The British phone-hacking scandal graphically illustrates yet another facet of cybercrime: the vulnerability of personal mobile devices. Celebrities and politicians aren’t the only ones who should be on guard, however. Recent reports indicate that a rapidly growing number of business executives’ phones, tablets and laptops are hacked when traveling abroad, particularly in China and Russia.
With mobile devices at risk, the threat of losing critical business information multiplies, as do the worries of in-house counsel. Just a few years ago, companies’ principle digital security concern was protecting credit card numbers and other customer information. Now they must contend with massive international hacking rings bent on stealing intellectual property, “hactivist” groups that target organizations for ideological reasons and even state-sponsored computer attacks.
“The National Counterintelligence Executive issued a report last year that singled out Russia and China as two areas from which the most serious cyber espionage is taking place,” says former Secretary of Homeland Security Michael Chertoff, now a partner at Covington & Burling. “This kind of espionage can result in the theft of billions of dollars in intellectual property, and put the U.S. at a competitive disadvantage.”
Economic and industrial espionage in cyberspace can result in an enormous transfer of value to foreign companies that want to steal technology and to countries looking to put a thumb on the balance of trade. There’s no way to know exactly how much has already been lost—many if not most cyber breaches remain undetected—but estimates range as high as a half-trillion dollars in lost secrets.
“There are very high estimates, and this indisputably has a real national economic impact,” Chertoff says. “It winds up essentially smuggling out the crown jewels of our economy—our IP.”
Corporate counsel can’t help feeling overwhelmed as they struggle to contend with such nebulous and elusive adversaries. There are actions they can take, however, to better protect their companies’ critical information, starting with simply knowing what and where that data is.
What You Don’t Know
“Companies have to inventory their information to understand what they have, understand where it is, and then set protocols and protections based on sensitivity of information,” says Andrew B. Serwin, who chairs the privacy, security and information management practice at Foley & Lardner. “That’s something that a lot of companies still don’t do.”
Awareness of the full breadth of information security issues among in-house counsel often has a direct correlation to a history of security breaches. Companies that have been burned tend to get the message quickly. As such, large tech companies and the utility sector rate high in their anti-cybercrime efforts, but that just leads hackers to attack softer targets.
“Many of these hacking schemes are targeting small or medium-size businesses, in part because they’re more vulnerable,” says Mike DuBose, who leads the cyber investigations practice at Kroll. “As the larger corporations get better and more sophisticated, hackers are going after the low-hanging fruit.”
Until earlier this year, DuBose served as chief of the Department of Justice’s computer crime and intellectual property section, where he brought some of the largest computer network intrusion cases in U.S. history. He says it’s difficult but possible to criminally prosecute hackers, or even to take civil action. But first you have to track them down.
“Many of these threats originate overseas,” he says. “Gaining attribution is tremendously difficult as well because ultimately you need the cooperation of the foreign country, their law enforcement and/or their service providers. Even then, good hackers know how to hide their identity on the Internet.”
Still, it can be done. In 2007, for example, Chinese police investigators working in collaboration with the FBI broke up a $2 billion piracy ring, seizing $500 million in counterfeit software. Microsoft investigators in China conducted much of the investigation, and then turned their findings over to authorities.
“Very often the challenge is to get victims to report to law enforcement,” DuBose says. “They don’t necessarily trust that they’ll be able to protect their trade secrets through the process. The fact is, trade secrets actually can be protected, both through statutory and judicial precedents.”
The rising stakes of cybercrime have resulted in more companies looking to the government for assistance, and federal agencies are doing their best to help.
“I’ve been working with folks on Capitol Hill on new legislation designed to simplify and clarify the ability of the private sector to interface with knowledgeable government actors,” Chertoff says. “Often it’s the government that reaches out to a company that doesn’t know it’s been penetrated.”
The FBI and Secret Service typically take the lead on those investigations. From a remedial and forensic standpoint, the Department of Homeland Security or Computer Emergency Readiness Team are usually the points of contact. Intelligence agencies can offer technical assistance to companies in some cases, but up to now, such collaboration raised as many legal questions as it resolved.
What are the government’s obligations to protect information? What legal restrictions apply to global enterprises in various jurisdictions around the world? What are the government’s notification obligations in the event of a breach? Can the intelligence community be involved if investigation targets are U.S. citizens? Are agencies empowered to deal directly with these issues, or does their involvement have to be requested? Such questions and many more are addressed in the Cybersecurity Act of 2012, introduced in February.
“These issues have to do with an overlapping set of authorities that govern the intelligence community, the defense community and law enforcement that were born in the last century and don’t apply very easily in this context,” Chertoff says.
Such questions must be resolved and harmonized, however, if companies are to establish effective preventive and intrusion response plans.
“I can pretty much guarantee that any sophisticated company has intrusions all the time,” Chertoff says. “The questions are what damage is done and how quickly they’re able to respond.”