This post was co-written by AJ Jahanian (JD ’17) and Regina Zernay (JD ’17).
On Friday, January 29, 2016, the
Chapman Law Review
hosted its annual symposium titled
Cyber Wars: Navigating Responsibilities for the Public and Private Sector
. Over the course of the day, four distinguished panels discussed the history and evolution of cybercrimes, as well as the outlook on our abilities to minimize these incidences.
The Government Perspective: Preventing, Regulating and Responding to Cyberattacks
The first panel discussed the government’s perspective on preventing, regulating and responding to cyberattacks. The panel presented varying perspectives on the state of current cybersecurity, and how it can be improved. Stephen Flores, Special Agent at the FBI, provided some insight into how proactive the United States government truly is in preventing cyberattacks, but also, notably, how the government uses the internet to prevent more physical crimes (such as terrorism). Scott Shackelford of the Indiana University’s Kelley School of Business and Jasper Tran of the University of Minnesota discussed with brevity current models that countries (and private companies within) are following, and which of those we should emulate given their current successes and/or failures.
Keynote Address: Harvey Rishikof
This year’s keynote address,
Framework for the Future of Cybersecurity
, was presented by Harvey Rishikof, Chair of the American Bar Association (ABA) Advisory Standing Committee on Law and National Security and Co-Chair of the ABA Cybersecurity Legal Task Force. Mr. Rishikof is the former Dean of Roger Williams College of Law, and Professor of Law and National Security Studies at the National Defense University, National War College in Washington, D.C., where he chaired the Department of National Security Strategy. He also served as Legal Counsel for the Deputy Director of the Federal Bureau of Investigation.
Mr. Rishikof began his lively presentation by describing the division between technology specialists and lawyers, what he called the “Geek – Wonk Divide.” The “Geeks” are the IT professionals whose strengths lie in writing algorithms, coding, math, physics and computer science. In contrast, the “Wonks” are the lawyers, who focus on policy and regulation. Despite the differences between both sides, he said, the issue of cybersecurity cuts across all sectors, whether public, academic or private, and each sphere has trouble trying to approach this problem.
He identified three competing frameworks – cybercrime, espionage and cyber war. Cybercrime falls under Title 18 most easily, and the core of § 1030 is authorized and unauthorized access. Espionage falls under Title 50, which governs intelligence, as well as Executive Order 12333. Mr. Rishikof explained that the government is interested in gaining a “decisional advantage” from uncovering information about the intent and capabilities of foreign lands. Mr. Rishikof observed that the internet has created an amazing place for espionage, and the information is extremely advantageous; thus, we can expect the government to exploit the resources the internet provides. Finally, war falls under Title 10. This deals with the law of conflict, and it is driven by the Defense Department.
The cyber world is used across all three platforms, and Mr. Rishikof pointed out that it is not owned by any of the platforms using it. Instead, the platforms are traversing something controlled by the private sector.
Mr. Rishikof went on to identify the instigators of cybersecurity problems, a group he called “CHEW” (Criminals/Hactivists/Espionage/Warriors). The questions asked when an issue arises are (1) who is hacking you, (2) which statutory authority applies, and (3) what your responses may be. In today’s world, the FBI now chases hackers, and guns are likely to “go the way of the stage coach,” he said. Mr. Rishikof described this as revolutionary; agents have gone from knocking down doors to chasing hackers hiding behind computers.
To organize the ABA in order to regulate cybersecurity, admittedly a difficult task, Mr. Rishikof said three major groups – law firms, critical infrastructure and international norms – have been identified.
Law firms possess a great deal of private information. In answering the question of why the field is so difficult, Mr. Rishikof identified four vulnerabilities. First, software, by its nature, is flawed. For instance, the average length of malware is 140 lines, versus iPhone apps, which consist of hundreds of thousands to millions of lines of code; this makes it easy to bury malware. Second, there is a hardware problem. A disturbing example of this is if other countries added extra hardware in electronics when their companies have been contracted to manufacture technology. Third, people are a vulnerability because they can be used to access private systems and networks. One example is when thumb drives are given away for free to employees, but loaded with code that allows instigators to hack into a company’s systems. Finally, internet service providers themselves can leave firms vulnerable.
Critical infrastructure indicates both our physical and cyber vulnerabilities. Of the 16 critical infrastructures identified, the most critical is the electrical system, said Mr. Rishikof.
Finally, four international norms recommended in a recent report commissioned by the United Nations were discussed. First, a state should not conduct or support activity that threatens critical infrastructure. Second, a state should not conduct or support activity to prevent action by CERTS (Computer Emergency Response Teams) for cyber structure emergencies. Third, states should assist other states in controlling and mitigating cyber threats. Fourth and finally, a state should not conduct or support activity that facilitates cyber-enabled threats of private, intellectually valuable property.
To address these problems, Mr. Rishikof said we have “four hammers” for implementation: litigation, Tax Code (providing both incentives & disincentives), the insurance industry and legislation or regulation.
Regarding the private sector, Mr. Rishikof said the question of where liability lies is driving the issue and solution; more specifically, the corporate world will take action so long as there’s no liability attached. The current approach by the Department of Defense is that if a company has been hacked, it won’t be penalized for failing to protect the information, but they do want information for the investigation.
In discussing solutions for the private sector, Mr. Rishikof recommended that companies have a management risk committee. He suggested factoring it into a company’s plans and budgeting for it. He also recommended a public information officer, and a planned company response in case someone has been compromised.
Mr. Rishikof’s keynote was well-paced and entertaining, filled with timely and relevant information, and sound practical advice.
The Corporate Perspective: Corporate Duties and Responsibilities Relating to Cyberattacks
The second panel focused more on corporations’ perspectives on cybersecurity, provided us with varying viewpoints on the ability of corporations to minimize the incidences of attacks on their sensitive corporate information. Mike Hornak, partner at Rutan & Tucker. described the startling dichotomy, wherein the risks of costly and harmful cyberattacks are enormous, yet corporations often concern themselves more with the short-term costs of implementing uniform rules. David Groshoff of the American Jewish University, described in detail, some of the notable recent cyberattacks that have stymied our economy and even air travel. However, Groshoff’s resolution to these threats, unlike Hornak’s, which suggested hiring external third party experts to handle a company’s cybersecurity issues, detailed internal company changes (such as establishing committees or members of the board with fiduciary duties) that would affect the corporation’s cybersecurity policy.
View the webcast
Cybersecurity for the Practitioner: Client Security, Discovery, and Ethical Considerations
To begin the fourth and final panel, Professor Eli Wald of the University of Denver Sturm College of Law, gave an energetic and well-researched presentation about lawyers and cybersecurity. Professor Wald explained that lawyers, as centers of valuable and sensitive information, are often seen as a “one-stop-shop target” for hackers. Law firms can sometimes be more vulnerable than clients because their offices may be smaller than their clients’, they work with a lower budget, and they may have less sophisticated measures in place to prevent cyberattacks. Additionally, due to increased competitiveness, lawyers are under great pressure to be responsive 24 hours a day, 7 days a week, and as a result, they employ advanced technology and work remotely. This can lead to the use of technology they don’t fully understand, increasing the risk of a cyberattack. The list of those attacking lawyers includes insiders, social engineers, state-sponsored hackers and even governments.
Fortunately, he said, as many as 97% of cyberattacks can be prevented. Professor Wald discussed a number of ways to prevent attacks, such as virus scanners, firewalls, software updates, and better password procedures.
Professor Wald also cited a number of reasons why there is not sufficient protection from cyberattacks, such as under-regulation of lawyers’ cybersecurity conduct and the legal ethics of cybersecurity. Under the current rules of professional conduct, lawyers are not required to take action to protect themselves from cyberattacks.
Professor Wald described three things we can do to address these problems. First, he suggested mandating the adoption of cybersecurity plans in the Rules of Professional Conduct. Second, he urged that the definition of “reasonable efforts” should mean, in the rules of professional responsibility, to prevent the inadvertent or unauthorized disclosure sensitive information. Finally, he recommended requiring disclosure to clients of cyberattacks and data theft.
Scott B. Garner, Advisor and former Chair for the Committee on Professional Responsibility and Conduct, State Bar of California, and Attorney at Umberg Zipser LLP, provided a well-organized and clear discussion about the ethical duties of lawyers both pre- and post-breach, along with techniques and strategies to help lawyers take reasonable precautions to avoid a breach.
Ethical duties pre-breach involve a blending of the duties of competence and confidentiality. While the duty of competence does not require a lawyer to be an expert, Mr. Garner advised that he should probably hire a consultant. The duty of confidentiality is statutory, and is held to a higher standard in California. Additionally, the duty of confidentiality is also owed to former clients. As former clients can number in the tens of thousands, Mr. Garner warned that notice and implementation can sometimes prove to be difficult.
Mr. Garner offered a number of reasonable precautions that firms can take to avoid a breach. He discussed the considerations involved, such as technology, additional safeguards, the sensitivity of the information, and client expectations. Some strategies he suggested included the use of technology, policies, monitoring, and the very important and often overlooked tool of staff education.
Useful forms of technology Mr. Garner mentioned included encryption, access control, firewalls, antivirus software and “kill switches” which shut off the computer if it’s lost or stolen. Policies Mr. Garner suggested included “BYOD (Bring Your Own Device)” policies for the use of personal devices, access control, polices regarding the use of social media and public wifi and a procedures for handling angry and departing employees.
Mr. Garner wrapped up his presentation with a discussion of ethical duties post-breach, which include the duty to communicate, the duty of confidentiality and the duty of loyalty/conflict avoidance.
The third panelist, Tanya L. Forsheit, Partner at Baker & Hostetler LLP, gave a spirited presentation on the ways in which lawyers are currently meeting and exceeding their ethical requirements in cases of a breach.
Ms. Forsheit noted that existing laws (not just ethics) require attorneys to disclose security breaches. For instance, California has a security breach law that applies to a number of industries possessing sensitive information (e.g., health/medical information, social security numbers and credit card information). Additionally, California law requires reasonable measures to protect sensitive client information (both at law firms and other businesses). Many jurisdictions also require written plans. Since these obligations already exist, additional ethical requirements may not lead to a great change in current behavior.
Ms. Forsheit also mentioned that lawyers have become much more tech-savvy. Ms. Forsheit predicted that, eventually, there will be some common law guidance about the definition of “reasonable efforts.”
In terms of requiring disclosures of cyberattacks, Ms. Forsheit said the big issue is what the “trigger” is (i.e. when has information truly been compromised). California has a higher standard. The amount of notification is also an issue; it may be unreasonable to require notification for every suspected incident. Also, too many notifications can lead to notice-fatigue and desensitization.
Ms. Forsheit summarized by saying that lawyers are catching up, but they still have some catching up to do. Law firms, however, are paying attention and know that cybersecurity is an issue.
The fourth and final speaker was Drew Simshaw, Attorney & Teaching Fellow at the Institute for Public Representation, Georgetown Law.
Professor Simshaw began with a discussion of the lawyer’s ethical obligations, including reasonable security, breach notification laws, HIPAA and Federal Trade Commission Act Section 5 – Unfair or Deceptive Acts or Practices. He warned of the consequences of failing to meet these obligations, which can include malpractice suits, ethical violations and a loss of credibility.
Professor Simshaw advised lawyers to take statistics with a grain of salt, as they are often incomplete and suffer from inherent uncertainty. He suggested implementing small-scale fixes, as well as offering training for all staff members. On a larger scale, Professor Simshaw suggested changing legal education to address this, and even the ethics rules themselves.
In terms of generational challenges, Professor Simshaw observed that the older generation may be less tech-savvy, but they will have a critical eye about important issues. Historically, lawyers have had an aversion to new technology, but eventually, this aversion evolved into annoyance, and finally acknowledgment of technology’s usefulness. In today’s world, we recognize the benefits and risks associated with technology, and a competent and vigilant attorney should take advantage of the security benefits offered by new technology. However, lawyers are vulnerable and advised to “practice what they preach” to clients and protect their personally identifiable information. They should also know when to bring in consultants and do so whenever necessary.
Professor Simshaw advised that ethics rules should be viewed as a “floor, not a ceiling,” and lawyers should always attempt to protect themselves before anything happens. He encouraged lawyers to talk with clients before a breach, and to think of security as an investment, reminding everyone that an ounce of prevention is worth a pound of cure. Finally, he urged lawyers to include all staff in measures to prevent a breach, and to be proactive and keep up with changes in technology.