The recent wave of cybersecurity breaches at our country’s largest law firms makes it evident that the way the legal sector secures our digital assets must change. The White House’s National Cybersecurity Strategy (“NCS”) seeks to address this. In this series of articles, telecom veteran and legal tech CISO David Roberts offers his thoughts on what the NCS, its implementation strategy, its five pillars of cybersecurity structure, and the evolving threats it hopes to thwart, mean for law firms, their clients, and the future of law in the digital age.

Part 3 of this series considered vendor management.

In our earlier three articles on cybersecurity for law firms and their clients, we’ve taken a close look at the White House’s National Cybersecurity Strategy and its five pillars, how attorneys and their firms are arming themselves against breaches (or in many cases, aren’t) and the best practices for so doing.

However, one of the tenets of the new cybersecurity strategy is that there’s an urgency in preparing existing systems and technology for the threats and challenges we are about to face. One of the goals of this series is to prepare law firms for the changes that are on the horizon, particularly as more firms and clients become global and data is moved around the world. Those are just some of the reasons that several of the five pillars focus on this: For example, Pillar 4 calls for Investing in a Resilient Future and Pillar 5 involves Forging International Partnerships to Pursue Shared Goals.

Preparing for the Future
Among the strategic objectives for Pillar 4 are to prepare for the post-quantum future. So, what does that mean? According to the National Cybersecurity Strategy, “Strong encryption is foundational to cybersecurity and global commerce. It is the primary way we protect our data online, validate end users, authenticate signatures, and certify the accuracy of information.” Law firms, like many other organizations, have relied on encryption to achieve these goals. But the rise in quantum computing means that some of these encryption standards can be broken.

What We Talk About When We Talk About Post-Quantum Computing
Post-quantum computing has emerged as a pivotal frontier in the rapidly evolving landscape of information technology. As traditional cryptographic methods face potential vulnerabilities in the advent of powerful quantum computers, the concept of post-quantum computing seeks to develop new encryption techniques that can withstand the quantum computational prowess. At its core, post-quantum computing represents a paradigm shift from classical computing approaches. While conventional computers rely on binary bits to process information, quantum computers leverage quantum bits or qubits, which can exist in multiple states simultaneously, enabling exponential computational speed-ups. This transformative potential, however, poses a significant challenge to current cryptographic systems, as quantum computers could potentially crack encryption algorithms that safeguard sensitive data.

Post-quantum computing endeavors to construct encryption methods that are resilient to quantum attacks. These cryptographic systems draw inspiration from diverse mathematical principles, such as lattice-based cryptography, code-based cryptography, and multivariate polynomial cryptography, among others. These novel approaches aim to create encryption techniques that remain secure even in the face of quantum computing’s computational prowess.
As our digital world becomes increasingly interconnected, the integrity and confidentiality of data become paramount. Post-quantum computing represents a crucial endeavor in ensuring that our digital infrastructure remains robust and resilient against emerging threats. By developing encryption methods impervious to quantum attacks, post-quantum computing pioneers the path to a secure and sustainable digital future. That includes the development of AES, or Advanced Encryption Standard, to replace the outdated DES, or Data Encryption Standard. AES, which offers far greater security, is the brainchild of two Belgian cryptographers, who created it in response to a National Institute of Standards and Technology (NIST) request in 1997 for candidates to replace DES.

This also poses new questions of the timeline for post-AES or post quantum encryption to be created (if it hasn’t been done already), whether the U.S. government will create or solicit this in similar fashion and whether it will it take 20 years to need a new encryption baseline at the pace of current computing horsepower. After all, it appears tat the National Security Agency (NSA) is already developing post-quantum cryptography algorithms, with limitations.

Managing Threats From Overseas
While it’s vital to monitor developments by the U.S. government, cybersecurity threats obviously don’t recognize boundaries, which is why Pillar 5 is focused on international partnerships. And it’s an area that law firms and their clients will also need to focus on in the post-quantum future. As we discussed in the last article, vendor management will be a critical component of this. One of the strategic objectives of Pillar 5 is to secure global supply chains for information, communications and operational technology products and services.

NIST also offers resources around Cybersecurity Supply Chain Risk Management or C-SCRM, which is a key aspect of supporting this pillar. According to NIST, C-SCRM should be part of an organization’s overall risk management approaches, including identifying and assessing possible risks and determining appropriate response actions. NIST recently updated Special Publication 800-53, “Security and Privacy Controls for Information Systems and Organizations,” to include two new control families: Personally Identifiable Information Processing and Transparency and Supply Chain Risk Management. SCRM is historically in most major federal contracting opportunities, but NIST recently caught up to the supply chain issue with 800-53 rev.5. This is now pushed out federal wide as the baseline control for most System Security Plans (SSPs).

The Rise of New Regulations
It’s not just the United States exploring new regulations. The General Data Protection Regulation (GDPR), a milestone in data protection, was enacted by the European Union (EU) in May 2018 to fortify individuals’ privacy rights and regulate the processing of personal data. GDPR embodies a comprehensive framework aimed at empowering individuals with control over their personal data and enhancing transparency in how organizations, like law firms, handle this data. The primary rationale behind GDPR lies in addressing the digital age’s rapid proliferation of data, which has sparked concerns about potential misuse, breaches and unauthorized access. GDPR applies extraterritorially, meaning that any organization, regardless of its physical location, that processes EU citizens’ personal data is bound by its provisions. For American law firms conducting business overseas, GDPR imposes significant implications. In an era of global connectivity, law firms frequently manage client data that could involve EU citizens.

GDPR demands meticulous adherence to stringent data protection measures, necessitating enhanced security protocols, transparent data processing practices and timely breach notifications. By embracing GDPR’s principles and aligning their practices, law firms can reinforce their commitment to safeguarding data privacy while seamlessly conducting business across borders. In essence, GDPR heralds an era where the protection of personal data transcends geographical boundaries and becomes a universal hallmark of responsible data management.

The International Association of Privacy Professionals (IAPP) has also developed the Privacy by Design framework, which seeks to infuse privacy considerations into the very fabric of product and service design. By integrating privacy principles from the outset, the Privacy by Design framework ensures that data protection becomes an inherent and inseparable component of technological advancements. The Organization for Economic Cooperation and Development (OECD) has emerged as a pivotal player in shaping data privacy on a global scale. The OECD has crafted guidelines for the protection of personal data, setting forth a comprehensive framework for the responsible collection, utilization and safeguarding of personal information. These guidelines serve to harmonize practices across borders and promote a universal commitment to data protection.

The combined efforts of organizations like the IAPP and OECD underscore the urgency of prioritizing data privacy in an interconnected world. As technology continues to reshape the boundaries of human interaction, these guidelines propel the development and deployment of data-driven innovations while safeguarding the fundamental rights of individuals. By adhering to these best practices, law firms that practice globally can embrace data privacy as a cornerstone of their operations, fostering trust, accountability and security in a digital age.

Global law firms face their own challenges when it comes to both managing potential cyber threats as well as regulations. Along with the biggest of firms, though, smaller firms with smaller clients should also be working to get ahead of the coming regulatory curve by voluntarily meeting or exceeding current requirements.

Over these last four articles, we’ve taken a deep dive into the current and future state of cybersecurity, national and international regulations, what law firms need to know–and why they need to care. While the issues around cybersecurity may seem daunting, there are many available resources and guidances to help law firm attorneys navigate this ever-changing landscape. And law firms need to start planning now, before these regulations are finalized, so they aren’t caught unprepared and uninformed, and even worse, vulnerable to attacks.

David Roberts recently completed a stint as the CISO for a legal technology startup with an access-to-justice social mission. David is a highly credentialed cybersecurity and security framework expert with entrepreneurial and C-level experience in multiple technical organizations spanning over 2 decades. Most recently, he achieved system-wide FISMA Moderate certification covering all security, compliance, and regulatory components for the companies winning part of the GSA EIS contract, a 15-year, $50 billion technology services contract (IDIQ) covering 37 technical categories. He holds multiple degrees including a MAR from Liberty University, MATS from American University of Biblical Studies, BBA from Clayton State University, and recent programs in Technology Leadership from Cornell University. He currently holds the following industry credentialing: CISSP, CCSP, SSCP, CAP, CSM®, CCP, & AZ-900.