Part 1: Cybersecurity—What Law Firms Need to Know Now, From a CISO in the Know

The recent wave of cybersecurity breaches at our country’s largest law firms makes it evident that the way the legal sector secures our digital assets must change. The White House’s National Cybersecurity Strategy (“NCS”) seeks to address this. In this series of articles, telecom veteran and legal tech CISO David Roberts offers his thoughts on what the NCS, its implementation strategy, its five pillars of cybersecurity structure, and the evolving threats it hopes to thwart, mean for law firms, their clients, and the future of law in the digital age.

Surely every law firm leader knows they should be doing something about cybersecurity—and many of them believe they are doing enough. In fact, nearly 75 percent of law firm leaders think they are more or much more secure than their industry peers, according to recent study by the International Legal Technology Association and Conversant Group, “Security at Issue: State of Cybersecurity in Law Firms.” Yet according to that same report, “…the detailed results demonstrated significant security gaps across firms of all sizes.”

So, it’s time for law firms to double check their cyber sophistication and cyber readiness. Their clients and the federal government are starting to demand much more from everyone—including law firms. And I can vouch for the seriousness of these demands—earlier this summer, I was invited to the White House by the Office of the National Cyber Director (ONCD), the executive office which advises the president on cybersecurity and policy, to participate in the Technical Workshop on Space Systems Cybersecurity.

The ONCD workshop is part of the White House’s ongoing efforts to identify gaps in U.S. cybersecurity policies and systems and prepare plans for tangible next steps to remedy those gaps in support of their National Cybersecurity Strategy. The report, released in March 2023 as a continuation of efforts started by previous administrations, aims to coordinate cybersecurity strategy and usher in a concentrated and centralized approach to cybersecurity.

It’s become obvious that tech has moved faster than the current systems that regulate it and that the regulations need to catch up. And catch up quickly. The new approach by the federal government almost certainly means that all parties in the data stream—which is to say, anyone who possesses or has access to data, including and perhaps especially law firms—are going to see new regulations and new accountability for how they hold that data.

The National Cybersecurity Strategy rests on five pillars, all of which will affect law firms.

Pillar 1: Defend Critical Infrastructure
There are several strategic objectives involved with Pillar 1, including establishing cybersecurity requirements to support national security and public safety; scaling public-private collaboration; integrating federal cybersecurity centers; updating federal incident response plans and processes; and modernizing federal defenses.
According to Verizon’s most recent annual Data Breach Investigations Report, 74% of breaches involved the human element, which includes social engineering attacks. That’s actually good news, since these types of attacks are readily fixable. One of the top returns on investment for law firms is highly active Security Awareness Training and exercises within an organization. This is also one of the lowest cost initiatives and reasonably easy to deliver.

Pillar 2: Disrupt and Dismantle Threat Actors
The strategic objectives for this pillar involve integrating federal disruption activities; enhancing public-private operational collaboration to disrupt adversaries; increasing the speed and scale of intelligence sharing and victim notification; preventing abuse of U.S.-based infrastructure; and countering cybercrime and defeating ransomware.

And the threat is serious; the FBI noted earlier this year in its request for increased funding for cybersecurity, that it “has seen a wider-than-ever range of cyber actors threaten Americans’ safety, security, and confidence in our digitally connected world. Cyber-criminal syndicates and nation-states continue to innovate and use unique techniques to compromise our networks and maximize the reach and impact of their operations…”

Pillar 3: Shape Market Forces to Drive Security and Resilience
Strategic objectives here seek to foster market compliance by balancing burdens and potential liabilities on software developers and services (including law firms) that maintain inadequate cybersecurity and data security practices. Objectives include holding the stewards of our data accountable; driving the development of secure Internet of Things (IoT) devices; shifting liability for insecure software products and services; using federal grants and other incentives to build in security; leveraging federal procurement to improve accountability; and exploring a federal cyber insurance backstop.

Pillar 4: Invest in a Resilient Future
In order to invest in a resilient future, the objectives involve securing the technical foundations of the Internet; reinvigorating federal research and development for cybersecurity; preparing for our post-quantum future; securing our clean energy future; supporting development of a digital identify ecosystem; and developing a national strategy to strengthen our cyber workforce.

Pillar 5: Forge International Partnerships to Pursue Shared Goals
The objectives for Pillar 5 are to build coalitions to counter threats to our digital ecosystem; strengthen international partner capacity; expand U.S. ability to assist allies and partners; build coalitions to reinforce global norms of responsible state behavior; and secure global supply chains for information, communications and operational technology products and services.

To realize the vision these pillars lay out, every person and every entity that transmits data in the United States needs to make fundamental shifts in how we allocate roles, responsibilities and resources in cyberspace. In realizing these shifts, we aspire not just to improve our defenses, but to change those underlying dynamics that currently contravene our interests.

So, what does all this mean for law firms? First, law firms can no longer assume their cybersecurity defenses are robust, or even merely adequate. According to the ABA, 27% of respondents to its 2022 Legal Technology Survey Report have experienced a security breach. Even if clients don’t force their hand in adopting new policies, procedures and protocols, new regulations will.

Everyone is on board with this. The recent White House workshop I was invited to was attended by some of the leading cybersecurity experts in the country from the public, private, corporate, academic, state, local, tribal, industrial, technical and legal areas. The newly outlined National Cybersecurity Strategy certainly means that all those parties in the data stream will see new regulations and new accountability for how they hold that data. There will also be an increase in business associates agreements and, therefore, a greater emphasis on what third parties are doing to protect client data.

In future articles, I’ll discuss in greater depth what the new emphasis on cybersecurity means for law firms, what they need to be aware of in this new era and how the five pillars can be used to create a solid foundation that benefits clients. attorneys and the entire cybersecurity national infrastructure.

In the next part of this four-part series, I will focus on threats such as ransomware and the need to defend critical infrastructure.

David Roberts recently completed a stint as the CISO for a legal technology startup with an access-to-justice social mission. David is a highly credentialed cybersecurity and security framework expert with entrepreneurial and C-level experience in multiple technical organizations spanning over 2 decades. Most recently, he achieved system-wide FISMA Moderate certification covering all security, compliance, and regulatory components for the companies winning part of the GSA EIS contract, a 15-year, $50 billion technology services contract (IDIQ) covering 37 technical categories. He holds multiple degrees including a MAR from Liberty University, MATS from American University of Biblical Studies, BBA from Clayton State University, and recent programs in Technology Leadership from Cornell University. He currently holds the following industry credentialing: CISSP, CCSP, SSCP, CAP, CSM®, CCP, & AZ-900.