PREDICTIONS AND THREATS FOR THE YEAR IN CYBERSECURITY
welcome. Our interview with Rand researcher Sasha Romanosky delves into some of these issues
seems to be another angle. It may surprise some readers to learn that the government has a history of tech innovation, and some new programs established at universities are designed to lure entrepreneurial students to beat a path to Washington rather than Silicon Valley. And they’re actually winning converts
Finally, it wouldn’t be a new year if we didn’t feature a crystal ball somewhere in the mix. We invited a legal expert to talk to us about two articles that had important things to say. One predicted what we can expect this year; the other warned what we should fear (Predictions and Threats for the Year in Cybersecurity).
We’ll be back with another issue of CyberInsecurity next month. Until then, please let us know what you think. Your comments and suggestions are always welcome.
David Hechler, Editor-in-Chief
An expert weighs in on some prognostications.
In late December, the online publication CSO posted an article with the headline Our Top 7 Cyber Security Predictions for 2018, by senior editor Michael Nadeau. In early January, MIT Technology Review posted Six Cyber Threats to Really Worry About in 2018, by San Francisco bureau chief Martin Giles. Each had plenty to knock the complacency out of any general counsel foolish enough to try to relax over the holidays. We asked Daniel Garrie to have a look and talk to us about takeaways for in-house lawyers, including his own recommendations. Garrie, who frequently counsels company lawyers, is co-founder and managing partner of Law & Forensics and the editor-in-chief of the Journal of Law and Cyber Warfare. In addition to his law degree, he earned a bachelor’s and master’s in computer science and has built and sold several tech startups.
Legal BlackBook: The MIT article focused on the likely future targets of cyberattacks, including cloud storage companies, data brokers who store information about people’s Web browsing habits, and infrastructure such as electric grids and voting machines. What potential targets strike you as the most important for in-house lawyers to pay attention to?
Daniel Garrie: Vendors and supply chains. They will have the biggest impact, and there is a high likelihood that they will be targeted. This presents a huge risk because larger companies can have many vendors, some of which may have connectivity to a company’s most sensitive information. If vendors get hit and they have the right level of connectivity, that can have the most material consequences to the organization.
LBB: What can they do to protect their companies?
DG: Three things. First, policies and procedures should be implemented and followed. It is not enough to simply make policies and consider the problem solved. Having a bunch of policies that no one at the company follows is a problem. Having a bunch of procedures that aren’t followed by managers or vendors is also a problem. That’s why it is critical to ensure that policies are being followed by anyone with access to company data. Second, there should be a robust structure for educating employees on good information security practices. It's important that the training is not threat-driven, but rather engages employees and focuses on the constructive rather than destructive aspects of security. The third area is insurance. They should make sure they’ve done an evaluation and adjustment of their insurance framework and coverages, and understand where the gaps are. They need to review their insurance in light of all their risks, and then determine what they may need to insure against from a cyber perspective.
LBB: Based on your experience, how do you think they’re doing?
DG: Most of the companies I have worked with struggle with all three—at different levels, depending on the resources they have available to them.
LBB: Both articles discussed new tech weapons. CSO said that internet of things (IoT) devices have been compromised by botnets and used to launch attacks. On the other hand, artificial intelligence has helped companies automate threat detection. But the MIT article pointed out that AI is also being used in spear phishing attacks because it crafts fake messages as effectively as humans. Are these the biggest threats, in your view?
DG: Those are great, but there are a lot more threats and weapons. There’s some very advanced custom-built ransomware coming to market that has learning algorithms—AI—built into it. That’s one of the known threats, and I think that’s a real issue.
LBB: Who do you think is winning the cyber arms race, the good guys or the bad guys?
DG: On the civilian side, the bad guys. On the military side, I’d say that the military is not losing the battle, but they’re not crushing it per se. The military has sophisticated capabilities, but the dynamics of this battle change on a daily basis.
LBB: What can companies do to keep up with the threats?
DG: They can identify their risk factors and work to understand their specific threat landscape and readiness. Because what’s generic isn’t going to work. And that’s what you have to embrace—the reality of your operating environment, not what everybody else is telling you. It’s different for everybody. And it’s near impossible to say that what works for one is going to work for the other.
LBB: CSO suggested that 2018 will finally bring an acceleration of multifactor authentication in place of password-only systems. One reason is the rise of what’s called “aftershock breach”—after a data breach at one company, stolen credentials are used to breach accounts at other companies. Do you agree with this prediction?
DG: I think they’re right. Companies are starting to do this because they have to protect the consumer, they have to protect their brand. They’re realizing that they have to take a more proactive, assertive approach to all of this.
LBB: What role do you think in-house lawyers should play here?
DG: They need to identify the legal risks. It depends on the business, but there’s direct liability, third-party liability, customer agreements. It depends on the type of client company it is.
LBB: What do you think are the biggest challenges ahead for companies in this realm?
DG: The conversation between in-house counsel and outside counsel on protecting client data—one of the things that nobody talks about. That conversation, that dialogue is changing rapidly. And defining that partnership and how those dynamics work and operate is really interesting. Clients are changing the level of security requirements. They want outside counsel to secure their data. They want to know who can access the information. Company lawyers have to reevaluate
LBB: What guidance can you offer general counsel?
DG: When this subject comes up at their companies, they should make sure they have a seat at the table and are properly engaging the business, risk, cyber and communications team when addressing cybersecurity issues.
BUILDING A CYBERSECURITY BRIDGE BETWEEN STARTUPS AND THE MILITARY
Universities are becoming incubators for innovation.
Steve Blank wants you to rethink everything you thought you knew about government. Especially the stereotype of agencies that are hidebound, inflexible and out of touch. And he’s especially insistent when he’s speaking to gifted students with a tech background and entrepreneurial aspirations. He has big plans for them, and he believes they can help make us all a little safer.
Blank was speaking at a panel discussion in January hosted by Columbia University, where he’s a senior fellow for entrepreneurship. It’s a subject he knows pretty well. He founded or worked in eight startups, and half of them went public. His own introduction to the tech industry occurred after he joined the Air Force and volunteered to go to Vietnam. “I spent a year and a half in Southeast Asia learning electronics,” he told the audience. “And when I got out, I ended up in Silicon Valley in the mid-1970s, when we were selling equipment to other businesses.” That was because the consumer electronics business didn’t exist. The government and the defense industry were the Valley’s big innovators back then. “Lockheed was the largest employer,” Blank said. “I worked for a startup run by someone named Bill Perry. He ended up eventually as the secretary of defense. So my introduction to the Valley was a halfway house between startups and the military.”
Now he’s trying to build a bridge between the two. The government needs to innovate to counter the high-tech threats it faces from global adversaries, Blank explained. It needs energy and vision comparable to what you find in Valley startups. But rather than seek to lure talent from there, he is grooming it at universities by creating courses with names like Hacking for Diplomacy and Hacking for Defense.
The idea is to present students with some real problems government agencies are trying to solve and see what they can come up with in 10 weeks. The goal is not only to solve problems, it’s to create a public service career path for young tech innovators.
(from left) Justin Fox, Avril Haines and Steve Blank
Sitting next to Blank on the stage was Avril Haines, a lawyer and former deputy National Security Advisor under Obama who is now a senior research scholar at Columbia and a lecturer in law. Haines was an entrepreneur herself shortly after college, when she founded and ran a successful bookstore/café before she sold it and went to law school. But for this talk, which was moderated by Bloomberg View columnist Justin Fox, she was speaking as a recent government insider with a ringside view of the biggest threats the country faces.
“In the national security world,” Haines said, “we are consistently facing more threats more quickly—the generation cycle is faster—and they’re more complex in the sense that you typically need greater and diverse expertise to really understand them and deal with them on a consistent basis.”
Cyber is high on the list of critical vulnerabilities, she said, noting that 50 percent of households have a smart meter attached to their electricity. “An adversary looks for places where they can innovate and find ways to hold at risk, at relatively low cost to them, things that are of value to us. Similarly we need to innovate in order to think through how we can respond without actually hurting the great value that all of these areas bring to the United States.”
For this reason, she continued, innovation is “critical to dealing with national security issues.” Effective responses require execution, “but you also need an innovation culture. The two can coexist.”
Blank had already made incursions into the academy before he introduced his hacking classes. He’d realized that business schools and investors invariably treated startups as smaller versions of large companies. They asked fledgling entities for 40-page business plans without realizing that nearly all of these companies were run by visionaries. For them it wasn’t about executing their business model; it was about finding one.
“We had built 100 years of management tools for execution,” he told the Columbia crowd, “but very little methodology
create something called the Lean Startup, which “established a set of rules for startups on how to think about
Based on this groundwork, in 2011 he created a class called The Lean LaunchPad. It was all about talking to potential customers, building viable products and designing a business model. As it started to catch on with universities, a funny thing happened, Blank said. He’d been blogging about it, posting his class notes, and through these he developed a small but influential fan club within the government. Washington had long given out research grants that included money for commercialization, but had never offered recipients any guidance on how to start a business. Blank’s Lean Startup struck some people there as just what they needed, so the National Science Foundation adopted it. After that, a host of other agencies followed suit.
By 2013, the wider business world had taken notice. “It happened to be the time when large companies were dealing with continuous disruption,” Blank noted. “And for the first time large companies were looking to startups for methodologies.” That’s when the Harvard Business Review ran a cover that said: Why the Lean Start-up Changes Everything. More than 80 universities are now teaching courses.
Three years later Stanford offered Hacking for Defense. The following semester it added Hacking for Diplomacy. The methodology is basically the same as the Lean Startup courses. They talk to lots of potential customers and try to build viable products. But the problems they’re addressing are ones government agencies are trying to solve. About 10 universities offer these classes now, Blank said.
He’s particularly pleased that students have responded so positively. But the big deal to him is what he hopes it does for the country. “Think about retail today in the United States,” he told the audience. “It’s literally being taken apart by Amazon. Some form of retail will continue to exist, but it won’t look anything like today.
“The problem I observed, and the reason why I’m interested in government,” he concluded, “is that we can afford to have Macy’s go out of business. We can’t afford to have our intelligence community go out of business.”
A serial entrepreneur is having an impact that’s been felt in the academy, business and government.
CHALLENGES IN CYBERSECURITY PROVOKE CONFLICT BETWEEN THE PUBLIC AND PRIVATE SECTORS
Observers see progress in the release of the VEP charter last year.
Sasha Romanosky’s computer career began at age 13, when his sister won a Commodore 64 at a spelling bee. “I don’t think she ever saw it after she won it,” he confessed with a laugh. “I confiscated it.” Born and raised in Canada, Romanosky earned a BS in electrical engineering from the University of Calgary and a PhD in public policy and management from Carnegie Mellon University. Now a policy researcher at the Rand Corporation, he writes and speaks often about cybersecurity and the law. These days he’s based in Washington, D.C., where he learned a lot about contentious relations between the public and private sectors during a year as a policy adviser to the U.S. Department
Legal BlackBook: So what hooked you on the Commodore 64 at age 13?
Sasha Romanosky: Back then I was playing the games, hacking the games. They had a cartridge that could freeze the operating system and dump you into assembly—almost the lowest level of programming for the computer—and then you could play around in memory. There was a small area that controlled all of the game’s parameters, so it was fairly easy to goof around with things.
LBB: How did you get into cybersecurity?
SR: Before there was cybersecurity it was information security. I started doing this professionally after college, working at an ISP [internet service provider]. We were setting up internet services, firewalls, e-commerce sites for people. It was all pretty simple. Until the late 1990s it wasn’t even considered security. After that it was information security, and then somehow the term morphed into cybersecurity, which I think just came from the government and military, because for them “cyber” encompasses electronic warfare. And even to this day, old-school information security people get a twinge when they hear “cyber” because it’s almost like a goofy marketing term.
LBB: These days, some of your work focuses on corporate governance, compliance and corporate crime, areas that are of great interest to lawyers. In what context did you begin delving into this arena?
SR: It started when I was looking at the data breach litigation and state data breach disclosure laws, and whether those had an effect on firms and consumers. These are laws that require companies to notify you when they suffer breaches. And there are good policy questions as to whether the laws are working. Plaintiffs were always losing these cases. We wanted to study what those cases look like. What are the causes of action that are brought? When are data breaches more likely to be litigated, when are firms more likely to be sued, when are those cases more likely to settle, what do the settlements look like? All of that.
LBB: Can you give us a summary of what you found?
SR: First, we found that only a very small percent of data breaches end up being litigated. A decade ago, the litigation rate was in the high teens, but recently it has fallen to 3 to 4 percent. So the probability that any firm would be sued is already pretty low. However, firms tend to be sued more when the breach relates to financial information and less when the firm provides credit monitoring right away. As for the results, it seems that about half of all these cases settle (with the other half being dismissed right away). However, “settled” typically means that only the named plaintiffs recover, and they get a few thousand dollars each. In addition, the firm was more likely to settle when the breach involved medical information. However, we saw no strong correlation between settlement and class action certification, or allegations of violations of statutes with statutory damages. Overall, though, the biggest finding was from coding each of the causes of action from all 200-plus cases. We found over 90 unique causes of action, including common law (torts, contracts, etc.) and state and federal statutes. Contrast that with financial securities law, where there is a single federal statute under which plaintiffs can bring an action.
LBB: You’ve given lots of presentations on these topics to lawyers. Are you still doing that?
SR: Yes. And lawyers are always involved. I’m also getting into the cyber insurance area, which means more insurance people are involved. But there are always lawyers around.
LBB: Is this all from your Rand work?
SR: This is all Rand research. And it has a nice evolution. Looking at the security laws got into the litigation stuff, which then got into the story of costs for all of these incidents. Which then got into insurance because the companies are interested in what all these things cost, and the insurance companies are interested in what all these things cost.
And everyone wants to know: How do we protect ourselves best? What kind of insurance do we need? How much do
LBB: You were a cyber policy adviser to the U.S. Department of Defense for a year that ended last September. Can you tell us about your government work?
SR: There’s a federal statute that enables people to go back and forth from government to the private sector—or nonprofits anyway. This is a vehicle that the federal government can use to get experts to help them out for a short time. I was in cyber policy in OSD [Office of the Secretary of Defense]. It deals with all kinds of cyber issues to help inform the secretary to make decisions. If the Department of Defense is going to engage in cyber operations, there needs to be careful thought and understanding of how you do that—authorities and capabilities and agreements and all that. But the department also needs to defend itself, and I worked mainly on the defensive side.
LBB: We’re interested in the sometimes complicated relationships between the government and corporations.
Can you talk about that?
SR: Private-public partnerships are a big priority for the secretary. There are lots of ways that can happen. One of them is what they call DIUx, which is the Defense Innovation Unit Experimental. It’s about fostering a culture, working with startups to help develop new technology. And not all for robots that shoot guns. There are lots of innovations that could help. It’s that kind of an R&D partnership. There’s information sharing, cooperation between DOD and the defense industrial base, which is a whole collection of companies that supply support to DOD. Maybe they’re cyberattacked and DOD wants to know about that.
There’s a larger question if a company in the U.S. is cyberattacked. What is the role for DOD in helping protect them? Generally the answer is, “There is no role.” DOD is not involved, nor should it be involved in defending or protecting some company that gets hacked. That’s the role of the FBI—until it becomes a national security issue. So if the whole country was suffering some kind of distributed denial of service attack, then one of the primary roles of the Defense Department is to protect the country. Only if and when that were to happen would DOD step in. There are conversations that DOD may have with infrastructure companies, telecommunications companies, finance companies to understand how resilient we are. What do we need? Are there any gaps? And what are the roles and responsibilities for different people? There’s what’s called Defense Support of Civil Authorities, which is what gets triggered when a state has a natural disaster and needs to call the military to help out with a hurricane or an earthquake or whatever. There’s a similar interest to figure out how DOD could help a state with a cyberattack.
The federal government-state government partnership really needs to be negotiated. And as you can imagine, there are lots of electrical companies and other infrastructure companies that support state and federal operations and bases and military installations, so there needs to be an understanding and cooperation there. Who’s protecting what, and who manages what at what times? So there are lots of ways that DOD interacts with the private sector.
LBB: Did you observe tension between government agencies and the private sector over cybersecurity issues?
SR: Yes. Everyone gets ticked off by everyone else. Everyone wants more information and better information and quicker, faster, stronger. One of the big issues that’s kind of a firestorm is the vulnerabilities equities process (VEP). It’s the U.S. government policy around what they do with the special kinds of vulnerabilities that they may know about. If a breach vulnerability exists that no one else knows about but the U.S. government, where lots of computers are vulnerable in the U.S., then there’s an equity decision, a decision of whether the government should tell everyone about that so that they can patch their system and be more secure, or whether they should hold it temporarily and use it for intelligence collection. Maybe U.S. systems are vulnerable, but maybe an adversary's systems are also vulnerable and maybe they also want to collect intelligence on that adversary. How do you weigh that? How do you balance that? The private sector, of course, is always very adamant that you should tell us every single time, and do it right away. The U.S. government, you can understand, has a different kind of role. They see the interests of everyone and everyone’s equities. And so this VEP process is contentious.
Recently the Security Council released the charter for the VEP, which is the set of policies and procedures around how it makes these decisions and what the whole process looks like, and who’s involved in decision making and all that. And it’s been fairly well received. I think most reasonable people understand that it’s not an easy decision. And the U.S. is really one of the only countries that has such a process. Most other countries may just use the vulnerabilities and really don’t care or don’t tell their citizens what they’re doing and why. It’s a small piece of cyber operations and cybersecurity at a federal level, but it’s a specialized, important piece of it.
LBB: Is this one way in which the government and the private sector have actually made progress in dealing with these tensions and communicating better?
SR: I think so. It was a big, big step to release this charter to the public before it was classified. It had been available through a freedom of information act request, but only part of it. I think it was a really good step, helping to create more trust and be more transparent.
LBB: You recently wrote about an interesting development. Sometimes our government attributes cyberattacks to foreign governments, as it did when it pointed the finger at North Korea for the WannaCry ransomware attacks last year. And sometimes private companies do the same thing. First, what’s unusual about this situation?
SR: This kind of attribution has really been the purview of a government. Is there another instance where private sector companies have had these capabilities to identify attacks or incidents or malicious behavior by other nation states and been able to comment on that with authority and develop capabilities to identify that? I don’t think it has happened. The question is: What should governments do about this? Is this something that helps them in their dialogues with other countries—their negotiations, their diplomacy? Or does it undermine what it is they’re trying to do?
LBB: Is there an upside for business and the public in the fact that private companies are gaining skill and sophistication in this area, and making more information available?
SR: That is definitely true. If nothing else, they’re helping their clients out. If they have advanced capabilities and can create a service out of that and sell that service, that’s what innovation is about, and competition. So that’s good.
LBB: But there’s also a potential downside, right?
SR: The concerns are that it really could undermine any sensitive negotiations. Like if we’re trying to negotiate with North Korea, or even China let’s say on the theft of intellectual property and cyberattacks, and all of a sudden Mandiant blurts out, “Look, there’s all this activity by China doing X, Y and Z.” The risk is that it pisses China off and they leave the table. Now has that happened before? I don’t know. But it’s possible.
On the other hand, if the U.S. wants to negotiate with China or some other country and they have classified information about an attack but they can’t really share it, maybe what they can do is point to a report by FireEye and say, “Look, we all know what you’ve been doing. This very credible company says this. Let’s talk about it.” So it does have the potential of being able to foster discussion in an open forum. The issue is, on balance, is it a good thing or not? And that’s what we’re trying to figure out.
LBB: Has there been much communication between these specialized companies and the government?
SR: I don’t know. I do know that the government can be a consumer of these companies like everyone else. So they may purchase their services and learn everything that the company knows, and that’s all good. And we know that some of the company employees are former government intelligence people, so inherently there are some relationships. But specifically what conversations they’ve had, I can’t say.
LBB: You’ve written a lot about data breaches. Are there clear legal guidelines spelling out when and how companies must share information about breaches and with whom?
SR: State data breach disclosure laws require that companies notify people when their first name and last name in addition to some other piece of information, like a driver’s license, passport or financial information have been disclosed without authorization to some other party, either publicly on a website or lost in a shipping container stolen by an attacker. So 48 states have this law. There is some variation among them, but basically they just say, “Company, you need to tell affected consumers when this happens.” Sometimes there are penalties if you don’t comply. Sometimes there is a private right of action for consumers to bring a lawsuit. Sometimes there are notification requirements to states’ attorneys general. There may be exceptions if the data is encrypted or there’s already a notification requirement through other financial regulation statutes. There’s been lots of issues and questions around whether they’re effective and how they should be changed and what consumers can actually do when this happens.
LBB: Then there’s also the time factor. Sometimes companies realize that they’ve been breached, but they’re not quite sure what has been taken. Or they decide that they really need to get a handle on how broad the breach was. Is it clear how fast they have to reveal what they know?
SR: There is tension. It’s not really settled. People are still trying to figure out the right time window. Some say as quickly as possible. Others say 60 days or 90 days or 30 days. It’s unclear what the perfect answer is because you can see how premature notification can just cause confusion. The company may not have all of the information. Or it may take time for them to figure out exactly what happened, so forcing them to notify too early may be not be helpful. In addition, it may corrupt a police investigation. But then you can’t wait too long because you want to notify people as soon as possible so they can take prevention measures—monitor their credit, watch out for charges on their credit cards, close accounts. That’s the best we have in terms of recommendations.
LBB: What roles do in-house and outside lawyers need to play?
SR: The first thing counsel need to do is figure out if in fact there was a breach. If the answer is yes, then they need to figure out who is affected and which laws for which states they need to comply with. There are lots of firms and lots of practice groups that do this kind of thing. So if they don’t have the capabilities in-house, they can go outside.
LBB: Some experts have talked about the limited knowledge many in-house lawyers bring to this subject, and their failure to make it their business to educate themselves sufficiently to really help protect their companies. What do you think about that?
SR: I suppose as counsel you have lots of laws you really need to figure out and understand. Breach laws are just one set of them. It’s 2018. You should have some awareness of all this cyber stuff. If you’re not the expert, it’s pretty easy to make a call and find someone who can guide you. I guess at the end of the day, they’re supposed to be risk-averse and have some idea of how to manage risks.
LBB: A lot of people have been saying for years now about data breaches: “It’s not a matter of if but when.”
Do you buy that?
SR: It’s a familiar marketing story by this one guy from a threat intelligence company. In some sense it’s a little silly because there are what, six or seven million companies in the country? What are you saying, all six million of them have been breached? That just seems hard to believe. There is an overall question of how many breaches we know about. Like what is the underreporting percentage of breaches? There’s something like 15,000 that we know about since 2003, when these breach laws were first adopted. Everyone wants to know whether that’s just the tip of the iceberg. And the answer is probably yes, but we don’t have a good feel.
LBB: You’ve been spending time researching the way insurance functions in this realm. What are you finding?
SR: Everyone is trying to figure out how to fix cyber. And one of the possible fixes people suggest is insurance. Is there an opportunity to create incentives for discounts, like your car insurance will bring you a discount if you drive safely? What can we do in cyber? That’s what people are really trying to figure out. It’s unresolved, but it’s a big market in the sense that there are billions of dollars in premiums. And it’s expected to grow by an order of magnitude. But the real issue for people who are standing where systemic risks are is the notion that one attack might affect thousands of companies. And there could be billions of dollars in losses. So it could be something catastrophic, like attacks on critical infrastructure. One incident, many affected people. That’s what’s on everyone’s mind—that’s the real fear. For companies, for insurance companies, for reinsurance companies, for the government especially: How do you protect it, how do you mitigate it?
If you are interested in contributing thought leadership or other content to this platform, please contact Lester Goodman, Publisher.
Welcome to Legal BlackBook, a platform that features writing about the legal arena.
The subject of the moment, and it’s a moment that’s likely to last for some time, is cybersecurity. Or, as we call this newsletter, CyberInsecurity. And if you're wondering whether your insecurity is justified, we've included survey data in a graphic that should provide confirmation (What the Numbers Say).
One facet of this subject that’s been fascinating to watch is the complicated relationship between government and business. Are they friends, enemies, frenemies?
The government can pass along tips to protect companies from attack. It can also pressure them to provide access to their customer information, which may be less
[What the Numbers Say, chart] Source: 2017 U.S. State of Cybercrime (published by CSO).
Survey responses about cybersecurity events reported by 510 executives at U.S. businesses, law enforcement services and