Austin, Texas, also saw the positives and negatives. "Every exercise of political will in support of hardening critical infrastructure against hacking is a positive step, and it's laudable that the president has so prominently elevated the issue in the national consciousness," Ball said. "But, we should not conflate his commissioning what is basically a big study of how to proceed toward the goal with making genuine progress. Furnishing more information about cyberthreats is of limited value if those who receive more information aren't acting on the threat data they already receive."
Ball added that many cyberattacks happen after "zero-day" events (security vulnerabilities that are newly discovered and for which patches don't yet exist) or after companies ignore well-known system weaknesses.
"Not only is the executive order more aspirational than executive, I worry that its legacy will be to prompt Congress to extend broad immunities from liability to the companies who have proven so lax in their stewardship of critical infrastructure. Without the specter of liability, without sharp teeth, there's little to motivate private concerns to upgrade information infrastructure in support of cybersecurity," Ball continued. "We should be vigilant to prevent labeling anyone from Google to Amazon to your local power company as a provider of 'critical infrastructure' if that label only serves as the cybersecurity equivalent of 'too big to fail' and operates to limit accountability to those injured by sloth, ignorance and greed."