Law in the Internet Society
-- ScottYakaitis - 22 Dec 2014

What Lawyers Need to Know

“Knowledge is power” is a sentiment uttered by Francis Bacon ages ago that has, if anything, only become more true. Though perhaps it could use a slight update: information is power. Having inside information on mergers, government permits, patent application statuses and the like could make someone millions, or destroy a company. It is no surprise, then, that gaining this sort of information is heavily regulated both by law and by corporate security. Given the inherent value of all of this information, it is equally unsurprising that hacking is extremely common. Corporations are paying billions of dollars to fight these threats to corporate security. One study found that the average company surveyed spent nearly 10 million dollars a year fighting electronic infiltration. Yet, according to some experts quoted in that article, simply showering corporate funds on the problem won't ever completely close up the threat. Companies are still vulnerable to attack.

There have been a few high-profile hacks recently. One is of particular interest. Hackers, using perfect English and financial jargon, are sending e-mails to top-tier executives in the financial, biotech and medical industries. But executives haven't been the only targets. Lawyers who work directly with these companies have been targeted as well. What is particularly clever about this group of hackers is that they have brought “phishing” to a higher level. They send seemingly legitimate business concerns precisely tailored to the individual target. Instead of the broad Nigerian Prince scam, these guys, dubbed FIN4, have done their homework.

Crypto, a field I've recently been exposed to, has developed countermeasures to hacks. While I vaguely understand why the complex processing of two huge primes is an effective means of encrypting data, hacks that employ the breaking of encrypted data are not something I would be equipped to fight. However, breaking these codes isn't the only avenue of attack hackers have to gain access to information. What was particularly clever about the FIN4 hackers, according to authorities, is that they always found the weakest spot to attack in terms of actual processing power. From there, they would then use impersonation and spycraft to catch their targets.

Lawyers are supposed to be keepers of secrets. Once upon a time, that simply meant being relatively tight-lipped and making sure no one could physically break into an office and steal documents. Now, many more threats come from the internet. Lawyers, unfortunately, are not the most tech-savvy people. Luckily for lawyers, there is relatively easy-to-use encryption software available. But that's only half the battle. These hackers didn't need to break the best encryption; they just needed to find someone who knew the target and was using weak encryption, pose as that person, and they had an in.

What then do we need to do as lawyers to fight this problem? The first step is to actually learn spycraft. Given that lawyers are expected to keep clients' secrets, we should teach more effective methods of doing so. Every law student, along with classes on professional ethics, should be required to take basic classes on spycraft and secret keeping. For us, being able to tell when a client is being impersonated via e-mail should be absolutely vital to our practices. We cannot expect to rely on expensive cyber-security companies to block out every threat. One, they will not be 100% effective. Two, if we are not working at a major firm we will not be able to afford wildly expensive cyber-security.

This brings me back to the technical side of the equation. GNU encryption is a good start but won't be enough to solve all of a practice's cyber-security needs, especially after going into a smaller (non-mega firm) practice. What then is the most effective way to help create good security even for a small firm? While I know that building and setting up my own servers is a good start, it's just that, a good start. Ideally law school would teach server setup to all of its students, but that seems even less likely to happen than spycraft classes.

The best place to turn, then, is perhaps the wide community interested in effective cyber security. Cities like New York, which have a vested interest in community learning, have set up a variety of community-based skill shares specifically designed to help individuals gain knowledge that might be outside of their ballpark. Those who have this knowledge and are willing to teach at various hackspaces could be counted as allies in gaining insights into how to set up effective security.

The paranoid among us might wonder: but how can we trust these people? Maybe they are trying to give us just enough information so that we keep most people out, but not them. Well, that brings us back to learning good spycraft, because you can't necessarily trust these people to help you. And perhaps you'll need to put the information together piecemeal.

We live in a more connected, open world. That means keeping secrets is increasingly difficult. Good lawyers must be trained in ways to do this, and both law schools and individual practitioners ought to take note.

I don't think a required law school course on spycraft would work out very well. Among other things, I believe there is by no means a sufficient corps of teachers, and I don't think they will be easily hired by the incumbents.

Perhaps you might ask this instead: which are the ancillary skills that lawyers should be taught in law school? Courses in information technology are necessary in business school. Are they also necessary in law school, and if so, how should the subject be taught? For a generation, law schools like this one assumed that their graduates would be well-paid office workers who really didn't have to graduate with any particular skills at all, which was nice for the teachers. Now, everyone graduating should be taught how to create, maintain and grow a law practice. Evidently some ancillary skills are needed.

But it's not that big a deal. An "IT for law practice" course that wasn't about selling iPads and did pay some attention to data security in practice, among other issues, would not be hard to devise or difficult to take.

This phishing that you are so impressed by is---as you gather---just social engineering for industrial espionage. It's quite old, really, and the people you would suspect of doing it are indeed the people doing it. Want to be completely immune? Just use a different mail reading program than the one you use right now. No one phishes me, no matter how clever the text, because I can't click on a link I haven't seen the URL of, which means that any URL pointing anywhere other than where I think I mean to go I won't ever go to. Also, if, as I suggested, you have installed the NoScript extension in your browser, which should be Firefox, you have pretty much eliminated your likelihood of acquiring malware from a phishing mail. Problem solved. Unless the spies phishing you try something completely different.



r2 - 04 Jan 2015 - 20:16:41 - EbenMoglen
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.