Cybersecurity Law Firms Needed to Combat Terrorism Threat

By John Pacenti
October 31, 2012

The next mass terrorism attack may not involve planes, trains or buildings. It very well may involve cyberspace and could be felt by Americans when their lights, computers or smart phones go on the fritz as networks are compromised.

Al Qaeda already has posted an online video calling for an “electronic jihad.”

“They likened the vulnerabilities within the Internet to be like the vulnerabilities found in the aviation security area pre-9/11,” says Elisabeth S. Preston, an attorney and cyberterror expert with McMillan in Ottawa, Canada.

Preston was part of a four-lawyer panel last month at the annual conference of the American Bar Association's International Law Section in Miami Beach.

The consensus was grim. The attorneys agreed if a cyberwar were declared on the United States, it would lose. The good news is there is plenty of room for improvement, and that means lucrative opportunities for law firms that want to move into computer and data security. The government will need to rely on private contractors increasingly in this area, opening up new areas for legal consulting and defense work.

Already, companies like Verizon Communications Inc. and Sony Corp. have had to ward off litigation due to security breaches, panelists said.

But if it comes to war, cyberattacks almost certainly will be part of the battlefield.

“I expect it's inevitable that future major military conflicts will have a cyber-component one way or another,” said Jason C. Chipman, an attorney with Wilmer Cutler Pickering Hale and Dorr in Washington. “We have already seen early examples of that.”

Stuxnet

The highest-profile covert cyberattack may very well have come from the United States via a program called Stuxnet. The computer worm was designed to cause 100 uranium enriching centrifuges in Iran to spin out of control and shut down. The 2010 attack was designed to destabilize Iran's enrichment program that many fear could lead to a nuclear weapon directed at Israel.

Stuxnet was no home-grown worm unleashed by a hacker in his mom's basement. It was a highly sophisticated program.

“That was one of the most single technologically advanced viruses,” said panelist David Bodenheimer, a Washington partner at Crowell Moring. “It took months to prepare, millions of dollars. There were only five countries on the face of the Earth that could have put that together.”

The Joint Chiefs of Staff has confirmed repeated Iranian cyberattacks on U.S. banking institutions, including Bank of America and JPMorgan Chase, most likely in retaliation for Stuxnet.

Bodenheimer, a member of the ABA's Science and Technology Section, said cyberterrorism is the “biggest, scariest topic of our time.” He said foreign countries already have been detected in the U.S. power grid.

A 'Digital Pearl Harbor'

Secretary of Defense Leon Panetta warned of a potential “digital Pearl Harbor” during a speech in New York last month in front of Business Executives for National Security at the Intrepid Sea, Air, and Space Museum, an old aircraft carrier moored in New York City. “That means bringing down the water systems, bringing down air traffic control, essentially paralyzing the country without sending a single airplane or ship into U.S. territory,” he said. Panetta included a direct appeal to the nation's business community to cooperate with the U.S. government on cybersecurity measures: “Ultimately, no one has a greater interest in cybersecurity than the businesses that depend on a safe, secure, and resilient global digital infrastructure.” Panetta revealed previously classified information in the speech: “We know that foreign cyber actors are probing America's critical infrastructure,” he said. “They are targeting the computer control systems that operate chemical, electricity, and water plants, and those that guide transportation through the country.” The defense secretary referred to cyber threats as being “at the very nexus of business and national security.”

Panetta also referred to the “so-called Distributed Denial of Service attacks” that targeted large U.S. financial institutions recently. “These attacks delayed or disrupted services on customers websites,” Panetta said. “While this kind of tactic isn't new, the scale and speed with which it happened was unprecedented.” Those attacks against the private sector represent a “significant escalation of the cyber threat,” he added.

Panetta said his department is “focusing on three main tracks” when it comes to defending the country. In addition to “developing new capabilities,” and creating the necessary policies and organizations, he said the department's third area of focus is “building much more effective cooperation with industry and with our international partners.”

Despite Panetta's emphasis on information sharing, he said that practice alone “is not sufficient.” He said the department also needs to work with businesses “to develop baseline standards” to protect critical infrastructure that's in private hands. “Although awareness is growing, the reality is that too few companies have invested in even basic cybersecurity,” he said. (See, “Panetta Warns of Dire Threat of Cyberattack on U.S.,” The New York Times, Oct. 11, 2012, http://nyti.ms/S8tgls. A transcript is available at http://1.usa.gov/PSjynZ.)

The good news for legal firms is offensive and defensive cyberstrategies will pull in the private sector in what will amount to an electronic arms race, Bodenheimer told International Law Section meeting attendees. This will open up a rich vein for the legal field to advise companies on liability in case of a breach.

“The contractors who are on the battlefront, they are going to be caught in the crossfire of the cyberwar,” Bodenheimer said.

Breach Coaches

Panelist Mark Nackman, assistant general counsel for General Dynamics Advanced Information Systems in Fairfax, VA, said many companies are going to need “breach coaches,” and he said lawyers are perfectly suited for that role.

Breach coaches walk companies through a crisis when a security system has been infiltrated.

“I think there is a very strong argument to be made attorneys make the best breach coaches, and that is because what advice they are giving you is protected by attorney-client privilege,” Nackman said.

The panelists said other countries such as China and even Canada are more prepared for a cyberattack than the United States. President Barack Obama in 2009 said the “cyber threat is one of the most serious economic and national security challenges we face as a nation.”

He noted when Russian tanks rolled into Georgia in 2008, cyberattacks crippled Georgia's government websites.

Preston said the first documented use of cyber warfare was a 1991 attack in Iraq by the United States when the Internet was used to demoralize Iraqi officers and soldiers and instruct them how to surrender.

Since then, she said, political cyberattacks have become much more complex. In September, Preston said, at least nine Japanese websites, including those of a government ministry, courts and a hospital, were targeted, apparently by China.

Soft Underbelly

Attacks often are traced initially to innocuous sources, such as a community college server that has been hijacked. The potential for devastation is huge because relatively small terrorist cells can gain control of armies of computers.

Bodenheimer said shutting down power grids and other key infrastructure could cost $700 billion.

Mike McConnell, the former director of national intelligence, told President George W. Bush in 2007 that if the 9/11 attackers used computers instead of aircraft and targeted banks instead of buildings, the damage would have been much greater. He called cybersecurity the “soft underbelly of this country.”

The panelists said the question is when a cyberattack can be considered an act of war under the Geneva Conventions, the Hague Conventions or the U.N. charter.

Chipman said a cyberattack that takes down an electrical plant or opens a floodgate is clearly definable as aggression. He said the notion that cyberspace exists in the ether is not true. Servers are connected through satellites and cables. Chipman said they are as tangible as railroads and telephone lines.

Bodenheimer, though, said he thinks the law has yet to settle in the area of cyberterrorism.

“We are truly operating in the Wild West, on the frontier, and many of these legal issues will be determined in the next few years,” he said.


John Pacenti writes for the Daily Business Review, the Miami-based ALM affiliate of Internet Law & Strategy. This article includes additional reporting from Catharine Dunn of Corporate Counsel.
