University of Virginia School of Law | #government | #hacking | #cyberattack

The more sophisticated perpetrators often knocked twice on the biggest doors — seeking one payment to restore system functions, and a second to prevent a public data dump.

In responding to an attack, attorneys for the most part take the 30,000-foot view, though a select few lawyers do possess advanced technical credentials.

“It could be a call in the middle of the night,” said Web Leslie ’19, an associate practicing in data privacy and cybersecurity at the law firm Covington in D.C. “Or in some cases we might come in later in the process to assist with the forensic work to determine what’s going on. But generally, we’re brought in to manage the bigger picture.”

In addition to recommending how and when to notify authorities, lawyers must assess “the broader risks posed by an attack, including where the information in the breach could implicate other sensitive parts of the company,” Leslie explained. Firms may also help draft formal response plans, so that leaders know what steps to take in the future. Attorneys and IT experts can then run “tabletop exercises” that rehearse the organization’s execution of the plan.

Not that anything ever goes exactly as planned, Leslie said. 

A breach can lead to regulatory intervention and the kind of disputes that cause litigation, among other outcomes. “These risk categories can create significant financial exposure, brand risk, and distraction,” Woods and co-authors note for a chapter in the book “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers.” 

In the worst of scenarios, the result could be bankruptcy. 

Put in those terms, a decision not to disclose a breach is compelling for many business leaders. All 50 states do have some form of data breach notification requirements related to the exposure of consumers’ personal information. However, one alumnus speaking on background noted that the extent of a breach is often ambiguous, making it unclear if the need to disclose has been triggered. Still, he said, if a company’s daily operations were to be shut down due to an attack, there is no ambiguity; notification has already occurred. 

LARGE ORGANIZATIONS need to shift how they think about cyberattacks, said Jake Olcott ’05, vice president of communications and government affairs for BitSight. The cybersecurity ratings service analyzes the security performance of more than 40 million companies, government agencies and educational institutions, allowing its clients, which include Lowe’s and AIG, to assess the risks of conducting business with them.

“This is not just a tech problem; it’s often a fundamental governance problem,” said Olcott, who was a cybersecurity adviser to U.S. House and Senate committees earlier in his career. “I would love for our alums to really engage in this challenge. Whether you’re a general counsel or CEO or a board member, it’s actually your responsibility at the end of the day.”

While, yes, the IT department may be best positioned to apply the latest security patch quickly, and prompt patching, Olcott said, is a crucial indicator of whether or not an organization will become a victim of ransomware, the executives are the ones who decide program funding, reporting structures and the like.

Olcott’s company, in fact, is making it harder for C-suites to be lazy.

“We are continuously collecting literally hundreds of billions of security events about organizations on a daily basis,” Olcott said. “BitSight provides our data to insurance companies, and the insurance companies use that data during the underwriting process. If they see a concern, they can reach out to the company and say, ‘We really think you should take a look at this.’”

So how does his company get its information? Olcott compared the service to a consumer credit bureau: “All our data is externally observable. At no point am I, as the consumer, sending information to the credit rating agency.” 

Instead, BitSight pings for system weaknesses in ways similar to how the hackers probe: “In many situations we’re able to discern the vulnerability of a system by doing some very basic interactions with that system — browsers, operating systems, software on a particular network.” 

But the company also operates the world’s largest sinkhole network: servers set up to receive the traffic that malware sends to its command-and-control addresses, so that it can be observed instead of reaching the attacker.

“When a bad guy tries to break into your network, they often send a spear-phishing email,” Olcott explained. “When the malware is downloaded, the first thing it tries to do is send a beacon back that says, ‘I’m in. What do you want me to do next?’ A sinkhole intercepts those communications. When a bad guy sends one of those spear-phishing emails, the link often includes an address to contact. They’re running so many of these addresses that sometimes they forget to reregister them. When that address expires, it’s kind of open for anyone to take over and register those websites. We’ve taken over a lot of addresses that used to belong to bad guys.”
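The mechanism Olcott describes, as an added example that is not BitSight’s code or anything from the original article: a defender who has registered an expired command-and-control domain stands up a listener that answers every request with an inert reply and records who called. The domain name, the beacon path, the bot identifier and the implant check-in below are all constructed for the demonstration; the “beacon” is a plain HTTP POST that stands in for a real implant, and everything runs against the loopback address.

```python
"""Minimal HTTP sinkhole for a re-registered C2 domain (illustrative, constructed example)."""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class SinkholeHandler(BaseHTTPRequestHandler):
    """Record every check-in; never send tasking back to the caller."""

    def log_message(self, *args):  # silence the stdlib access log
        pass

    def _record(self):
        body_len = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(body_len) if body_len else b""
        record = {
            "src_ip": self.client_address[0],        # the infected host (or its egress address)
            "host": self.headers.get("Host", ""),    # the sinkholed domain the implant tried to reach
            "path": self.path,                       # beacon URI, often family-specific
            "user_agent": self.headers.get("User-Agent", ""),
            "method": self.command,
            "body": body.decode("utf-8", "replace"),
        }
        with self.server.lock:
            self.server.records.append(record)
        # Inert 200 with an empty body: the implant learns nothing and gets no commands.
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = _record


class Sinkhole(HTTPServer):
    def __init__(self, addr):
        super().__init__(addr, SinkholeHandler)
        self.records = []
        self.lock = threading.Lock()


def send_beacon(url, host_header, bot_id):
    """Stand-in for an implant's first check-in: 'I'm in, what next?' (constructed, not real malware)."""
    payload = json.dumps({"id": bot_id, "msg": "checkin"}).encode()
    req = urllib.request.Request(
        url, data=payload, method="POST",
        headers={"Host": host_header,  # hypothetical expired C2 domain, now ours
                 "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0)"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def victims_by_source(records):
    """Aggregate check-ins per source IP: the list a sinkhole operator uses for victim notification."""
    out = {}
    for r in records:
        entry = out.setdefault(r["src_ip"], {"count": 0, "domains": set()})
        entry["count"] += 1
        entry["domains"].add(r["host"])
    return out


def run_demo(expired_c2_domain="updates-check.example", beacons=3):
    """Start a sinkhole on loopback, fire a few simulated beacons at it, return what it captured."""
    server = Sinkhole(("127.0.0.1", 0))
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        for i in range(beacons):
            send_beacon(f"http://127.0.0.1:{port}/gate.php", expired_c2_domain, f"bot-{i}")
    finally:
        server.shutdown()
        server.server_close()
    return server.records


if __name__ == "__main__":
    captured = run_demo()
    for ip, info in victims_by_source(captured).items():
        print(ip, info["count"], sorted(info["domains"]))
```

The fields worth keeping are the ones that identify the victim and the malware family (source address, Host header, beacon path, user agent), not the payload; a sinkhole that echoed tasking back would itself be operating the botnet.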

In September, the risk assessment firm Moody’s became the majority shareholder of BitSight, increasing the profile of both companies as they partner on new offerings. BitSight is just one of numerous entrepreneurial efforts springing up to solve the problem of data vulnerability. Olcott said that until the government can act to improve the situation, “companies these days are on their own.”

CYBERCRIME LAW AND POLICY at the federal level have struggled to keep pace with the trends of the past decade, much less the real-time threats. Prosecutors find themselves in the unusual position of lacking the leverage they have over other types of crime, because the culprits are often beyond the reach of the U.S. and its allies.

One alumnus, speaking on background, said that authorities must find more effective ways to cut off the flow of money. Like an invasive plant, the encroachment won’t end until the government can dry up the vine at ground level. 

The Treasury Department first advised last year that intermediaries who facilitate ransomware payments risk sanctions, but that policy may prove tricky to enforce because there is no law prohibiting a victim or insurer from paying a ransom. Lawmakers agree that an outright ban on payments could be fatal to certain exposed businesses.
