“Several years ago, while serving as the national counterintelligence executive, I sat with colleagues discussing how we would plan an espionage attack against an American business. And then a lightbulb went on: the law firms! Of course: A company’s outside intellectual property lawyers have its technical secrets, and their corporate law colleagues are privy to strategic business plans. And lawyers don’t like taking instructions from anybody, particularly their less well paid underlings who are responsible for network security. They’re impatient. In some firms the rainmakers have nixed even simple steps, like requiring a password on mobile devices that connect with the firm’s servers. They couldn’t be bothered. Privileged with secrets, lawyers are the perfect targets. I cannot disclose what I know because it’s classified, but I can disclose that I know that my surmise was soon justified. U.S. law firms have been penetrated both here and abroad.” -- Joel Brenner in his book, “America The Vulnerable”.
Take a moment to digest that, and then ask yourself whether you could honestly say something like “any situation in this excerpt is fictional, and any resemblance to real day-to-day operations is a coincidence,” generally speaking, of course.
Mr. Brenner, by the way, is a partner at Cooley, which means he is no stranger to our industry and how we operate. Do you think I got hooked on reading the book right at this point? You bet! If you are in legal and have kept up with the news, then you now know what Brenner knew. There are plenty of articles out there about attacks against law firms, about how the FBI itself warned large firms in New York about the current state of security in the legal sector, and about how the FBI was aware of successful attacks on our sector, which former ILTA BoD member Jeff Brandt summarizes well here; or perhaps you have heard, or should have heard, of the recent Anonymous attacks on law firms. Dear lawyers and firm management, this is a real issue for us, and we must pay attention.
Yesterday ILTA’s Executive Director Randi Mayes announced the creation of the Legal Information Security Council, LegalSEC™. This talented group of volunteers, led by the Servers Operations and Security Peer Group, seeks to address the struggles that law firms large and small have faced for many years when it comes to Information Assurance and Network Security, struggles that for many firms have grown not only because of the issues mentioned above, but also because of the penetration of disruptive technologies such as mobility, virtualization, tablets and cloud storage.
How many security audits, RFPs, questionnaires, etc. has your firm received lately? Do you think that is a coincidence? Have you had a chance to talk to folks in corporate legal departments about these issues? These client mandates will only continue to rise, and I believe they will continue to push firms to change their posture on Information Security and get more serious about it; after all, many of those clients have already gone through these attacks themselves, including great security vendors such as Symantec, VeriSign and RSA. Furthermore, stronger regulations will continue to pass. Kevin Moore of Fenwick & West, a leader within the LegalSEC™ committee, says that “we are also facing stronger federal legislation such as H.R. 3523, the ‘Cyber Intelligence Sharing and Protection Act’, which has passed The House of Representatives and is also being debated outside of Washington, and needs our attention.”
LegalSEC™’s mission is to enhance the delivery of secure services to clients by raising and maintaining security awareness and by providing an asset protection framework for law firms. How do we do that? By working together to build better Security Programs supported by a strong community such as ILTA: delivering Collaborative Intelligence around Information Assurance (while I was not invited to the FBI/law firm party in New York, I have reason to believe this point was touched on); leveraging tools such as our annual Technology Survey to deliver robust Security Controls; and, most important, educating our user base and delivering comprehensive Security Awareness Programs that firms can adapt to their environments. In a recent article published by The National Law Journal titled “In the Tablet Age, Law Firms Face New IT Threats,” Stewart Baker, partner at Steptoe & Johnson, said, “The weakest part of the security system is between the keyboard and the back of the chair.” Not only do I agree with Mr. Baker, but I also believe that this is the biggest challenge we face, and perhaps the one that could deliver the quickest and most rewarding results.
Why are we doing this? During the two hours following LegalSEC™’s launch we received over 25 messages from you. That’s 25 firms of different sizes, regions (including outside the US), practices, etc. that expressed their support and shared concerns, and they keep coming; oh, and by the way, a corporate legal department also reached out expressing concern. What that means is “how badly this initiative is needed,” according to LegalSEC™’s Tom Crowe, IT Director at Turner Padget Graham & Laney. In addition, I strongly believe that Art Coviello, Executive Vice President of EMC and Executive Chairman of its RSA Division, was right during his keynote speech at this year’s RSA Conference when he said that “An attack on one of us is an attack on all of us.” He knows what he’s talking about; his company was successfully penetrated. Once a group of attackers finds and exploits a vulnerability in a law firm, they are going to try the same in the next one, and the next one, until they succeed again, and chances are that they will. And notice that I am using the plural here: this is no longer one person trying to do harm, it is a whole lot of them, and we need to come together to fight back.
I want to thank you, both personally and on behalf of ILTA and LegalSEC™, for reaching out and supporting this initiative. We will get back to you over the next few weeks; meanwhile, continue to reach out and give us ideas and opinions so that we can deliver value to our industry together. You can do so by adding a comment to this post or by emailing us at email@example.com.
Carlos Rodriguez, Servers Operations and Security PGVP