Lawyers, some maintain, are merely handmaidens. They're rarely on the invitation list, but they are instrumental in getting their clients to the gala in the best shape possible.
Which doesn't mean that lawyers are outside the line of fire. Should someone want to wreak havoc on royalty, a direct attack is not always the best route. The king and queen, after all, are surrounded by formidable security measures. Exploiting a trusted advisor's proximity to the monarch can be considerably simpler than a direct attack.
Consider, for example, that when an Australian radio station wanted information about Kate Middleton's pregnancy, they didn't even try to call the duchess; rather, they contacted her hospital and her nurses, who promptly spilled the beans.
Thoughtful lawyers should have been at least a bit discomfited by the royal breach. After all, nobody was really interested in the workings of the hospital or the nurses' lives — just as nobody is really interested in lawyers. Unless, of course, they're watching Perry Mason and his clones, or reading John Grisham, and everyone knows that the reality quotient of these scripts can be sorely lacking.
What the radio station was interested in, of course, was the hospital's VIP patient. Now substitute “client” for “patient” and what you'll find is that the real world is a great deal more interested in lawyers' clients than in their representatives. “For someone who wants easy access to competitive intelligence, law firms are the lowest hanging fruit,” says Domenic Jaar, KPMG's Montreal-based National Practice Leader, Information Management Services.
All of which goes to explain why cyber security has become such a hot issue for law firms these days. And if truth be told, it's probably a much bigger issue than the profession cares to admit: law firms, after all, are not very likely to acknowledge publicly that they've been the target of cyber attacks, especially successful ones. After a Legal Week survey released in October 2012 found that almost one in five law firms in the country had suffered a cyber attack in the previous 12 months, chief information officers at some of the UK's largest law firms told the publication that “the threat and frequency of cyber attacks is likely to be much higher than the perceptions of those surveyed.”
That's not surprising: losing confidential information is high on the list of factors that can undermine a firm's reputation. So much so that the website of Maryland-based SANS Institute – the world's largest information security training and certification organization – recounts an incident where the managing partner and IT partner of a large New York law firm had been told by the FBI that all the firm's proprietary files had been found on a server used as a way station for sending data to China.
Alan Paller, SANS' Research Director, asked what the lawyers were planning to tell their clients. “Telling them anything would be crazy!” the lawyers responded. “Can you think of a better way to destroy their trust in us than informing them that all the documents they gave us under attorney-client privilege have been stolen?”
For an idea of just how far this problem might extend, consider the spontaneous reaction of lawyers at the American Bar Association's February 2013 Midyear Meeting. At a cyber-security program, ABA members were asked whether they believed their firm had been the victim of a cyber attack. Nearly 100 per cent raised their hands.
Studies by the Ponemon Institute – a Michigan-based research centre dedicated to privacy, data protection and information-security policy – show that third-party attacks account for upwards of 40 per cent of cyber-security breaches. “We are no longer dealing with script kiddies sitting in basements drinking Smirnoff and trying to get some attention for themselves,” says Daniel Tobok, National Head of Forensics for TELUS.
According to David Craig, PwC's Toronto-based National Information Security Practice Leader, potential hackers can be state-sponsored groups and other parties interested in corporate espionage, organized crime, opportunists who exploit a weakness for one-time gain, or “hacktivists” with a cause or ideology.
The most high-profile attack in Canada started in September 2010 when hackers compromised the security of seven major Canadian firms – Blake, Cassels & Graydon LLP, and Stikeman Elliott LLP among them – involved in BHP Billiton's proposed takeover of Saskatchewan's Potash Corp. Both Blakes, counsel to BHP, and Stikeman Elliott, counsel to Potash, say that no client information was compromised.
That wasn't all: elsewhere, an unrelated attack targeted another major M&A, while a third was aimed at high-profile litigation. “We're seeing the rise of very substantial sustained and massive campaigns where governments seek to extract information by attacking computer networks,” says Stewart Baker, a partner in the Washington, DC, office of Steptoe & Johnson, who spent more than three years as the US Department of Homeland Security's first assistant secretary for policy. “What they have discovered is that sometimes the best way to get that information is by going after the lawyers who act for the real targets.”
The security problem related to Potash emerged after one of the law firms detected an intrusion. The firm hired Toronto's Digital Wyzdom (founded by Tobok and now part of TELUS) to investigate. Digital's analysis revealed that the spyware responsible had been formulated on a Chinese-language keyboard and could be traced to servers in China linked to state-owned enterprises.
It was no secret that the Chinese government, worried about a global potash monopoly, opposed the deal. As the Chinese have long been accused of resorting to cyber espionage for various political and commercial purposes, the evidence implicating China was telling.
But it's not just law firms doing sensitive M&A deals that are being targeted. Fraudsters recently embedded what is known as the “Trojan bank virus” in a computer used by the bookkeeper in a small, Toronto-area law firm. The virus emulated a bank's website: when the bookkeeper typed in the firm's trust account password, it sent the password to the hackers. It then became a simple matter to access the account and transfer out what has been reported as a “six-figure amount.”
In the US, Washington, DC-based Mandiant Corporation, an information-security company, estimates that 80 major US law firms were hacked in 2012. As far back as 2010, though – about the time that the Canadian firms involved in the Potash transaction were first targeted – Los Angeles-based Gipson Hoffman & Pancione reported receiving emails that allegedly came from firm members but were in fact “Trojan horses” capable of retrieving data from the firm's computers. Investigators traced the email to Chinese servers and noted that the emails were similar to those sent to a firm client, a software company that it was representing in a $2.2-billion lawsuit against the Chinese government and various computer manufacturers.
In his book The New Digital Age, no less an authority than Google's Executive Chairman, Eric Schmidt, calls China “the world's most active and enthusiastic filterer of information.” Schmidt proved somewhat prescient when, just about the time the book was published, the New York Times and the Wall Street Journal both accused the Chinese government of breaching their internal networks to steal information, including the passwords of reporters and other employees.
The Times hired Mandiant to investigate. Mandiant's report, APT1: Exposing One of China's Cyber Espionage Units, leaves little doubt that the Chinese government is behind hordes of attacks on US and Canadian corporate and government networks. According to the Times, the most serious incident involved a Canadian subsidiary of an American software company whose products are used for the remote control of the valves and switches that oil and gas pipelines and power-generating utilities use in their distribution systems.
Direct competitors not linked to government may also be potential hackers. Public reports suggest, for example, that Nortel's systems had been seriously compromised before the company's demise. “You've got to wonder what impact these attacks, which began some 18 months before Nortel's financial situation became public, had on the company's competitive position,” Baker says. “But that's never been examined too closely.”
Still, unscrupulous companies working alone are not nearly as formidable a threat to law firms as state-linked concerns. “For many Western companies, hiring hackers is just illegal and off limits and few are willing to take the risk,” Baker says. “Because of the expense and sophistication involved, you're more likely to find the threat among companies, particularly SOEs, that have a close relationship with an intelligence service.”
What makes law firms even more attractive to hackers is that their cyber-security defences have tended to lag behind the defences of their clients. “As companies get more sophisticated, the attackers have moved on to secondary targets,” Baker says.
The irony is that law firms' information can be more valuable motherlodes for cyber hackers than the data harboured by their clients. “For example, on an M&A deal, we sometimes have information or documentation that the clients themselves don't have,” says Dick Jensen, Director of Technology at Toronto-based Goodmans LLP.
Both Jonathan Evans, Director General of the British Security Service, and Bear Bryant, the US Counter Intelligence Executive in the Office of the Director of National Intelligence, have warned publicly of the threat that inadequate law firm security poses to business. More particularly, Evans warned the managing directors of 300 UK companies that hackers were “as likely” to steal company information from law firms as they were from the company itself, that most law firms' security was “very weak,” that lawyers often don't pay attention to security notices and guidelines, and that significant information relating to international corporate activities is “usually much easier to find in a law firm's files than in the corporate files.”
At least one lawyer well-versed in the issue is of similar mind. “Several years ago, while serving as the national counter-intelligence executive, I sat with colleagues discussing how we would plan an espionage attack against an American business,” writes Joel Brenner, formerly Senior Counsel at the US National Security Agency and now a partner in Cooley LLP's Washington, DC, office, in his book America The Vulnerable.
“And then a lightbulb went on: the law firms! Of course: A company's outside intellectual property lawyers have its technical secrets, and their corporate law colleagues are privy to strategic business plans. And lawyers don't like taking instructions from anybody, particularly their less well paid underlings who are responsible for network security. They're impatient. In some firms the rainmakers have nixed even simple steps, like requiring a password on mobile devices that connect with the firm's servers. They couldn't be bothered. Privileged with secrets, lawyers are the perfect targets. I cannot disclose what I know because it's classified, but I can disclose that I know that my surmise was soon justified. US law firms have been penetrated both here and abroad.”
So what are Canada's law firms doing to shore up their security? Both law firms and outside experts agree that awareness is increasing. “The Potash takeover incidents brought cyber security to the forefront because the attacks occurred so close to home,” says Jensen.
By way of example, the Potash incident prompted Goodmans (which was not a target in the M&A-related cyber attack) to introduce application white-listing technology developed by Massachusetts-based Bit9, Inc. The software allows only trusted programs to run on a law firm's system. “The theory is that everything is blocked unless it is explicitly authorized,” Jensen says. “If it is not, we check it out to make sure it is what it purports to be and then allow it if it's safe — because we're not trying to police our staff's online habits. But the software does step up the level of protection beyond almost anything else and catches stuff that anti-virus software would not.”
National firm Gowling Lafleur Henderson LLP has also embraced Bit9. “Our IT department tells me that it's really the product to have,” says Sharon Mitchell, the firm's COO. “And even though we're working in a global marketplace with offices in Moscow and London, we have not had security breach issues.”
By contrast, Torys LLP simply locked down end user privileges on the firm's desktops, which prevented end users from installing unauthorized applications. “In the past, we had wide open computers where people could install whatever software they chose, but that opened the floodgates to malicious software,” says Patrick Laflamme, the firm's Director of Information Services. “But we now understand that in today's environment, no one can do that without permission.”
But, naturally, there's a price. “Technology costs have gone up because law firms are now layering their security systems,” Laflamme says.
Keeping up with the technology is but one element of effective cyber security. “The weakest link in the cyber-security defence chain,” says Mitchell, “is the human link.” Ameliorating the problem doesn't involve rocket science, but it does mean breaking old habits and forming new ones, tasks that are arguably more difficult. “The biggest challenge is making sure that people think before they click and exercise caution when faced with questionable email or odd behaviours,” Laflamme says.
Having recognized the issue, law firms are dedicating more resources to educating lawyers and staff. Torys, like many Canadian firms, has instituted formal and informal education initiatives, ranging from seminars, to memos offering tips and tricks, to word-of-mouth communications. “Where organizations had put significant spending into protecting their perimeter in the past, the emphasis has now shifted to making sure that people are aware that law firms will be targeted for their data and what individuals can do to protect that data,” Craig says. “A well-educated and equipped workforce is the strongest defence against cyber breaches.”
The upshot is that cyber security is more top-of-mind than it has ever been. “Lawyers are more sensitive to cyber-security issues because they're now reading about it all the time and in many cases recognizing and even identifying with the targets,” Jensen says. “Nowadays, when we meet with lawyers about security issues like home computers and remote access, they're really paying attention — instead of just acknowledging that they should be paying attention.”
Craig says proper training programs focus on awareness, a communication plan via email or some other method, and formal classroom training. “Most organizations will require between one and four hours of classroom training annually for their employees,” Craig says. “And they should supplement this training with continual computer-based training that focuses on best practices.”
Some experts maintain, however, that Canadian law firms aren't doing enough. “They are waking up,” Craig says, “but they're still too complacent and, to the extent they believe that their efforts have made them safe, they won't be looking for the signs that indicate they are being watched or attacked.”
According to Craig, complacency, inefficient document-management systems that drive users to find more expedient – and often less secure – ways to transfer data, misuse of social media, and failing to test policies and procedures for effectiveness are among the most significant factors putting law firms at risk.
By way of example, KPMG's Jaar says he knows of only one law firm that practises live monitoring, a process that searches out distinct network patterns that reveal either external or internal hacking. That's particularly important, Jaar says, because internal hacking can be as significant a problem as external hacking.
That's borne out by the Ponemon study cited earlier, which suggests that third-party attacks only account for roughly 40 per cent of cyber-security breaches, meaning that intentional or careless internal behaviour accounts for the majority. In this regard, Jaar tells the tale of a law firm's IT director who was caught doing insider trading on the basis of information he obtained from the firm's records.
“The difficulty is that information governance does not exist in most law firms,” Jaar says. “They have individuals who have access to all the law firm's systems, insufficient security measures regarding access in general, and not much logging of what people are doing on the network.”
Programs like Bit9, he says, can only take security so far. “Lawyers are a risk because they don't understand technology, so these applications are helpful in their case, but Bit9 is useless against internal IT folks or the like,” Jaar says. “And internally, the true risk is not the partner earning $500,000 but the IT individual making $50,000.”
Unencrypted email, Jaar points out, is also the standard in law firms. “If you're worried about preserving confidentiality in an M&A transaction, you've got to protect personal email as much as you do deal documentation that resides on the law firm's server,” he says. “Failing to do so is like going outside in bad weather wearing a coat but forgetting your boots.”
Craig is of the view that the legal community is farther ahead than others in some respects, but that doesn't mean they can drop their vigilance. “From a technological point of view, the major firms are protecting their perimeter,” he says. “But it has been said that, of the 300 million people using the Internet in China, about 100 million are doing things we would not expect them to do. IT departments in law firms will never be able to create the perfect defence to such collective wisdom, so they should be learning to deal more effectively and efficiently with things like incident response.”
For his part, Tobok likens lawyers to hibernating bears. “You poke the lawyers, and they may react, but they're still sleeping,” he says. “For the most part, they're still too conservative in their approach to cyber security.”
That conservatism, it appears, emanates from on high. “The federal auditor-general's report in 2012 was very critical of the Canadian government's approach to cyber security,” Craig notes. While the US government has taken cyber attacks seriously enough to authorize a military response and has recently unveiled a strategy to mitigate the theft of US trade secrets, the cyber-defence office in Ottawa is staffed only during business hours on weekdays.
It's also significant that US law firms supporting public issuers are subject to mandatory breach notification.
“The likelihood is that US firms are ahead of Canadian firms because there is a culture of awareness and true belief in the US generally that the country will be attacked, and that attitude helps drive the establishment of more proactive defences,” Craig says.
After government departments and parliamentary networks were penetrated and sensitive data stolen in February 2011, Canada's Ministry of Public Safety launched a Cybersecurity Awareness Month as part of an ambitious national cyber-security strategy. But critics like Rafal Rohozinski, CEO of the SecDev Group, a Canadian security consultancy, say Ottawa has “eviscerated” the program for budgetary reasons.
Regulation in the cyber-security area is also wanting. “Firms will spend more if government regulation requires them to do so,” Craig says.
Lawyers are also increasingly sensitive to client demands. But it's not as if clients are pressuring them to a significant degree. “Even in the US, companies have not been driving law firms in a particular direction,” Baker says. “In-house counsel were aware of the problem in much the same way that their external lawyers were aware of it, but they were not at a point of insisting that cyber-security provisions form part of standard engagement terms.”
Although a number of corporations have gone so far as to audit their law firms' cyber-security practices, clients are just beginning to articulate their expectations.
One of the problems is that best-practice guidance is still nascent. One of the most promising initiatives, however, is the International Legal Technology Association's recently formed Legal Information Security Council (LegalSEC), which hopes to release best-practice guidance on security for law firms at its 2013 summer conference in Chicago.
“One outcome may be that law firms will start to separate more sensitive data from their general network and protect it with greater rigour,” Baker says. “Another outcome is that law firms may start to ask clients to keep the sensitive documentation on their own systems and give the law firms access to it so that the company will not be relying on the sophistication or lack of sophistication of their lawyers as it relates to cyber security.”
What a firm chooses to do will ultimately depend on the risk it perceives. “The smaller the firm, the less it tends to do, but the larger the firm, the greater the risk and the cost of a breach,” Jaar says. “All things considered, however, my conclusion is that most law firms are not doing enough in light of the risks they face.”
That needs to change. “The situation used to be that law firms believed they might be attacked,” Craig says. “What they now need to understand is that they will be.”
Julius Melnitzer is a freelance legal-affairs writer in Toronto.
Key Steps for Cyber Security
While best practices are still evolving, it's clear that law firms cannot stand still in the interim. PwC's David Craig has the following suggestions for what law firms should do now:
1 > Understand that they are going to be attacked and increase awareness, communication and training on the subject of cyber security.
2 > Understand the value of their data and who would want access to it. If it is data that nation states, competitors or organized crime would want, protect it accordingly.
3 > Develop and test an incident response plan. Because lawyers have been trained in critical thinking, have superior language skills, and understand legislation perhaps better than the CEO, they may take for granted that they are fully equipped to handle a crisis. However, they still need to prepare and test their capability under simulated or role-play conditions.
4 > Improve data-loss detection capabilities. When data is copied, no one will detect it as missing. But unauthorized copies are often what hackers are after.
5 > Share best practices with other firms. Collaboration for the benefit of the profession is critical, as no single firm can defend itself against the resources of those trying to compromise the data.
Low-Cost Measures
Comprehensive and sophisticated cyber-security systems and processes are bound to be costly. But according to Karim Jinnah of Animate Inc., a legal IT consultancy that services firms in the 50-to-100-lawyer range, there are a number of basic, low-cost measures available to law firms:
1 > On “patch Tuesday,” which occurs once monthly, Microsoft releases security patches for its operating systems and applications. “I recommend strongly that firms – especially firms that are under-resourced on the IT side – systematically take advantage of these patches,” Jinnah says.
2 > Do not allow users to have administrator privileges on their computers.
3 > Manage anti-virus software and firewalls properly.
4 > Use strong passwords that contain numbers, letters and punctuation. “You can use a phrase but include something like an ampersand,” Jinnah advises. “Stay away from something that an intrusive, automated program can look up in the dictionary.”