Kimberly Peretti is a partner and co-chair of Alston & Bird’s Cybersecurity Preparedness and Response Team and
National Security and Digital Crimes Team. She is the former director of PwC’s cyber forensic services group and a former senior litigator for the U.S. Department of Justice’s Computer Crime and Intellectual Property Section. She draws on her background as both an information security professional and a lawyer in managing technical cyber investigations, assisting clients in responding to data security-related regulator inquiries, and advising boards and senior executives in matters of cybersecurity and risk. Peretti is a Certified Information Systems Security Professional (CISSP).
Legal BlackBook: FBI Director Christopher Wray recently spoke at a cybersecurity conference in Boston, and during his speech he highlighted the FBI’s continuing need for cooperation from victim companies. The FBI “treats victims as victims” and has been working to better share information with them, he said. Has that been your experience in working with the FBI?
Kimberly Peretti: For the most part, yes. And generally over the years I’ve seen a significant transformation of federal law enforcement—both the FBI and the Secret Service—in how they interact with companies that have been victims of cyberattacks. In my experience, law enforcement has become more sensitive to the issues facing victims of cyberattacks, and is often more amenable to developing strategies to help minimize the impact that working with law enforcement may create. Fundamentally, law enforcement is dependent on companies, both for reporting cyber intrusions to them and for investigating those types of crimes. So I think that’s a very important point that separates investigations of cybercrimes from other types of crimes. They’re often more sensitive to understanding the critical role that both sides play. And they understand that they need to work together for each to be successful in their missions. Law enforcement often understands that the victim may be in the best position to gather and preserve the digital evidence in an immediate fashion, and that law enforcement coming in and saying that “we need all relevant information” could be a significant distraction at a time when a company really needs to devote significant attention to protecting the company, its systems and its data.
LBB: Some people who don’t have a lot of experience dealing with cybersecurity investigations may be surprised that the Secret Service can be involved. Can you explain to them why that is?
KP: It just so happened that when I was at the DOJ cyber crime unit, most of the cases I worked were with the Secret Service. We were working with companies that weren’t aware that the Secret Service had jurisdiction to investigate cyber crimes, but they do. They share that jurisdiction with the FBI. You tend to see them more in the area of financial crimes, because they’re an entity that has had jurisdiction to investigate counterfeits of currency going back to when they were part of the Treasury Department. Now, of course, they’re a part of the Department of Homeland Security.
LBB: It seems as though there should be a natural partnership between a law enforcement agency and a company that has been the victim of a cybercrime and is conducting an internal investigation. After all, they’re both trying to solve the same crime, right? Is that how it works in the real world?
KP: I think most often their interests can be aligned, and they often are aligned in the early stages of an investigation. But it’s important to recognize that there’s a different interest in why they’re conducting the investigation. For companies, the primary interest is often to protect the company—its systems and its data. And to protect its customers and employees as quickly as possible. They also may want to see criminals identified and apprehended. But that can be a secondary benefit or purpose. Whereas for law enforcement, their primary purpose, of course, is to catch the criminals behind the attack. In the later stages of the investigation, though, a company may want to wrap it up, fix the systems, remediate and move on. And that may be just when law enforcement is beginning its investigation in earnest. This can be a place where interests begin to diverge.
LBB: Has the role of law enforcement—and working with law enforcement—changed since you were at the Justice Department and prosecuting hackers, from 2002 to 2008?
KP: Yes, I would say that there have been some significant changes. In the early days of cyber crime, we were often looking at lone wolves—solo hackers hacking into systems for intellectual curiosity or for bragging rights. And we were investigating those individuals in order to bring them to justice and convict them for the crimes they had committed. But as we’ve seen the cyber landscape grow and change over time, there are other purposes for law enforcement’s involvement. It’s not just to apprehend individuals. Now, because of the global nature of cyber crime, and often the inability to identify those behind these crimes, there are other goals. These could be intelligence gathering, disrupting the infrastructure of the criminal organization, or information sharing to help other potential victims protect themselves against a similar attack. And then, of course, we’ve seen over time the significant increase in state-sponsored involvement, which has brought in other law enforcement priorities, including a national security interest, and the increasing need to push out intelligence learned from state-sponsored activity to victim companies. The recent joint Technical Alert issued by DHS, the FBI and the United Kingdom’s National Cyber Security Centre, addressing the worldwide cyber exploitation of network infrastructure devices by Russian state-sponsored cyber actors, is a good example.
LBB: Given the number of different federal, state and foreign law enforcement authorities that may have jurisdiction over cyber crimes, how does a company determine the right law enforcement authority to contact when it’s in the middle of responding to an incident?
KP: Well, hopefully they’ve identified those contacts prior to having an incident. Most companies nowadays face frequent security incidents, whether it’s attempted access to their networks or otherwise. It’s often helpful to have an established relationship with law enforcement prior to an incident, because knowing which agency to contact, and who within that agency, can be challenging to navigate during a crisis. Equally important, law enforcement is increasingly disseminating information on cyber threats through various information-sharing platforms, and companies may want to establish such relationships with law enforcement in order to ensure that they are receiving that information. In terms of who to contact, as a general matter for cyber intrusions, I would say that often companies turn to federal law enforcement, because there is usually jurisdiction, and there are more likely to be resources and capabilities to investigate cyber crime, in contrast to local jurisdictions or state jurisdictions.
So it often becomes a question of which federal law enforcement agency to contact. I often refer companies to the Computer Crime and Intellectual Property Section, an entity within the U.S. Department of Justice that has published a document called “Reporting Computer, Internet-Related or Intellectual Property Crime.” It’s on its website. For most types of cyber crime, you can report to either the FBI’s local office or the Secret Service local office. It may be a preference of the company, whether they’ve worked with one of these agencies, or it could depend on the industry that they’re in. Or it could be because of a relationship they have within their company. But it’s a good idea to establish a point of contact on both the Secret Service side and the FBI side, because both are pushing out information, and both can likely assist in investigating most types of cyber crime.
LBB: Let’s take up the age-old question: To report or not to report? A few years ago, that question often arose when a company discovered evidence that one of its employees or vendors had paid a bribe that may have violated the Foreign Corrupt Practices Act. Now the big issue is data breaches. Can you walk us through some reasons that a company may want to report a cyber crime and some reasons why it may not?
KP: Absolutely. And these haven’t changed over time. I recall that when I worked at DOJ in the computer crime section, we were speaking about the myth of what law enforcement does if they’re involved in investigating a cyber crime. And I think it largely has remained the same. The top three or four that I would identify as reasons that a company may not want to report: No. 1 is fear of loss of control of the investigation. There is a misguided perception of law enforcement raids. Often companies are more aware of working with law enforcement when they are targets, when they are being investigated for committing a crime. And it immediately pops to mind: law enforcement showing up at your door with 50 agents and taking files. Second, fear of the incident becoming public through a government leak or indictment—or fear of losing control over when the incident becomes public. Some cybersecurity incidents never become public and don’t need to. Others will naturally become public because there are reporting obligations to individuals or regulators. But companies would rather stay in control. Three is that information would be shared by law enforcement with regulators, who are interested in cyber intrusions for a very different purpose than law enforcement. Regulators protect consumers, and they’re often investigating cyber intrusions to identify whether the victim company complied with various consumer protection-related laws and regulations. So there’s the fear that information will be turned over to regulators. And then there’s the sense that there will be no benefit inuring to them if they do cooperate with law enforcement.
I would say that for each of these, law enforcement is aware of the fears or myths and has taken steps to address them, often telling victims that they will not “show up with 50 agents and start taking things.” Law enforcement is often comfortable with having the victim entity preserve and provide digital evidence in a time frame that works with the company’s competing demands to conduct an internal investigation. As for concerns about information being shared with regulators: That’s generally a misconception, and I think that’s what FBI Director Wray was attempting to address in his recent comments indicating that the FBI does not believe that it has a responsibility to share information it receives with other “less enlightened” enforcement agencies. Certainly, when law enforcement is conducting a grand jury investigation, the Federal Rules of Criminal Procedure dictate with whom responsive information can be shared, which does not include those—such as regulators—that do not have a need to know.
Now, what are the reasons for reporting a cyber intrusion to law enforcement? No. 1, law enforcement may have intelligence to share on the particular threat group or criminal activity that can be critical to the company’s investigation—it may enable the company to short-circuit its investigation, provide clues of where to look in its systems or what to look for. And that information can be extremely valuable. This one factor is increasingly the overarching reason that companies reach out to law enforcement in the aftermath of an incident—especially given the rising level of sophistication of some of the attacks. A second reason is that law enforcement often has more tools available to investigate that aren’t available to victims, so there may be some methods that can be used to identify the perpetrators or to stop the activities.
LBB: It sounds as though this could potentially save a company quite a bit of money, because these investigations are not cheap, are they?
KP: They can be very expensive, because forensic investigations take time and require skilled experts. Often many systems need to be imaged, logs need to be collected, and technical experts need to be hired to do the collection and analysis. Digital evidence is fleeting, so there may not be all the clues available of what happened. If you could have law enforcement fill in some of the gaps, some of that information may ultimately help you mitigate the risk of the incident, or identify that actually there wasn’t access to certain data or systems. Filling in pieces of the puzzle can be very helpful.
LBB: As outside counsel, how do you advise the general counsel and management? Is it your practice to provide a specific recommendation when they’re deciding whether and when to report a breach, for example?
KP: Yes, generally we get involved in that decision. It’s a big decision for the company. And for me it’s often a question of timing and the level of sophistication of the attack. If the incident occurred months prior and isn’t ongoing, sometimes it helps to take some initial investigatory steps, to have a sense of what may have happened before notifying law enforcement. It may influence what agency you notify. So sometimes it’s more of a question of when. Similarly, if there is uncertainty around the type of attack or the threat actors, law enforcement may be able to provide valuable information to assist with the investigation. Either way, there often is an important decision of whether to notify, and many different considerations come into play when making that decision. And we, as outside counsel, help the company navigate those issues.