Part 2: The Rise of Ransomware and Other Threat Actors

The recent wave of cybersecurity breaches at our country’s largest law firms makes it evident that the way the legal sector secures our digital assets must change. The White House’s National Cybersecurity Strategy (“NCS”) seeks to address this. In this series of articles, telecom veteran and legal tech CISO David Roberts offers his thoughts on what the NCS, its implementation strategy, its five pillars of cybersecurity structure, and the evolving threats it hopes to thwart, mean for law firms, their clients, and the future of law in the digital age.

Part 1 of this series explored the National Cybersecurity Strategy, its Five Pillars and why law firm leaders need to care.

When most attorneys think of cybersecurity, what often comes to mind are data breaches and ransomware—and that’s for good reason. In the last few months alone, major law firms such as Quinn Emanuel Urquhart & Sullivan, Bryan Cave Leighton Paisner, Gibson, Dunn & Crutcher, Loeb & Loeb and Orrick Herrington & Sutcliffe have all reported data breaches. The threat actors I mentioned in the first article are getting smarter, better and greedier. That’s why the first pillar in the White House’s National Cybersecurity Strategy is “defending critical infrastructure,” and the second is “disrupting and dismantling threat actors.”

Currently, regulatory gaps create an environment ripe for cybersecurity incidents, which is one reason the White House created the National Cybersecurity Strategy. And while this initiative is coming from the Biden Administration, it is not a political issue: This framework builds on the work of prior administrations, according to the White House. “It replaces the 2018 National Cyber Strategy but continues momentum on many of its priorities, including the collaborative defense of the digital ecosystem.” This is a regulatory issue and is designed to answer a glaring need in the market. Law firms, their clients and everyone else can expect to see historically federal cyber strategies and regulations start to flow down into the private sector, with new regulation inevitable.

This touches on several of the strategic objectives upon which the five pillars are built:

Pillar 4 (Invest in a More Resilient Future) seeks a standardized approach to investing in the cybersecurity of today while maintaining and upgrading to make future cybersecurity infrastructure as robust as possible. One strategic objective of this pillar focuses on standardization with a strong emphasis on security protocols. This includes migrating vulnerable public networks to systems using quantum-resistant cryptography.

Under Pillar 1 (Defend Critical Infrastructure), one strategic objective focuses on harmonizing and streamlining new and existing regulations. So, it’s helpful to consider this along with the recent EU-US Privacy Shield decision for regulatory alignment, under which personal data can flow freely from the EU to U.S. companies that participate in the Data Privacy Framework. These types of cybersecurity and privacy regulation will continue to grow and become more granular in definition and requirements. Enhancing collaboration is a theme throughout the National Cybersecurity Strategy.

But while law firms may be focused on minimizing the threats of ransomware, they are almost certainly not focusing on the right strategies. According to Verizon’s 2023 Data Breach Investigations Report, nearly three-quarters of data breaches involved the human element, such as social engineering attacks, errors or misuse. While this is an area that can be fixed, it requires ongoing investment and training. So, this represents an area where law firms need to focus their resources. One of the top returns on investment for cybersecurity defense is highly active security awareness training and exercises. This is also one of the lowest-cost initiatives and reasonably easy to deliver.

Leaders at many law firms now may be reading this and thinking of all the different training methods they have in place to counter threats from ransomware and other attacks. And in fact, 100% of firms with more than 100 attorneys have some type of training, according to the ABA’s 2022 Legal Technology Survey Report. However, many of those training programs are ineffectual at best, as demonstrated by the recent spate of law firm breaches.

Other law firm leaders may find the prospect of more training to be a daunting task. But taking effective, proactive steps doesn’t have to be expensive or complicated. There are currently many low-cost and even free resources available to address the challenges the White House has identified. For example, the Cybersecurity & Infrastructure Security Agency (CISA) provides resources such as “tabletop exercise packages,” which provide tools to conduct planning exercises on a wide range of threat scenarios. After all, the costs of failing to act are much higher–and will only become more expensive, as regulations increase. And law firms must also consider the threats to their partners and others they work with—in our next article, we will tackle the challenges of vendor management.

David Roberts recently completed a stint as the CISO for a legal technology startup with an access-to-justice social mission. David is a highly credentialed cybersecurity and security framework expert with entrepreneurial and C-level experience in multiple technical organizations spanning over 2 decades. Most recently, he achieved system-wide FISMA Moderate certification covering all security, compliance, and regulatory components for the companies winning part of the GSA EIS contract, a 15-year, $50 billion technology services contract (IDIQ) covering 37 technical categories. He holds multiple degrees including a MAR from Liberty University, MATS from American University of Biblical Studies, BBA from Clayton State University, and recent programs in Technology Leadership from Cornell University. He currently holds the following industry credentialing: CISSP, CCSP, SSCP, CAP, CSM®, CCP, & AZ-900.