Ever heard of a “blended threat” or the “weaponizing” of information?
If you haven’t, then listen up to Morrison & Foerster’s John P. Carlin, who gave a master class on the current cybersecurity landscape, discussing emerging threats and practical guidance on how lawyers and law firms can prepare for and respond to cyber-threats.
Carlin knows from whence he speaks: as Assistant Attorney General for National Security, he led the U.S. Department of Justice’s (DOJ’s) National Security Division and was DOJ’s highest-ranking national security lawyer. Previously he served as Chief of Staff to the Director of the FBI.
He launched a nationwide outreach effort to raise awareness of national security, cyber, and espionage threats and to encourage greater C-suite involvement in corporate cybersecurity. His tenure also included the investigation of the attack on Sony Entertainment's computer systems, the indictment of members of the Chinese military for economic espionage, and the examination of Russian attempts to influence elections across Europe and in the U.S. Now Global Risk & Crisis Management Group Chair at Morrison & Foerster, he gave a rundown of what worries him on behalf of his clients.
First, he explains the “blending” of criminal and national security threats, such as terrorists or state actors who collaborate with — and even moonlight for — criminal enterprises. Carlin noted we have seen state-linked actors such as the Syrian Electronic Army and “hacktivist” groups with political or social agendas who also engage in cyber crime on the side to profit and advance their goals.
Companies victimized by cyber schemes assume the perpetrators are garden variety criminals. “It looks like a simple criminal act,” said Carlin, “and so it goes unreported.”
The Blended Threats
Carlin’s first case in point of a “blended threat” is someone like Junaid Hussain, who was a key ISIS operative until his death in an American drone strike in 2015, or Ardit Ferizi, sentenced last year for material support to terrorism. Both used traditional hacker methods to advance terrorist activities, often in ways that disguised their true aims.
“They used social media and Twitter and called on adherents to hack companies or sent around a kill list of employees,” Carlin said. To the company that is the victim of the hack, “it looks like a cyber threat, but it’s also putting companies on the front lines of national security in a way that wasn’t true before,” Carlin said.
Another version of the blended threat: the mix between hacktivist and crook, and the related problem of what the intelligence community calls a “false flag,” an operation staged to look like the work of a different actor. For example, when the Syrian Electronic Army hijacked the Associated Press’s Twitter account in 2013 and posted a false report of explosions at the White House, the stock market briefly plummeted. Carlin also pointed to companies in strategically important sectors being hacked so that nation states could exploit their information. “We were able to watch in real time into companies [and] universities, watching their data be hacked and then go back to nation states like China,” Carlin said of his time in government. “So how do we increase the cost to the hackers?”
In the 2014 indictment, for instance, members of the Chinese military were charged with stealing cost and pricing information from a U.S. solar panel manufacturer so that a Chinese rival could undercut it, and then stealing the litigation strategy the company needed to fight back in its trade cases.
How did a company like Sony fight back when it was the victim of a hack of confidential information? They cultivated high-level contacts in government. “They knew exactly who to call at a high level. We were in direct contact with Sony executives working on who and what would go public on the government’s side,” he recalls of the hacking. Within a few months, Sony’s share price had recovered after initially plummeting.
Then there’s “ransomware,” malware that locks or encrypts a victim’s systems and extorts a cash payment to restore access, which affects about 60% of American companies. The FBI has warned about the risks of making payments: paying does not guarantee the data comes back, it can lead to companies being re-victimized in the future, and it creates incentives for more ransomware. But Carlin acknowledges it can be a difficult choice and that “Many pay, because, let’s face it, what would you do to get back up and running?”
And industry’s growing use of the “internet of things” presents another distinct challenge: outages or denial-of-service attacks that can reach everything from cars to utilities to pacemakers.
What to Do?
Are you monitoring your social media? Do you have a rapid-response communications plan? Such a plan is critical, Carlin stressed, so that in the event of an incident you know where to turn, who will be in charge, and how you will mitigate the damage.
This advice is particularly important for law firms. Law firms “represent a weak spot,” Carlin said. “In government, we saw a trend where, in certain sectors, the cybersecurity defenses are put at the top-end like in the finance sector. The law firms would be a weak point, especially firms with outside counsel [who] compile everything that will hurt the client the most,” such as litigation files.
“It’s easy for bad guys to figure out and go after the law firms and consultants,” he added.
He notes the highly publicized instance of the law firms Cravath Swaine & Moore and Weil Gotshal being targeted by hackers, who broke into the firms’ networks to gather information about upcoming merger and acquisition deals. Another 48 law firms in Chicago were targeted by Russian hackers in 2016.
Often, the law firm won’t know who was behind the breach. “Sometimes it’s hard to tell if it’s a government hacker or a crook. It could be the same guy using the same tool kit,” he said.
Even with more attention being paid to these issues, law firms “are still being targeted, especially small- or mid-sized law firms. The amount of attention, time and resources protecting systems has increased exponentially since five years ago. But given where the threat level is, it’s still a significant risk. I’ve had a fair number of breach situations and experiences advising people pre-breach. You have to share what you’re seeing with the private sector.”
Carlin also stressed the importance, for law firms and others, of reaching out to the government in advance. Even if you haven’t yet had a breach, cultivate relationships with the cyber AUSA (Assistant U.S. Attorney) in your district, and contact your local FBI cyber task force and its outreach program. Getting together as a group of law firms, he added, creates good opportunities for an outreach session.
Law firm IT groups “are sharing threats they’re seeing with peers, through groups such as ISACs (Information Sharing and Analysis Centers). ISACs are blessed by law enforcement to share info without running into potential antitrust concerns. They don’t share what’s been stolen, but threats, the code being used, tactics, procedures from adversaries.”
(The ISACs are organized by sector and named accordingly: FS-ISAC for financial services, IT-ISAC for information technology, and LS-ISAC for legal services.)