The vice grip of cybersecurity concerns on law firms

Originally published on Legal Insights UK & Ireland

By Joseph Raczynski

Law firms stand in a very precarious position in the cybersecurity world. Next to financial institutions, private legal institutions are a virtual honey pot for cybercriminals. Any breach, no matter the size, impacts the client, and certainly could destroy a firm’s reputation.

Four years ago, I toured over 50 law firms discussing cybersecurity with chief information officers (CIO), managing partners, lawyers and support staff. Each year since, it remains one of the hottest legal technology topics with my clients. The unfortunate situation is that, while law firms have dramatically shored up the barriers of defence, criminals have new methods to circumnavigate the ramparts.

Why law firms now?

Recently, I was at a CIO conference with 350 medium and large law firm CIOs in attendance. The keynote speaker stunned the crowd with a singular statement: “do you realise you [CIOs] are the gatekeepers to 71 percent of the non-public intellectual property (IP)?” The first reason law firms are attacked is IP. Criminals of all sorts see law firms as rife with IP that can be pilfered.

One Asian country has allegedly lifted massive amounts of IP from technology companies, not from the companies themselves, but rather from their law firms. Once obtained, the IP is passed to that nation’s internal network of state-owned companies for development. Apple could have trade secrets stolen and then developed and sold in China before Apple could get them to market in London. To this end, Joe Patrice, Editor of Above the Law, once called law firms “the soft underbelly of the cybersecurity world”. The good news is that law firms have fortified their gates more recently to stymie the IP raiders.

The second reason why law firms are attacked is business information. Last year a known hacker in Russia targeted the top 25 law firms in the world to pull out any merger and acquisition (M&A) information. The criminals silently slip past firewalls, identify M&A documentation of companies set to merge, and can then use that information to purchase stock—all before it is publicly announced.

Methods of attack

There is a myriad of tried and true means to crack networks and computers. Having been a white hat hacker script kiddie, years ago, I recently dipped my toe back into the space to see what has changed. My conclusion: it is easier to hack now than it was 10 years ago.

I bought a £4 specialised USB the other day, which will load any sort of script onto a computer in under four seconds. Simply choose the script from hundreds publicly available on the web, convert the code through a free compiler, load it onto the USB stick—and voila! In my testing, I could scrape the user names and passwords entered on my computer, and have them automatically sent to a test email account, simply by placing the ‘bad USB’ or ‘Rubber Ducky’ into my drive for a few seconds. Does your firm lock down USB ports? Perhaps it is worth considering, as an attack of this nature can be executed with relative ease.

There are countless other ways to hack a computer or IoT (Internet of Things) device, but no risk is greater than email. Alan Paller, of the US-based SANS Institute, cites 95 percent of all malware and breaches as starting with email. A new government report published by the National Cyber Security Centre, ‘The cyber threat to UK legal sector’, discusses phishing attacks and states that 80 percent of law firms in the UK have had attempted phishing attacks in the last year. These sorts of attacks can be prevented in several ways:

  • Have processes in place when dealing with accounting so that an email never serves as approval for a funds transfer—use an internal application for requests and verification
  • Use software to distinguish ‘external’ emails from ‘internal’
  • Link protection—use real-time analysis of URLs and domains so that the user is safely redirected to valid domains when clicking ‘unknown’ links in emails
  • Ensure that all applications are running their most up-to-date versions
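The ‘external’ versus ‘internal’ distinction from the list above, sketched as an added example that is not part of the original article. It assumes a hypothetical firm domain `firm.example` and a mail gateway that stamps its own trusted `Authentication-Results` header; the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr
import re

INTERNAL_DOMAINS = {"firm.example"}  # assumption: the firm's own mail domains
TAG = "[EXTERNAL]"

def addr_domain(header_value):
    """Lower-cased domain of an address header, or '' if it cannot be parsed."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def is_internal(domain):
    # Exact match or true subdomain only: 'firm.example.evil.test' stays external.
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def classify(raw):
    """Return (subject_to_display, warnings) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    display, _ = parseaddr(msg.get("From", ""))
    domain = addr_domain(msg.get("From"))
    # Assumption: the gateway strips inbound Authentication-Results headers
    # and adds its own, so the DMARC verdict read here can be trusted.
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    dmarc_pass = bool(m) and m.group(1).lower() == "pass"
    if is_internal(domain) and dmarc_pass:
        return subject, []
    warnings = []
    if is_internal(domain):
        warnings.append("internal From domain failed authentication")
    if any(d in display.lower() for d in INTERNAL_DOMAINS):
        warnings.append("display name imitates an internal address")
    reply_domain = addr_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != domain:
        warnings.append("Reply-To domain differs from sender domain")
    if not subject.startswith(TAG):
        subject = f"{TAG} {subject}"
    return subject, warnings

# Constructed sample messages (not taken from any real incident).
AUTH = "Authentication-Results: gw.firm.example; dmarc="
COLLEAGUE = f"From: Ann <ann@firm.example>\n{AUTH}pass\nSubject: Draft\n\n"
SPOOFED = f"From: Ann <ann@firm.example>\n{AUTH}fail\nSubject: Wire today\n\n"
LOOKALIKE = ('From: "accounts@firm.example" <billing@firm.example.evil.test>\n'
             f"Reply-To: pay@other.test\n{AUTH}pass\nSubject: Invoice\n\n")
```

The sender's domain alone is not enough: a forged internal `From` line is tagged external unless the gateway's authentication verdict backs it up.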

One of the largest law firms in the world, DLA Piper, was hit by ransomware last year. Fortunately, DLA Piper survived, though only after weeks of recovery at a tremendous cost. Still, these types of attacks can be devastating. They encrypt all files on your computer or network—leaving you two options: pay the ransom to get the password, or delete everything off the computer and rebuild with your backup files. Either option can leave a law firm, for a short or long period of time, with limited ability to address client needs.

The future of cybersecurity will be a multi-pronged approach. No longer is antivirus software the ultimate defence. Instead, law firms will need tools that detect intruders using artificial-intelligence-infused algorithms to figure out abnormal activity on the network. Blockchain will help secure information and identities with a distributed network—compared to a central repository of sensitive information. Lastly, the General Data Protection Regulation has already forced, and will continue to force, all parties to take security more seriously or risk significant fines.

Risk Management in the Cryptosphere: A Talk with Gibson Dunn’s Judith Alison Lee

Originally published in the Legal Executive Institute 

By Joseph Raczynski

Cryptocurrencies and their underlying blockchain technology are upending the traditional paradigm for financial institutions and regulators around risk management. This disruption includes unique challenges around identity association and verification in the cryptosphere, specifically around decentralized exchanges, applications (DApps), and identities. We discussed these topics with Judith Alison Lee, a partner at Gibson Dunn & Crutcher, who advises on issues relating to virtual and digital currencies, blockchain technologies, and distributed cryptoledgers.

Judith, what are the legal challenges in identity-linking and verification in the cryptosphere?

Judith Alison Lee: Given the pseudonymous nature of cryptocurrencies, there needs to be a framework — most likely at the exchange level — to identify the individuals that transact in cryptocurrencies. Most exchanges do collect and attempt to verify customer identifying information; however, depending on the exchange, the information collection and verification may not be robust, and customers may engage in various location- or identity-masking services that pose challenges.

Additionally, there may be jurisdictional challenges regarding privacy laws and the transfer of identifying information. Finally, as we are seeing more and more decentralized platforms supporting peer-to-peer transactions, linking customer identity to particular transactions will likely become more difficult.

How are regulators starting to deal with identity and blockchain?

Regulators are requiring licensing or registration for money transmitter licenses at both the federal and state levels, which requires such entities to comply with Know Your Customer and anti-money laundering (KYC/AML) requirements and is one way regulators are addressing identity.




It gets a bit more complicated when we start to talk about linking participants to particular transactions, particularly since the transactions in spot-market cryptocurrencies are not regulated in the same way as transactions in securities or derivatives. As a result, regulators have focused on fraud and manipulation in those markets and have relied on asking the exchanges for transaction-level information, including any identifying information they have collected.

With regard to KYC/AML, terrorist financing, and anonymous transactions, what does the legal landscape look like and how are states or the federal government handling this currently or planning to in the future? 

At the federal level in the US, entities that exchange cryptocurrency may be required to register as money services businesses, while at the state level, many (but not all) states require them to obtain a money transmitter or equivalent license. Both the states and federal government have been involved in enforcement actions to protect against fraudsters in the cryptocurrency space.

In the future, we will have to wait and see if the next Congress will issue legislation on cryptocurrencies.

Is there a way to utilize blockchain for customer due diligence?

It certainly seems that there is a role for blockchain in customer due diligence. The permanent and transparent nature of the blockchain makes it a logical tool to streamline the KYC process. The blockchain would likely be a good way for regulators to have a single source of data and access to the latest information. However, it seems unlikely that a blockchain solution could be utilized for all customer due diligence — though it could certainly help to simplify it, particularly for financial institutions.

Clearly, these are the embryonic stages of regulation and oversight for identity management and verification in the crypto space. As adoption of these tokens rises, global banks and government agencies will further adapt under this decentralized technology-driven revolution.