Law Firms Slow to Awaken to Cybersecurity Threat
Differentiated from hackers, 'advanced persistent threats' spy on high-profile targets for long periods of time
The National Law Journal
March 09, 2010
An oddly worded e-mail was the first sign of something amiss at Los Angeles firm Gipson Hoffman & Pancione. It didn't read like the messages the firm's attorneys usually sent each other -- didn't pass the "smell test."
His suspicions raised, the recipient, associate Gregory Fayer, picked up the phone and discovered that the colleague who supposedly sent the e-mail knew nothing of it. Other attorneys at the firm also received the bogus e-mail, which was eventually traced to China -- where Gipson Hoffman is litigating a $2.2 billion copyright infringement suit against the government. Fayer was well aware that cyberattackers often use fake e-mail messages to break into computer networks.
The firm couldn't directly link the bogus messages to its lawsuit -- the FBI is still investigating the matter -- but found it hard to dismiss as mere coincidence. Notably, the episode followed closely on the heels of Google's announcement that hackers had broken into the Gmail accounts of several Chinese human rights activists.
Although the public acknowledgement of the attack was unusual, it was hardly the first time that a law firm has been targeted by a sophisticated network of overseas hackers looking to infiltrate computer systems in order to gather data or monitor attorney activity, according to attorneys and technology experts.
Law firms have dealt quietly with cyberattacks for years, but lately those strikes appear to be on the rise, said Marc Zwillinger, a former partner at Sonnenschein Nath & Rosenthal who this month opened Zwillinger Genetski, a Washington law boutique specializing in internet security and data privacy.
"The activity focusing on law firms has definitely picked up in the past year or two, compared to what it was," said Zwillinger, who has advised law firms dealing with cybersecurity breaches. "We've been seeing a fair bit of activity where the attacker is looking to acquire information that has strategic value."
Law firms are attractive targets for cyberattackers because they maintain sensitive client information on their systems, according to attorneys and technology consultants. Perpetrators may be digging for litigation strategies, negotiation tactics, details on pending deals, or other specific information that could aid governments, competitors, or other entities. The bulk of cyberattacks originate overseas, with China leading the pack, they said.
Firms don't often realize that their computer systems have been infiltrated and rarely go public if they do face a security breach, Zwillinger and other internet security experts said. That makes it difficult to pin down how pervasive the problem is, although "it's probably one of the top five things I worry about on a day-to-day basis," said Howard Niden, the chief information officer at Chicago's Mayer Brown.
'ADVANCED PERSISTENT THREATS'
A recent report by computer security firm Mandiant concluded that law firms -- along with nonprofit and government organizations, defense contractors, and other manufacturers -- are being targeted by sophisticated and well-funded teams of cyberattackers. Mandiant itself has assisted more than 50 law firms in the aftermath of computer breaches, many with clients or cases in China.
The report referred to these as "advanced persistent threats" and differentiated them from what people typically think of as hackers -- individuals who infiltrate computer systems to build their own reputations, crash those systems, or steal specific financial information such as credit card or Social Security numbers. The goal of advanced persistent threats usually is to spy on the target for long periods of time. The high-profile cyberattacks on Google and other U.S. companies in January were just examples of what Mandiant considers an advanced persistent threat attack.
"If you are a law firm that happens to be involved in litigation [the cyberattackers] are interested in, or you have a client involved in a potential merger or acquisition, then a great way to gain insight into your activity is to get into your system," said Stephen Surdu, vice president of professional services at Mandiant. "They will obtain intelligence about the negotiation strategies, about the pricing approaches. If you're sitting across the table from someone in a negotiation, it's great to know how they are going to move."
Mandiant would not disclose the names of any of the firms it has advised, but its report detailed a 2008 case concerning a law firm involved in a Chinese lawsuit. Cyberattackers infiltrated the firm's network and obtained more than 30 user passwords that allowed them to export thousands of e-mail messages. The attackers could access any server, laptop, and workstation in the law firm's network, according to the report.
"The reason they focus on e-mail is, if you don't know where the important information is, all you have to do is attach yourself to the right people in the organization and the information will come to you," Surdu said.
The most common way for cyberattackers to gain access to an organization's network is through so-called "spear phishing," in which the perpetrator sends a phony e-mail that, when opened, installs some sort of malware or other software that will allow them to exploit the target's network, according to the report.
It was this type of spear phishing that tipped off the attorneys at Gipson Hoffman & Pancione that someone was trying to gain access into the firm's system.
"I think the eye of the storm for these attacks has definitely been China," said Fayer, who is among the attorneys representing CYBERsitter. The firm is suing the Chinese government on the company's behalf for distributing what it says is pirated internet filter software. "It's no secret that these attacks have taken place in recent days, and we were firmly prepared for what was to come."
Often, law firms never figure out on their own that their networks have sustained serious breaches, largely because advanced persistent threat attacks are designed to be difficult to detect. Most firms learn of network security problems from third parties, often law enforcement authorities, said Stewart Baker, a partner at Washington's Steptoe & Johnson LLP and former assistant secretary for policy at the Department of Homeland Security.
"I've heard stories of the FBI going to law firms and saying, 'We've found a bunch of your files in an intermediate server,'" Baker said. "They could be on their way to China."
Not all cyberattacks originate in China -- in fact, it often is difficult to determine points of origin because attacks are routed through a number of intermediate computers. The Mandiant report noted that the scale and logistics of recent attacks suggest that they may be state-sponsored, although the company has no way of proving that. However, the attacks tend to occur during daytime hours in China, the report said. Secretary of State Hillary Clinton criticized China in a Jan. 21 speech for cyberattacks against U.S. government agencies. She demanded that China investigate the attack on Google. Chinese government officials have denied that their military was involved.
A DELICATE DILEMMA
Although technology officers confirm that cybersecurity is a concern, the problem is a delicate one. "No law firm wants to acknowledge that confidential data was disclosed, so there's an incentive not to talk about it," Zwillinger said. "It doesn't get discussed a lot, and it only comes up when law firms have a good handle on the problem."
Another thorny question is how much to disclose to clients whose information may have been stolen. Law firms often fear that disclosing such a breach may prompt their clients to take their business to a competing firm, even though that competing firm likely has no better capacity to protect the client's information, Baker said.
Law firms have an ethical obligation to inform clients if confidential information has been compromised, Zwillinger said, but in many cases there is no legal requirement to disclose a breach. Most states require disclosure if the confidential information is financial in nature, such as credit card or Social Security numbers, he said.
When it comes to network security, however, law firms in general do not invest as heavily as do other industries, several attorneys and security consultants said.
"They've never embraced security like the high-tech organizations or the defense industrial base," Surdu said. "It just hasn't been a part of their mindset. I think the mindset among lawyers generally is to view security as a necessary evil that makes their lives more difficult."
Network security at law firms typically is handled by technology specialists and it's rare to find a senior partner with a comprehensive understanding of the issue, Surdu said. It's especially difficult for law firms to know how much they should spend on network security when they often don't even realize that they have been targeted by cyberattacks.
The sophistication of law firm network security varies, Zwillinger said. His former firm Sonnenschein uses a two-factor authentication system for attorneys to remotely access their e-mail. In addition to user names and passwords, attorneys need a continually changing password that is transmitted on a key fob in order to log on remotely.
Mayer Brown hires security experts to audit its defenses, and they try to break into the firm's network, Niden said. The firm monitors security activity and has seen periods in which there was an increase in outsiders trying to break in, but has not sustained any large-scale cyberattacks, he said.
"We try to create multiple hurdles people would have to get across," Niden said. "All of the things we're doing doesn't mean someone can't break in, but we will make it more difficult for them."
Law firms are not the only businesses grappling with cybersecurity threats. A recent report from security software company Symantec found that 75 percent of the 2,100 international companies it surveyed had been the targets of a cyberattack in 2009 and lost an average $2 million in revenue, productivity and customer trust.
To avoid breaches, attorneys and firms should think about what information on their networks is likely to be of interest to the outside world and place extra security measures around that data, Zwillinger advised. "Lawyers should start thinking of themselves as more interesting targets than they have in the past," he said.
That's especially true if firms have business interests in China, Surdu said.
"As long as you have clients who have business dealings in that part of the world, I think you are as much a target as an organization that has physical facilities there," he said.