Law in the Internet Society

-- ScottYakaitis - 22 Dec 2014

What Lawyers Need to Know

“Knowledge is power” is a sentiment uttered by Francis Bacon ages ago that has, if anything, only become more true. Though perhaps it could use a slight update: information is power. Having inside information on mergers, government permits, patent application statuses and the like could make someone millions, or destroy a company. It is no surprise, then, that gaining this sort of information is heavily regulated both by law and by corporate security. Given the inherent value of all of this information, it is equally unsurprising that hacking is extremely common. Corporations are paying billions of dollars to fight these threats to corporate security. One study found that the average company surveyed spent nearly 10 million dollars a year fighting electronic infiltration. Yet, according to some experts from that article, just showering corporate funds on the problem won't ever completely close off the threat. Companies are still vulnerable to attack.

There have been a few high-profile hackings recently. One is of particular interest. Hackers, using perfect English and financial jargon, are sending e-mails to top-tier executives in the financial, biotech and medical industries. But executives haven't been the only targets. Lawyers who work directly with these companies have been targeted as well. What is particularly clever about this group of hackers is that they have brought “phishing” to a higher level. They send seemingly legitimate business concerns precisely tailored to the individual target. Instead of the broad Nigerian Prince scam, these guys, dubbed FIN4, have done their homework.

Crypto, a field I've recently been exposed to, has developed countermeasures to hackings. While I vaguely understand why the complex processing of two huge primes is an effective means of encrypting data, hacks that employ the breaking of encrypted data are not something I would be equipped to fight. However, breaking these codes isn't the only avenue of attack hackers have to gain access to information. What was particularly clever about the FIN4 hackers, according to authorities, is that they always found the weakest spot to attack in terms of actual processing power. From there, they would then use impersonation and spycraft to catch their targets.

Lawyers are supposed to be keepers of secrets. Once upon a time, that simply meant being relatively tight-lipped and making sure no one could physically break into an office and steal documents. Now, many more threats come from the internet. Lawyers, unfortunately, are not the most tech-savvy people. Luckily for lawyers, relatively easy-to-use encryption software is available. But that's only half the battle. These hackers didn't need to break the best encryption; they just needed to find someone who knew the target and who was using weak encryption, pose as that person, and they had an in.

What, then, do we need to do as lawyers to fight this problem? The first step is to actually learn spycraft. Given that lawyers are expected to keep clients' secrets, we should teach more effective methods of doing so. Every law student, along with classes on professional ethics, should be required to take basic classes on spycraft and secret keeping. For us, being able to tell when a client is being impersonated via e-mail should be absolutely vital to our practices. We cannot expect to rely on expensive cyber-security companies to block out every threat. One, they will not be 100% effective. Two, if we are not working at a major firm, we will not be able to afford wildly expensive cyber-security.

This brings me back to the technical side of the equation. GNU encryption is a good start but won't be enough to solve all cyber-security needs, especially after going into a smaller (non-mega-firm) practice. What, then, is the most effective way to help create good security even for a small firm? While I know that building and setting up my own servers is a good start, it's just that, a good start. Ideally law school would teach server setup to all of its students, but that seems even less likely to happen than spycraft classes.

The best place to turn, then, is perhaps the wide community interested in effective cyber security. Cities like New York, which have a vested interest in community learning, have set up a variety of community-based skill shares specifically designed to help individuals gain knowledge that might be outside of their ballpark. Those who have this knowledge and are willing to teach at various hackspaces could be counted as allies from whom to gain insights into how to set up effective security.

The paranoid among us might wonder: but how can we trust these people? Maybe they are trying to give us just enough information so that we keep most people out, but not them. Well, that brings us back to learning good spycraft, because you can't necessarily trust these people to help you. And perhaps you'll need to put the information together piecemeal.

We live in a more connected, open world. That means keeping secrets is increasingly difficult. Good lawyers must be trained in ways to do this, and both law schools and individual practitioners ought to take note.



r1 - 22 Dec 2014 - 20:35:46 - ScottYakaitis
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.