Legal BlackBook: The MIT article focused on the likely future targets of cyberattacks, including cloud storage companies, data brokers who store information about people’s Web browsing habits, and infrastructure such as electric grids and voting machines. What potential targets strike you as the most important for in-house lawyers to pay attention to?
Daniel Garrie: Vendors and supply chains. They will have the biggest impact, and there is a high likelihood that they will be targeted. This presents a huge risk because larger companies can have many vendors, some of which may have connectivity to a company’s most sensitive information. If vendors get hit and they have the right level of connectivity, that can have the most material consequences to the organization.
LBB: What can they do to protect their companies?
DG: Three things. First, policies and procedures should be implemented and followed. It is not enough to simply make policies and consider the problem solved. Having a bunch of policies that no one at the company follows is a problem. Having a bunch of procedures that aren’t followed by managers or vendors is also a problem. That’s why it is critical to ensure that policies are being followed by anyone with access to company data. Second, there should be a robust structure for educating employees on good information security practices. It's important that the training is not threat-driven, but rather engages employees and focuses on the constructive rather than destructive aspects of security. The third area is insurance. They should make sure they’ve done an evaluation and adjustment of their insurance framework and coverages, and understand where the gaps are. They need to review their insurance in light of all their risks, and then determine what they may need to insure against from a cyber perspective.
LBB: Based on your experience, how do you think they’re doing?
DG: Most of the companies I have worked with struggle with all three—at different levels, depending on the resources they have available to them.
LBB: Both articles discussed new tech weapons. CSO said that internet of things (IoT) devices have been compromised by botnets and used to launch attacks. On the other hand, artificial intelligence has helped companies automate threat detection. But the MIT article pointed out that AI is also being used in spear phishing attacks because it crafts fake messages as effectively as humans. Are these the biggest threats, in your view?
DG: Those are great, but there are a lot more threats and weapons. There’s some very advanced custom-built ransomware coming to market that has learning algorithms—AI—built into it. That’s one of the known threats, and I think that’s a real issue.
LBB: Who do you think is winning the cyber arms race, the good guys or the bad guys?
DG: On the civilian side, the bad guys. On the military side, I’d say that the military is not losing the battle, but they’re not crushing it per se. The military has sophisticated capabilities, but the dynamics of this battle change on a daily basis.
LBB: What can companies do to keep up with the threats?
DG: They can identify their risk factors and work to understand their specific threat landscape and readiness. Because what’s generic isn’t going to work. And that’s what you have to embrace—the reality of your operating environment, not what everybody else is telling you. It’s different for everybody. And it’s near impossible to say that what works for one is going to work for the other.
LBB: CSO suggested that 2018 will finally bring an acceleration of multifactor authentication in place of password-only systems. One reason is the rise of what’s called “aftershock breach”—after a data breach at one company, stolen credentials are used to breach accounts at other companies. Do you agree with this prediction?
DG: I think they’re right. Companies are starting to do this because they have to protect the consumer, they have to protect their brand. They’re realizing that they have to take a more proactive, assertive approach to all of this.
LBB: What role do you think in-house lawyers should play here?
DG: They need to identify the legal risks. It depends on the business, but there’s direct liability, third-party liability, customer agreements. It depends on the type of client company it is.
LBB: What do you think are the biggest challenges ahead for companies in this realm?
DG: The conversation between in-house counsel and outside counsel on protecting client data—one of the things that nobody talks about. That conversation, that dialogue is changing rapidly. And defining that partnership and how those dynamics work and operate is really interesting. Clients are changing the level of security requirements. They want outside counsel to secure their data. They want to know who can access the information. Company lawyers have to reevaluate that relationship.
LBB: What guidance can you offer general counsel?
DG: When this subject comes up at their companies, they should make sure they have a seat at the table and are properly engaging the business, risk, cyber and communications team when addressing cybersecurity issues.