Artificial Intelligence and the UK vs. US Approach

Originally published on Legal Insights UK & Ireland

By Joseph Raczynski, edits, questions and preface by Ann Lundin and Joe Davis.

‘Artificial intelligence will threaten most jobs at some point soon—and new jobs will emerge’

The impact of innovative technology is undoubtedly going to radically reshape the delivery of legal services in the years ahead. To help consider the extent of this impact within the legal industry – and indeed, the current state of play, Legal Insights UK & Ireland spoke to Technologist and Futurist at Thomson Reuters, Joe Raczynski.

Tell us something about Joe Raczynski. You have been labelled as a ‘super geek’. How did you achieve this unique status?

It’s actually ‘Sir Super Geek of the Square Table’—as the Queen kindly bestowed recently. More seriously, I am very fortunate. My personal passions and professional career have spectacularly collided. Since I was young I would tinker with electronics, including building a home security system from spare computer parts, penetration testing networks as a white hat hacker, building websites and eventually fiddling with all things computer and technology related. For me, pure satisfaction is derived from being an early adopter of a technology, immersing myself in it, and then sharing that with others—ultimately seeing their eyes grow in amazement, interest and most importantly extrapolation. I still recall describing ‘digital cash’, e.g. Bitcoin, in 2011 to friends and seeing their awe and skepticism. On the other side, I bought Google Glass and trumpeted its potential, until the overwhelming collective societal shame forced them back into their box. The technology in a more robust form will return in a few years, I promise.

Tell us about your role at Thomson Reuters.

I oversee a wonderfully nimble team of technical client managers. Our collective goal is bifurcated. Part one is to assure that all our (80-plus) Thomson Reuters Legal products and services work well for our customers. Part two, which is ever growing, is sitting down with our customers across law firms, corporations, and government agencies to understand their technology initiatives. We are able to see the trends across the various facets of our legal customers, and serve as technology evangelists to share those insights with our customers. Historically, we have also listened to them about where ‘tool gaps’ lie, and either code those solutions ourselves, or work with the larger Thomson Reuters to build solutions.

Does the progressive development of AI and robots threaten your job or anyone else’s? If so, how soon?

AI will threaten most jobs at some point soon, mine included but a tad further out. Anything repeatable, routine, or even easy to adapt to ‘if then’ statements, will be impacted. Many of the traditional services positions will fade away first: drivers, wait staff, store clerks, and then some professional positions, such as project managers, will be next. Mentally, we all need to prepare for this eventuality. The positive is that new industries will evolve which haven’t been invented yet, which will spur new jobs.

How is AI currently disrupting the legal industry?

In the legal space, you can already see it on the eDiscovery front. Eight years ago, new lawyers might be tasked with document review spending 80 hours a week. Now law firms need far fewer eyes reviewing documents, because of AI-infused tools. Document automation tools like Contract Express or Drafting Assistant make law firms much more efficient by replicating and modifying exemplar documents with ease. Those firms that adapt soonest will be best positioned moving forward.

What do you make of law firms engaging more directly with incubators/tech start-ups?

There are several things afoot. Law firms traditionally were technology risk averse, but that is rapidly changing. The first tug on the law firm is clients asking for them to be more agile, forcing new mindsets. Another pull is that law firms tend to be a highly profitable industry, and for that reason small companies have now cast their gaze on their large margins. You have hundreds of new start-ups seizing upon niches of the legal business, be it the practice or business of law. Lastly, law firms are seeing the above and deciding to band together with start-ups to test the waters on new products and services. This has a secondary purpose: it also better positions the firm as forward thinking for new clients.

How do UK and US large law firms’ attitudes differ in their receptiveness to new legal technology, and willingness to invest?

I have seen a wide variety of responses on adoption of legal technology at US law firms. Recently one firm stated, ‘we are not going to invest in AI because we are an insurance firm and it will not help us’. Conversely, I have seen several large law firms tossing millions of dollars at internal initiatives to develop new tools. My experience with UK firms demonstrates a real tilt toward innovation perhaps more universally than in the US. It seems that currently the push to be more efficient in the UK surpasses that need in the US. Despite major transformative landscape changes in the US, there are clusters of firms that will not change—until forced to do so, which will likely happen within five years. In general UK firms are thinking more like a business.

Does the growing necessity to adopt time-saving, efficiency-driven legal technology put pressure on small and medium-sized law firms to invest? What will likely happen if they don’t?

Personally, I believe the medium-sized firms could be best positioned with new efficiency-driven legal solutions. To that end, I am starting to see medium-sized firms competing against the biggest law firms. Five years ago, this wasn’t as feasible. No matter the size of the firm, they must have a keen eye to investigate the latest legal technology trends, tools, and service models. If they don’t, they will miss opportunities—and a streak of missed opportunities will lead to significant risk of survival.

Classification of Cryptocurrency: Coins, Tokens & Securitized Tokens

Originally published in the Legal Executive Institute

By Joseph Raczynski

One of the most contentious debates in the cryptocurrency world surrounds classification of blockchain-based digital assets, tokens and cryptocurrencies. A panel at the recent Thomson Reuters Regulation of Financial Services Conference discussing the basics of cryptocurrencies examined this argument. With more than 1,650 cryptocurrencies or tokens trading in the public domain, it is important to understand their nuanced differences.

Cryptocurrency

Dominating this conversation in the United States is whether specific coins are securities, and secondly, if a utility token can exist. In addressing the first part, the US Securities and Exchange Commission (SEC) recently shed some light by declaring both Bitcoin and Ethereum non-securities. This assertion defines that there is no expectation of equity or return on any investment in these virtual currencies. The overarching belief had held that Bitcoin is a currency and thus a competitor to the US Dollar or Euro; and Ethereum is more complicated.

Tokens

The original intent behind Ethereum was that it supported smart contracts by using its blockchain token called Ether or ETH. In this case, a token stands as a digitized tool to perform a service, similar to those physical token coins used in some video game arcades or laundromats. In this digitized version, the Ethereum platform was intended to perform a service and store more complex, automated, yet immutable code on its blockchain (for example, storing a contract on the blockchain that dictates a sell order if the stock of Amazon reaches $2,000 per share on January 1, 2020).

What differentiates Ethereum from Bitcoin is that the token ETH is used to upload and save that smart contract to a blockchain using “gas”, basically the payment of ETH for each transaction. Therefore, many argue that ETH is a “utility token”, performing a service, i.e. saving that contract to the blockchain. What complicates this is that many start-up tech companies are using Initial Coin Offerings (ICOs) on the Ethereum platform to launch crowd-funding campaigns and raise money. The complication — raising money in this form — has some regulators and industry watchers arguing that these ICOs are more like securities, similar to stocks, even if they are sitting atop the Ethereum token-based platform rather than on a stock exchange.

Tokenized Securities

Now, a hybrid product that is emerging quickly is the tokenized security. Recently at Consensus in New York City, a company called Polymath created a platform on which anyone who wishes to raise money for their company quickly can do so by issuing tokenized securities. The primary difference with this model is that the issuer is offering shares or portions of ownership of the company. There is also a belief that these types of securities will eventually adhere to SEC regulation, which is yet to be determined. What drives the regulatory discussion is a 1946 Supreme Court ruling now called the Howey Test, which determines if something is a security or not. The tenets of the Howey Test are as follows:

  1.  It is an investment of money
  2.  There is an expectation of profits from the investment
  3.  The investment of money is in a common enterprise
  4.  Any profit comes from the efforts of a promoter or third party

For a token to be considered a security, each of the above must be true. The primary point of contention is around point four, “Any profit comes from the efforts of a promoter or third party”. This aspect is typically out of the hands of the investor and not something they can control. When these tokens are launched on third-party exchanges, this falls outside of that individual investor’s domain, and for many, nullifies the Howey Test.

Or as Ash Bennington of CoinDesk phrased it:

A long time ago, someone named Howey owned an orange grove.

Howey said: “I’ve got this orange grove and I’ve got no way to make money out of it — because I need money to make money.”

Tell you what. I’m going to sell you this orange grove and, in exchange, you get whatever profits are made from that little plot.

I’ll work the land. I’m going to pick the oranges. I’m going to squeeze the juice. You just pay me the money.

The plaintiffs said: “That’s a security.”

The SEC said: “That’s a security.”

Howey said: “No, no. That’s just selling plots of oranges.”

Ultimately, the Supreme Court said: “That’s a security” – because it passed this test: There was an investment of money. And a common enterprise. With the expectation of profit, primarily from the efforts of others.

Governments around the world are grappling with the classification of cryptocurrencies in what should become a multi-trillion-dollar industry within the next decade. With so much at stake for everyone from the garage startups to the Morgan Stanleys of the world, some regulation is inevitable. Most are merely hoping for clarity, not confines, which could hurt the innovation stemming from the once-a-generation revolutionary platform technology called blockchain.

Kill Chain: The 7 Stages of a Cyberattack

Originally published in the Thomson Reuters Tax & Accounting Blog

By Joseph Raczynski

In our new world reality where cyberattacks are a daily occurrence and every organization must focus on critical infrastructure surrounding cybersecurity, businesses have begun to think like the military. How can we defend our enterprise? To that end, it’s not surprising that companies have adopted soldierly, combative mindsets and terminology.

The term “kill chain” originates from the armed forces and refers to the structure—or seven stages—of a cyberattack:

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Action on Objectives

Now, many proactive institutions are attempting to “break” an opponent’s kill chain as a defense method or preemptive action. One of the leaders in this space adapting the concept for Information Security is Lockheed Martin.

Thinking Like a Hacker
A hacker typically has a creative, analytical mindset. These individuals search for paths toward a solution—often devising serpentine and circuitous routes to attain their goal. It’s this approach that we need to build awareness around if we are to thwart an onslaught of attacks.

As an example, let’s pretend that a hacker wants to get into your Tax Consultancy LLP organization to pilfer the Social Security numbers of your clients. This is how they may think at every stage of the kill chain. Your goal is to understand the steps and proactively counter each one to protect your network.

Stage 1: Reconnaissance
Hackers begin by researching your company online—gathering names, titles, and email addresses of people who work for the organization. They identify one person to target and then plan their avenue of attack. They may use e-mail attachments with viruses, port surf the company network, drop a memory card containing malicious code in the parking lot, or decrypt WiFi traffic. In this scenario, let’s say they choose e-mail as their method. An e-mail containing a link is sent to the selected individual, who, once they click on the link, inadvertently downloads the malware.

Stage 2: Weaponization
Hackers have libraries of code at their disposal that they use and tweak for their attacks. They consider the networks, operating systems, and software that Tax Consultancy LLP—and every company they target—may run. By identifying these components through research, the hackers can customize their code to work in those environments. One of the most common ways to compromise a computer or network is to attack unpatched software by companies such as Microsoft or Cisco—applications that have known vulnerabilities, but ones that Tax Consultancy LLP may not have updated.

Stage 3: Delivery
In this instance, the hacker has decided to target the CFO of Tax Consultancy LLP. Through research, the hacker knows the name of the CFO, where she lives, works and even personal information gathered from the Web. He knows she coaches an eighth-grade softball team, enjoys camping, and shops at a local Safeway Food store she once complained about on Google reviews. Armed with this information, the hacker decides to lure the CFO with a spear phishing tactic.

Stage 4: Exploitation
The hacker crafts a perfectly feasible email to the CFO.

“Dear Jenny, it has been too long since we last spoke! I hope all is well. The last time we chatted we were at Safeway, complaining about their so called “fresh fish” section. One of these days they will have fresh shrimp, not just the frozen variety. The reason I am writing is that our daughters are in the same softball league. They have grown up so fast! I know you are busy, so you may not be aware, but they are hoping to go to Florida for a tournament in a few months. We are trying to raise some money for the kids who currently don’t have the means to get there, can you please help by donating say $20 to the cause? You can click here to donate.”

Stage 5: Installation
There is a 96 percent likelihood that the CFO will click on the link in the spear phishing e-mail. When she does, the malicious software takes root.

Stage 6: Command & Control
Once the malicious code has been installed, it phones home to the hacker. The hacker then has the ability to control it, let it sit for an extended period of time, automatically listen to packets across the network, or crawl through the network. All of this depends on what was deployed and what the hacker wants from the system. In our imaginary scenario, the hacker is after Social Security numbers, so he may attack the central database of Tax Consultancy LLP that houses all of their clients’ information, most likely found in an unencrypted DBA system, or perhaps Excel spreadsheets or other email accounts. The hacker is then able to harvest the information and send it out through the firm’s firewall to a remote server as a repository.
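
One way to break the chain at this stage is to look for the phone-home traffic itself. The following added example (not part of the original article) flags host and destination pairs whose outbound connections recur at near-constant intervals; the record layout, host names, allowlist and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy records: (seconds since capture start, internal host, destination).
EVENTS = (
    [(t, "cfo-laptop", "cdn-sync.example.net") for t in (0, 301, 599, 902, 1200, 1499, 1801)]
    + [(t, "cfo-laptop", "news.example.org") for t in (12, 40, 55, 700, 720, 1650, 1660)]
    + [(t, "cfo-laptop", "time.example.com") for t in (5, 605, 1205, 1805, 2405, 3005, 3605)]
)


def find_beacons(events, allowlist=(), min_events=6, max_cv=0.1):
    """Flag (host, destination) pairs whose connections arrive at near-constant intervals."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        if dst not in allowlist:  # known periodic services (hypothetical allowlist)
            by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) < min_events:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        # Coefficient of variation: low means machine-like timing, high means human browsing.
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst,
                             "interval_s": round(avg), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(EVENTS, allowlist={"time.example.com"}):
        print(finding)
```

Legitimate periodic services such as time synchronization show the same regularity, so the allowlist needs to be maintained for the check to stay useful.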

Stage 7: Action on Objectives
Finally, the hacker is able to extract whatever information they’ve been targeting. They can now easily gather Social Security numbers contained in the firm’s data. Of course, the options for exploiting this sort of information are many. The hacker may sell the numbers on the dark web, file fake tax returns, or use them to apply for credit or new identities.
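
The last place to break the chain is the egress point, before the data leaves the firm. The following added example (not part of the original article) counts plausible Social Security numbers in an outbound payload and holds the transfer above a threshold; the function names, threshold and sample payload are assumptions, and every value in the sample is constructed.

```python
import re

# Nine digits as NNN-NN-NNNN, NNN NN NNNN or NNNNNNNNN; the separator must be
# consistent, and the run must not be part of a longer number.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")


def is_plausible_ssn(area, group, serial):
    """Reject values never issued: area 000, 666 or 900-999, group 00, serial 0000."""
    return not (area in ("000", "666") or area[0] == "9"
                or group == "00" or serial == "0000")


def scan_outbound(body, threshold=3):
    """Count plausible SSNs in an outbound payload and decide whether to hold it."""
    hits = [m.group(0) for m in SSN_RE.finditer(body)
            if is_plausible_ssn(m.group(1), m.group(3), m.group(4))]
    return {
        "count": len(hits),
        "block": len(hits) >= threshold,
        # Log only the last four digits so the alert itself does not leak the data.
        "masked": ["***-**-" + h[-4:] for h in hits],
    }


# Constructed outbound upload body; every value below is made up.
SAMPLE_BODY = (
    "client,ssn,phone\n"
    "A. Example,123-45-6789,555-867-5309\n"
    "B. Example,234 56 7890,5558675309\n"
    "C. Example,345678901,555-867-5310\n"
    "D. Example,000-12-3456,555-867-5311\n"
)

if __name__ == "__main__":
    print(scan_outbound(SAMPLE_BODY))
```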

Be Vigilant
All of this happened because the hacker was able to effectively use each stage of the kill chain to astutely identify the company’s possible vulnerabilities and leverage them. Today, all businesses should spend time walking through these stages, identifying vulnerabilities, and shoring up their defenses to eliminate them. It’s not an easy task, but the more critically each of us looks at these seven stages of the kill chain, the better we can prevent the next hack.