Part 4: The Rise of Post-Quantum Computing and the Future of Cybersecurity

The recent wave of cybersecurity breaches at our country’s largest law firms makes it evident that the way the legal sector secures our digital assets must change. The White House’s National Cybersecurity Strategy (“NCS”) seeks to address this. In this series of articles, telecom veteran and legal tech CISO David Roberts offers his thoughts on what the NCS, its implementation strategy, its five pillars of cybersecurity structure, and the evolving threats it hopes to thwart, mean for law firms, their clients, and the future of law in the digital age.

Part 3 of this series considered vendor management.

In our earlier three articles on cybersecurity for law firms and their clients, we’ve taken a close look at the White House’s National Cybersecurity Strategy and its five pillars, how attorneys and their firms are arming themselves against breaches (or in many cases, aren’t) and the best practices for so doing.

However, one of the tenets of the new cybersecurity strategy is that there’s an urgency in preparing existing systems and technology for the threats and challenges we are about to face. One of the goals of this series is to prepare law firms for the changes that are on the horizon, particularly as more firms and clients become global and data is moved around the world. Those are just some of the reasons that several of the five pillars focus on this: For example, Pillar 4 calls for Investing in a Resilient Future and Pillar 5 involves Forging International Partnerships to Pursue Shared Goals.

Preparing for the Future
Among the strategic objectives for Pillar 4 is to prepare for the post-quantum future. So, what does that mean? According to the National Cybersecurity Strategy, “Strong encryption is foundational to cybersecurity and global commerce. It is the primary way we protect our data online, validate end users, authenticate signatures, and certify the accuracy of information.” Law firms, like many other organizations, have relied on encryption to achieve these goals. But the rise of quantum computing means that some of these encryption standards can be broken.

What We Talk About When We Talk About Post-Quantum Computing
Post-quantum computing has emerged as a pivotal frontier in the rapidly evolving landscape of information technology. As traditional cryptographic methods face potential vulnerabilities with the advent of powerful quantum computers, post-quantum computing seeks to develop new encryption techniques that can withstand quantum computational power. At its core, post-quantum computing represents a paradigm shift from classical computing approaches. While conventional computers rely on binary bits to process information, quantum computers leverage quantum bits, or qubits, which can exist in multiple states simultaneously, enabling exponential computational speed-ups. This transformative potential, however, poses a significant challenge to current cryptographic systems, as quantum computers could crack the encryption algorithms that safeguard sensitive data.

Post-quantum computing endeavors to construct encryption methods that are resilient to quantum attacks. These cryptographic systems draw inspiration from diverse mathematical principles, such as lattice-based cryptography, code-based cryptography, and multivariate polynomial cryptography, among others. These novel approaches aim to create encryption techniques that remain secure even in the face of quantum computing’s computational prowess.
As our digital world becomes increasingly interconnected, the integrity and confidentiality of data become paramount. Post-quantum computing represents a crucial endeavor in ensuring that our digital infrastructure remains robust and resilient against emerging threats. By developing encryption methods impervious to quantum attacks, post-quantum computing pioneers the path to a secure and sustainable digital future. That includes the development of AES, or Advanced Encryption Standard, to replace the outdated DES, or Data Encryption Standard. AES, which offers far greater security, is the brainchild of two Belgian cryptographers, who created it in response to a National Institute of Standards and Technology (NIST) request in 1997 for candidates to replace DES.

This also raises new questions: what the timeline is for post-AES or post-quantum encryption to be created (if it hasn’t been done already), whether the U.S. government will create or solicit it in similar fashion, and whether it will take 20 years to need a new encryption baseline at the pace of current computing horsepower. After all, it appears that the National Security Agency (NSA) is already developing post-quantum cryptography algorithms, with limitations.
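As an added illustration of the lattice-based approach named above (example code written for this page, not the article’s, NIST’s or the NSA’s), the toy Regev-style Learning With Errors (LWE) scheme below hides each bit inside noisy linear equations modulo q, and then shows why the noise matters: strip it out, and ordinary Gaussian elimination recovers the secret key straight from the public key. The parameters are tiny and insecure by design; standardized schemes such as NIST’s ML-KEM use structured lattices and far larger parameters.

```python
import random

# Toy Regev-style LWE public-key encryption (added example, not the article's code).
# Parameters are deliberately tiny for readability; they are NOT secure.
N = 8      # dimension of the secret vector s
M = 20     # number of LWE samples (rows) in the public key
Q = 257    # prime modulus; Q > 4*M keeps decryption noise below Q/4


def keygen(rng):
    """Secret s in Z_q^N; public key (A, b) with b = A*s + e (mod q), e small."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]          # the "errors"
    b = [(sum(a * si for a, si in zip(row, s)) + ei) % Q for row, ei in zip(A, e)]
    return s, (A, b)


def encrypt_bit(pk, bit, rng):
    """Sum a random subset of public-key rows; the bit rides on the constant term."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (sum(r[i] * b[i] for i in range(M)) + bit * (Q // 2)) % Q
    return u, v


def decrypt_bit(s, ct):
    """v - u*s = r*e + bit*floor(q/2): small means 0, near q/2 means 1."""
    u, v = ct
    d = (v - sum(ui * si for ui, si in zip(u, s))) % Q
    if d > Q // 2:          # centre d into (-q/2, q/2]
        d -= Q
    return 1 if abs(d) > Q // 4 else 0


def encrypt_bytes(pk, data, rng):
    """Bit-by-bit encryption, most significant bit of each byte first."""
    return [encrypt_bit(pk, (byte >> k) & 1, rng) for byte in data for k in range(7, -1, -1)]


def decrypt_bytes(s, cts):
    out = bytearray()
    for i in range(0, len(cts), 8):
        out.append(sum(decrypt_bit(s, c) << (7 - k) for k, c in enumerate(cts[i:i + 8])))
    return bytes(out)


def solve_mod_q(A, b):
    """Gaussian elimination over Z_q (q prime) on the augmented system (A | b).
    Returns s when the system is consistent with full column rank, else None."""
    rows = [row[:] + [bi] for row, bi in zip(A, b)]
    m, n = len(rows), len(A[0])
    pivot = 0
    for col in range(n):
        piv = next((r for r in range(pivot, m) if rows[r][col] % Q), None)
        if piv is None:
            return None                                    # rank deficient
        rows[pivot], rows[piv] = rows[piv], rows[pivot]
        inv = pow(rows[pivot][col], -1, Q)
        rows[pivot] = [(x * inv) % Q for x in rows[pivot]]
        for r in range(m):
            if r != pivot and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % Q for x, y in zip(rows[r], rows[pivot])]
        pivot += 1
    if any(rows[r][n] % Q for r in range(pivot, m)):
        return None                                        # inconsistent: noise present
    return [rows[i][n] for i in range(n)]


def demo_roundtrip(message, seed):
    """Encrypt and decrypt a constructed message; returns the recovered bytes."""
    rng = random.Random(seed)
    s, pk = keygen(rng)
    return decrypt_bytes(s, encrypt_bytes(pk, message, rng))


def noise_free_key_leaks(seed):
    """With e = 0 the public key is a plain linear system: elimination yields s."""
    rng = random.Random(seed)
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    b = [sum(a * si for a, si in zip(row, s)) % Q for row in A]
    return solve_mod_q(A, b) == s


def noisy_key_resists_elimination(seed):
    """With small errors the system is inconsistent, so elimination alone fails.
    (At these toy sizes guessing e would still work; security needs real parameters.)"""
    s, (A, b) = keygen(random.Random(seed))
    return solve_mod_q(A, b) != s


if __name__ == "__main__":
    print(demo_roundtrip(b"privileged", 7))               # constructed sample input
    print(noise_free_key_leaks(1), noisy_key_resists_elimination(1))
```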

Managing Threats From Overseas
While it’s vital to monitor developments by the U.S. government, cybersecurity threats obviously don’t recognize boundaries, which is why Pillar 5 is focused on international partnerships. And it’s an area that law firms and their clients will also need to focus on in the post-quantum future. As we discussed in the last article, vendor management will be a critical component of this. One of the strategic objectives of Pillar 5 is to secure global supply chains for information, communications and operational technology products and services.

NIST also offers resources around Cybersecurity Supply Chain Risk Management, or C-SCRM, which is a key aspect of supporting this pillar. According to NIST, C-SCRM should be part of an organization’s overall risk management approach, including identifying and assessing possible risks and determining appropriate response actions. NIST recently updated Special Publication 800-53, “Security and Privacy Controls for Information Systems and Organizations,” to include two new control families: Personally Identifiable Information Processing and Transparency, and Supply Chain Risk Management. SCRM has historically been a requirement in most major federal contracting opportunities, but NIST only recently caught up to the supply chain issue with 800-53 rev. 5. This is now pushed out federal-wide as the baseline control set for most System Security Plans (SSPs).

The Rise of New Regulations
It’s not just the United States exploring new regulations. The General Data Protection Regulation (GDPR), a milestone in data protection, was enacted by the European Union (EU) in May 2018 to fortify individuals’ privacy rights and regulate the processing of personal data. GDPR embodies a comprehensive framework aimed at empowering individuals with control over their personal data and enhancing transparency in how organizations, like law firms, handle this data. The primary rationale behind GDPR lies in addressing the digital age’s rapid proliferation of data, which has sparked concerns about potential misuse, breaches and unauthorized access. GDPR applies extraterritorially, meaning that any organization, regardless of its physical location, that processes EU citizens’ personal data is bound by its provisions. For American law firms conducting business overseas, GDPR imposes significant implications. In an era of global connectivity, law firms frequently manage client data that could involve EU citizens.

GDPR demands meticulous adherence to stringent data protection measures, necessitating enhanced security protocols, transparent data processing practices and timely breach notifications. By embracing GDPR’s principles and aligning their practices, law firms can reinforce their commitment to safeguarding data privacy while seamlessly conducting business across borders. In essence, GDPR heralds an era where the protection of personal data transcends geographical boundaries and becomes a universal hallmark of responsible data management.

The International Association of Privacy Professionals (IAPP) has also developed the Privacy by Design framework, which seeks to infuse privacy considerations into the very fabric of product and service design. By integrating privacy principles from the outset, the Privacy by Design framework ensures that data protection becomes an inherent and inseparable component of technological advancements. The Organization for Economic Cooperation and Development (OECD) has emerged as a pivotal player in shaping data privacy on a global scale. The OECD has crafted guidelines for the protection of personal data, setting forth a comprehensive framework for the responsible collection, utilization and safeguarding of personal information. These guidelines serve to harmonize practices across borders and promote a universal commitment to data protection.

The combined efforts of organizations like the IAPP and OECD underscore the urgency of prioritizing data privacy in an interconnected world. As technology continues to reshape the boundaries of human interaction, these guidelines propel the development and deployment of data-driven innovations while safeguarding the fundamental rights of individuals. By adhering to these best practices, law firms that practice globally can embrace data privacy as a cornerstone of their operations, fostering trust, accountability and security in a digital age.

Global law firms face their own challenges when it comes to both managing potential cyber threats as well as regulations. Along with the biggest of firms, though, smaller firms with smaller clients should also be working to get ahead of the coming regulatory curve by voluntarily meeting or exceeding current requirements.

Over these last four articles, we’ve taken a deep dive into the current and future state of cybersecurity, national and international regulations, what law firms need to know, and why they need to care. While the issues around cybersecurity may seem daunting, there are many available resources and guidance to help law firm attorneys navigate this ever-changing landscape. And law firms need to start planning now, before these regulations are finalized, so they aren’t caught unprepared and uninformed, and even worse, vulnerable to attacks.

David Roberts recently completed a stint as the CISO for a legal technology startup with an access-to-justice social mission. David is a highly credentialed cybersecurity and security framework expert with entrepreneurial and C-level experience in multiple technical organizations spanning over 2 decades. Most recently, he achieved system-wide FISMA Moderate certification covering all security, compliance, and regulatory components for the companies winning part of the GSA EIS contract, a 15-year, $50 billion technology services contract (IDIQ) covering 37 technical categories. He holds multiple degrees including a MAR from Liberty University, MATS from American University of Biblical Studies, BBA from Clayton State University, and recent programs in Technology Leadership from Cornell University. He currently holds the following industry credentialing: CISSP, CCSP, SSCP, CAP, CSM®, CCP, & AZ-900.

Part 3 – Managing Your Vendors—and Others

Part 2 of this series explored the rise and risk of ransomware attacks.

It was, according to NPR, a hack “unlike any other.” In 2020, SolarWinds, a Texas-based company, conducted a seemingly routine software update to its network management system. However, what happened next was anything but routine. As it turned out, hackers had inserted a code into that update that unleashed a massive cyberattack against the United States. And SolarWinds is still feeling the repercussions of that attack, known as Sunburst. In June, SolarWinds revealed that several current and former executives, including the CFO and CISO, received Wells Notices from the U.S. Securities and Exchange Commission indicating the intent to bring charges.

For many law firms and their publicly traded clients, a Wells Notice for a cyberbreach should be a serious wakeup call. In our last article, we discussed the perils of ransomware attacks and what law firms need to know about this in light of the White House’s National Cybersecurity Strategy. In this article, we discuss the cybersecurity perils involved with vendor management and the increasing liability that C-suite executives face when vendor management goes wrong.

The decision to serve a Wells Notice to SolarWinds’ CISO has sent shockwaves through the industry and raised substantial concerns about liability for those in that role. Smart law firms will start working very closely with their clients who have CIOs and CISOs to do a top-down reevaluation of reporting structures, insurance, portfolios and many other factors. Consider that many CISOs report to their CFOs; this type of organizational approach has always been problematic and now is increasingly a bad idea. As the SolarWinds situation demonstrates, CISOs need a seat on the board in order to do their job effectively—they don’t just need responsibility, they need authority to manage vendor relationships and ensure that vendors have the types of security protocols, such as SOC 2 and others, that can ensure the types of approaches the National Cybersecurity Strategy is designed to support. This type of approach is addressed in several of those pillars:

Pillar 4, Invest in a Resilient Future, includes a strategic objective to develop a national strategy to strengthen our cyber workforce.
Pillar 2, Disrupt and Dismantle Threat Actors, also addresses this in several strategic objectives, including increasing the speed and scale of intelligence sharing. The strategy also lays out strategic objectives to countering cybercrime.
Defeating ransomware by mounting disruption campaigns that are so effective that ransomware attacks are no longer profitable is another focus of this pillar. As discussed in the second article, ransomware is the number one cybersecurity breach portal today. It usually breaks down at a human level and via simple social engineering techniques.

Pillar 2 also lays out ways that federal disruption activities will be integrated; for law firms, that means they should expect that federal cyber regulations will start to flow down into the private sector. Pillar 2, in Section 2.2, also focuses on this public-private operational collaboration. This will not be a “make a law and require it to be met” methodology. Rather, it will be a working collaboration at the operational level.
Pillar 5, which deals with forging international partnerships to pursue shared goals, represents another area that will have a profound impact on large law firms, particularly those that represent clients that have their own international presences. The strategic objectives of this pillar address securing global supply chains for information, communications and operational technology products and services—in other words, vendor management. The focus here on Cybersecurity Supply Chain Risk Management, or C-SCRM, is critical. Although data privacy laws don’t always cover smaller businesses such as law firms, privately held corporations or companies with limited data, it is an opportunity for law firm leaders to get ahead of the coming regulatory curve by voluntarily meeting or exceeding current requirements for larger organizations.
Law firms not only must be prepared to respond to today’s threats, they need to consider what the future holds. In our next article, we will look at the threats we are about to face, including a post-quantum computing world.

Part 2: The Rise of Ransomware and Other Threat Actors

Part 1 of this series explored the National Cybersecurity Strategy, its Five Pillars and why law firm leaders need to care.

When most attorneys think of cybersecurity, what often comes to mind are data breaches and ransomware—and that’s for good reason. In the last few months alone, major law firms such as Quinn Emanuel Urquhart & Sullivan, Bryan Cave Leighton Paisner, Gibson, Dunn & Crutcher, Loeb & Loeb and Orrick Herrington & Sutcliffe have all reported data breaches. The threat actors I mentioned in the first article are getting smarter, better and greedier. That’s why the first pillar in the White House’s National Cybersecurity Strategy is “defending critical infrastructure,” and the second is “disrupting and dismantling threat actors.”

Currently, regulatory gaps create an environment ripe for cybersecurity incidents, which is one reason the White House created the National Cybersecurity Strategy. And while this initiative is coming from the Biden Administration, it is not a political issue: This framework builds on the work of prior administrations, according to the White House. “It replaces the 2018 National Cyber Strategy but continues momentum on many of its priorities, including the collaborative defense of the digital ecosystem.” This is a regulatory issue and is designed to answer a glaring need in the market. Law firms, their clients and everyone else can expect to see historically federal cyber strategies and regulations start to flow down into the private sector, with new regulation inevitable.

This touches on several of the strategic objectives upon which the five pillars are built:

Pillar 4 (Invest in a More Resilient Future) seeks a standardized approach to investing in the cybersecurity of today while maintaining and upgrading to make future cybersecurity infrastructure as robust as possible. One strategic objective of this pillar focuses on standardization with a strong emphasis on security protocols. This includes migrating vulnerable public networks to systems using quantum resistant cryptography.
Under Pillar 1 (Defend Critical Infrastructure), one strategic objective focuses on harmonizing and streamlining new and existing regulations. So, it’s helpful to consider this along with the recent EU-US Privacy Shield decision for regulatory alignment, under which personal data can flow freely from the EU to U.S. companies that participate in the Data Privacy Framework. These types of cybersecurity and privacy regulation will continue to grow and become more granular in definition and requirements. Enhancing collaboration is a theme throughout the National Cybersecurity Strategy.
But while law firms may be focused on minimizing the threats of ransomware, they are almost certainly not focusing on the right strategies. According to Verizon’s 2023 Data Breach Investigations Report, nearly three-quarters of data breaches involved the human element, such as social engineering attacks, errors or misuse. While this is an area that can be fixed, it requires ongoing investment and training. So, this represents an area where law firms need to focus their resources. One of the top returns on investment for cybersecurity defense is highly active security awareness training and exercises. This is also one of the lowest cost initiatives and reasonably easy to deliver.

Leaders at many law firms now may be reading this and thinking of all the different training methods they have in place to counter threats from ransomware and other attacks. And in fact, 100% of firms with more than 100 attorneys have some type of training, according to the ABA’s 2022 Legal Technology Survey Report. However, many of those training programs are ineffectual at best, as demonstrated by the recent spate of law firm breaches.

Other law firm leaders may find the prospect of more training to be a daunting task. But taking effective, proactive steps doesn’t have to be expensive or complicated. There are currently many low-cost and even free resources available to address the challenges the White House has identified. For example, the Cybersecurity & Infrastructure Security Agency (CISA) provides resources such as “tabletop exercise packages,” which provide tools to conduct planning exercises on a wide range of threat scenarios. After all, the costs of failing to act are much higher–and will only become more expensive, as regulations increase. And law firms must also consider the threats to their partners and others they work with—in our next article, we will tackle the challenges of vendor management.

Part 1: Cybersecurity—What Law Firms Need to Know Now, From a CISO in the Know

Surely every law firm leader knows they should be doing something about cybersecurity—and many of them believe they are doing enough. In fact, nearly 75 percent of law firm leaders think they are more or much more secure than their industry peers, according to a recent study by the International Legal Technology Association and Conversant Group, “Security at Issue: State of Cybersecurity in Law Firms.” Yet according to that same report, “…the detailed results demonstrated significant security gaps across firms of all sizes.”

So, it’s time for law firms to double check their cyber sophistication and cyber readiness. Their clients and the federal government are starting to demand much more from everyone—including law firms. And I can vouch for the seriousness of these demands—earlier this summer, I was invited to the White House by the Office of the National Cyber Director (ONCD), the executive office which advises the president on cybersecurity and policy, to participate in the Technical Workshop on Space Systems Cybersecurity.

The ONCD workshop is part of the White House’s ongoing efforts to identify gaps in U.S. cybersecurity policies and systems and prepare plans for tangible next steps to remedy those gaps in support of their National Cybersecurity Strategy. The report, released in March 2023 as a continuation of efforts started by previous administrations, aims to coordinate cybersecurity strategy and usher in a concentrated and centralized approach to cybersecurity.

It’s become obvious that tech has moved faster than the current systems that regulate it and that the regulations need to catch up. And catch up quickly. The new approach by the federal government almost certainly means that all parties in the data stream—which is to say, anyone who possesses or has access to data, including and perhaps especially law firms—are going to see new regulations and new accountability for how they hold that data.

The National Cybersecurity Strategy rests on five pillars, all of which will affect law firms.

Pillar 1: Defend Critical Infrastructure
There are several strategic objectives involved with Pillar 1, including establishing cybersecurity requirements to support national security and public safety; scaling public-private collaboration; integrating federal cybersecurity centers; updating federal incident response plans and processes; and modernizing federal defenses.
According to Verizon’s most recent annual Data Breach Investigations Report, 74% of breaches involved the human element, which includes social engineering attacks. That’s actually good news, since these types of attacks are readily fixable. One of the top returns on investment for law firms is highly active Security Awareness Training and exercises within an organization. This is also one of the lowest cost initiatives and reasonably easy to deliver.

Pillar 2: Disrupt and Dismantle Threat Actors
The strategic objectives for this pillar involve integrating federal disruption activities; enhancing public-private operational collaboration to disrupt adversaries; increasing the speed and scale of intelligence sharing and victim notification; preventing abuse of U.S.-based infrastructure; and countering cybercrime and defeating ransomware.

And the threat is serious; the FBI noted earlier this year in its request for increased funding for cybersecurity, that it “has seen a wider-than-ever range of cyber actors threaten Americans’ safety, security, and confidence in our digitally connected world. Cyber-criminal syndicates and nation-states continue to innovate and use unique techniques to compromise our networks and maximize the reach and impact of their operations…”

Pillar 3: Shape Market Forces to Drive Security and Resilience
Strategic objectives here seek to foster market compliance by balancing burdens and potential liabilities on software developers and services (including law firms) that maintain inadequate cybersecurity and data security practices. Objectives include holding the stewards of our data accountable; driving the development of secure Internet of Things (IoT) devices; shifting liability for insecure software products and services; using federal grants and other incentives to build in security; leveraging federal procurement to improve accountability; and exploring a federal cyber insurance backstop.

Pillar 4: Invest in a Resilient Future
In order to invest in a resilient future, the objectives involve securing the technical foundations of the Internet; reinvigorating federal research and development for cybersecurity; preparing for our post-quantum future; securing our clean energy future; supporting development of a digital identity ecosystem; and developing a national strategy to strengthen our cyber workforce.

Pillar 5: Forge International Partnerships to Pursue Shared Goals
The objectives for Pillar 5 are to build coalitions to counter threats to our digital ecosystem; strengthen international partner capacity; expand U.S. ability to assist allies and partners; build coalitions to reinforce global norms of responsible state behavior; and secure global supply chains for information, communications and operational technology products and services.

To realize the vision these pillars lay out, every person and every entity that transmits data in the United States needs to make fundamental shifts in how we allocate roles, responsibilities and resources in cyberspace. In realizing these shifts, we aspire not just to improve our defenses, but to change those underlying dynamics that currently contravene our interests.

So, what does all this mean for law firms? First, law firms can no longer assume their cybersecurity defenses are robust, or even merely adequate. According to the ABA, 27% of respondents to its 2022 Legal Technology Survey Report have experienced a security breach. Even if clients don’t force their hand in adopting new policies, procedures and protocols, new regulations will.

Everyone is on board with this. The recent White House workshop I was invited to was attended by some of the leading cybersecurity experts in the country from the public, private, corporate, academic, state, local, tribal, industrial, technical and legal areas. The newly outlined National Cybersecurity Strategy certainly means that all those parties in the data stream will see new regulations and new accountability for how they hold that data. There will also be an increase in business associates agreements and, therefore, a greater emphasis on what third parties are doing to protect client data.

In future articles, I’ll discuss in greater depth what the new emphasis on cybersecurity means for law firms, what they need to be aware of in this new era and how the five pillars can be used to create a solid foundation that benefits clients, attorneys and the entire national cybersecurity infrastructure.

In the next part of this four-part series, I will focus on threats such as ransomware and the need to defend critical infrastructure.
