The new cyber vulnerability: Your law firm
Companies with top-notch IT security are still vulnerable to having their networks penetrated and their information stolen as hackers look to hit their subsidiaries, suppliers, and even law firms that don’t practice good network defense.
Small subcontractors or law firms can often access the networks and intellectual property of a large firm although they don’t necessarily have the security infrastructure of the big firms.
"The bad guys have really switched to things like going after third parties, places where the company’s data is stored or manipulated," Richard Bejtlich, chief security officer with the cybersecurity firm Mandiant told Killer Apps yesterday. "That’s why we’ve seen, over the last couple of years, [hackers targeting] law firms. You can’t get the data from the original source, so get it from somebody that has a copy or is processing it."
Law firms — which, ironically, are often the organizations tasked with helping to defend a company’s intellectual property — are "a very target-rich environment, their IT is generally not up to the level it needs to be, the victims themselves are very reluctant to implement any of the defenses that would work against this sort of thing," said Bejtlich. "All the confidentiality and privacy tends to work against seeing what’s happening [on a network]. If you tell a law firm partner, ‘Oh yeah, we’re going to monitor your computer and see everything that’s coming to and from that and everything that’s on the hard drive’…that’s completely antithetical to their culture; it’s pretty much the perfect place to steal data from."
This problem is exacerbated by the fact that so many businesses are connected to each other’s networks, or have access to each other’s information, in the normal course of doing business, despite the massive disparity between the best-defended players in the private sector and businesses with little in the way of security standards. An attacker who cannot breach the well-defended target can simply breach a partner that holds a copy of the same data.
Gen. Keith Alexander, chief of U.S. Cyber Command and the NSA, lamented this disparity in the private sector’s cyber security standards today.
"We have a problem, especially when you look at different sectors. So the banking industry and the higher-end defense-industrial base are pretty good. They’re right there at the top," said Alexander during a speech at a Symantec-sponsored cyber security conference in Washington. "Then you go out to some companies that are getting exploited, and they don’t know what the threat looks like, they don’t know what they should do. And some of those are in critical infrastructure."
Alexander reiterated his desire to see the private sector, especially so-called critical infrastructure providers like banks, defense companies, and energy and transportation firms, adopt cyber security best practices and quickly share information in the event of a cyber attack. Legislation that would deal with these issues, and several more, has been stalled in the Senate since August.
A host of other government cybersecurity officials today echoed Alexander’s point about the massive gap in security standards throughout the private sector, even among critical infrastructure providers.
Even in sectors like the defense industry that are better on the whole at implementing security standards, there is massive disparity in security practices.
"We do see some sectors who are in general more sophisticated. Now, if we’re talking about the defense-industrial base, what do you mean by that?" said Jenny Menna, acting director of the Department of Homeland Security’s Computer Emergency Readiness Team during the same conference. "They’re the big companies that we can all name off the top of our heads. But then there are little companies six levels down on the supply chain, and so I don’t think there is a consistent posture between the really big guys and the small companies."
She added that, among critical infrastructure providers, banks tend to be "extremely sophisticated. I sometimes refer to them as the AP class . . . Why is that? Because they’re protecting their money."
Brian Varine, director of cyber incident management at the Department of Energy, added that banks have high security standards because "they have had tangible loss" when their networks have been penetrated. However, "if I go into your company and I steal all your intellectual property, it’s still there, you don’t know it’s gone ‘til five years down the road and your competitor is kicking your butt because they’ve taken your product, reverse-engineered it, and produced a bigger, better, cheaper product."
John Reed is a national security reporter for Foreign Policy. He comes to FP after editing Military.com’s publication Defense Tech and working as the associate editor of DoDBuzz. Between 2007 and 2010, he covered major trends in military aviation and the defense industry around the world for Defense News and Inside the Air Force. Before moving to Washington in August 2007, Reed worked in corporate sales and business development for a Swedish IT firm, The Meltwater Group in Mountain View CA, and Philadelphia, PA. Prior to that, he worked as a reporter at the Tracy Press and the Scotts Valley Press-Banner newspapers in California. His first story as a professional reporter involved chasing escaped emus around California’s central valley with Mexican cowboys armed with lassos and local police armed with shotguns. Luckily for the giant birds, the cowboys caught them first and the emus were ok. A New England native, Reed graduated from the University of New Hampshire with a dual degree in international affairs and history.