The US government and companies all over the world are experiencing a striking wave of highly organized, pervasive state-sponsored hacking, known as Advanced Persistent Threats (APT). These assaults began years ago with military and defense contractors, but more recently, APTs have targeted virtually every industry sector, including news organizations and energy, manufacturing, technology, telecommunications, project management and professional services organizations contracting with such firms.
This interview with Latham & Watkins partner Jennifer Archie and Co-President of Stroz Friedberg Eric Friedberg explores why APTs require an integrated, cross-functional response, and why as a matter of corporate governance, the legal function should be front and center in preparing for and responding to APTs.
Why do lawyers need to be fluent in this aspect of cybersecurity?
Archie: Lawyers, directors and officers all have legal and/or ethical duties to safeguard and protect a company’s confidences and assets.
For lawyers, there are serious issues of managing legal privileges in any kind of a legal crisis, and an APT most certainly is just that. Legal agreements with vendors, partners, suppliers and purchasers alike must be drafted with security threats and standards of care in mind, and similarly must be interpreted and followed after the fact. Finally, when the confidentiality of a company’s most sensitive trade secrets has been deeply compromised, as is the case with many APT attacks, the legal consequences to the company can be far reaching and persistent.
What are some of the common attributes of APT attacks, as a technical matter?
Friedberg: The average time that intruders are in the network before detection is six months, and that’s usually six months of having very significant network access. So the board- and the governance-level implications of discovery are very significant.
Attacks are often done with backdoors or other redundancies, so that if they are detected and you are able to kick them out on day five, they will come back in a different way on day six. They will try to come back for weeks, or months or sometimes for years. Therefore you have to have governance structures that are set up to deal with the fact that your adversary intends to keep after you for months or even years.
What trends are you seeing in recent APT attacks?
Friedberg: What we’ve found — and the FBI has confirmed — is that certain sectors have gotten much tighter, so what the attackers are doing is trying to come in through softer targets that are connected through to those harder targets. So we’ve seen a spate of attacks on law, public relations and headhunting firms because they can be treasure troves of information about their clients — and because of the connectivity between these types of companies and their clients.
As a result, we’ve seen clients come back to their law firms and impose IT security checks. We’ve also seen a number of law firms become very concerned given who they are representing because it can increase their likelihood of attack.
What are the most important steps non-IT executives can take to prepare for an APT?
Friedberg: First, it’s important to be aware of whether an APT has already happened, but not been detected. Senior executives need to consider whether to proactively undertake forensic analysis to evaluate and report on whether the threat is already real. Second, companies should immediately identify and train the in-house team (IT, legal, communications, internal audit, risk management, etc.), via table top exercises or other briefings designed to test and improve the incident response function. In this way, in an actual APT, man-hours, tools and resources will be better directed toward containment, communication and analysis of legal and technical risks arising from the attack.
Can you identify some of the pre-breach legal work organizations can do to prepare for a well-managed response to an APT threat?
Archie: Most companies will not have the policies, procedures or frankly in house forensic expertise necessary to detect or respond to an APT. Thus, the pre-incident objective is to be prepared with the right team and tools for quickly understanding the duration, scope and impact of the attack, and then making appropriate legal judgments about notification of and engagement with law enforcement authorities, affected contract partners and perhaps the public.
In addition, where possible, contracts should be drafted with these types of incidents in mind. Of course, many pertinent agreements will have been negotiated and signed. Ideally, in large organizations with diverse and complex customer, service provider and supplier agreements in place, the law department should have ready access to a searchable database of contracts that has already identified and catalogued key agreements for the applicable terms, on the topics of security performance standards and security incident handling.
In our experience, contract terms vary widely in terms of the level of specificity and immediacy required in the event of an attack on relevant data. Some may require immediate notification to your partners’ incident response team, and regular status updates or others may be as general as a duty to “notify of criminal violations of law” or to have and document a written security management plan. These contract terms should be identified and understood in advance of an attack, to avoid a reactive or uncoordinated response.