Information Security News mailing list archives

In-House Cyber Security


From: InfoSec News <isn () C4I ORG>
Date: Wed, 21 Feb 2001 04:13:53 -0600

http://www.law.com/cgi-bin/gx.cgi/AppLogic+FTContentServer?pagename=law/View&c=Article&cid=ZZZG8HDWFJC&live=true&cst=1&pc=5&pa=0&s=News&ExpIgnore=true&showsummary=0

Corporate Counsel Must Plan Ahead to Minimize Risks of Data Security Breaches
Marc J. Zwillinger
Legal Times

February 21, 2001

Intrusion detection systems, penetration testing, network firewall
configuration -- as in-house counsel, it is a relief that you do not
have to understand, much less address, these issues.

After all, while you focus on minimizing your corporation's legal
responsibilities, you have a chief information officer (CIO) or a
chief information security officer (CISO), and a technology-savvy
Information Technology (IT) department to handle this area, right?

Wrong.

As your organization becomes increasingly reliant on technology, the
risks of cyber-incidents -- including computer penetrations, denial of
service attacks, and Web page defacements -- become more significant.

Simply put, as in-house counsel, you must become familiar with the
network security architecture and technology policies of your
organization. Without that knowledge, you may fail to recognize how
the organization may be exposed to serious security breaches, criminal
and civil litigation, and the spread of embarrassing and damaging news
to shareholders and the public.

As just one example, the configuration of your corporate network can
be an important factor in determining what foreign jurisdictions' laws
may apply to your information.

In light of the widespread deployment of efficient storage
technologies, corporate information may now be stored on the parts of
your network with the most available storage technology, regardless of
physical jurisdiction. Left to their own devices, the IT staff is not
likely to configure the corporate network in a way that takes into
account the relevant information security and data protection regimes
in all the jurisdictions traversed by the network. If your corporation
has proxy servers or backup storage located in Europe, information
stored on these systems may be subject to a variety of different
European data directives and may be accessible by foreign law
enforcement under unfamiliar rules.

Even more pressing than jurisdictional issues, however, is the need
for organizations with any Internet presence to adopt appropriate
computer incident response policies.

Why? If you haven't already, you will suffer an anomalous computer
incident, if not a full-blown computer penetration. If the Microsoft
Corp., a fairly security-conscious organization, can be penetrated by
hackers, it can happen to any organization with networked computers.

In light of the virtual certainty of such an occurrence, the failure
to adopt an appropriate incident response policy may result in
liability for the corporation and its board of directors.

Furthermore, because of the sophistication of computer networks and
technology, determining the correct way to respond to a specific
cyber-incident will not be intuitive. The first lesson learned by
those who have worked on these cases is that the initial detection of
an incident rarely provides enough clues to distinguish between the
actions of a curious teen-age hacker and a more nefarious
cyber-intruder acting on behalf of a corporate espionage agent or
nation-state. In either scenario, the consequences of responding
without thoughtful consideration, or not responding at all, can be
significant.

INHERENT DANGER

Consider the following fact pattern: Your IT department recognizes
some anomalous computer network traffic. Secure in the belief that no
one in the general counsel's office understands computer technology,
the IT staff investigates without consulting counsel. As part of the
investigation, they determine that a former employee, now working for
a competitor, has hacked into the corporate network. With computer
logs in hand, an IT staff member comes to your office and persuades
you that it is important to notify law enforcement immediately to
protect corporate trade secrets.

With the comforting presence of the IT department manager in the
office, you make the call. As soon as the law enforcement agent starts
asking questions, however, you discover that rather than reporting a
crime, you have just confessed to one because the IT staff discovered
the identity of the hacker by illegally intercepting electronic
communications or by hacking back into the perpetrator's computer.

Even where an internal investigation is done properly, the public
perception of your company in the wake of an incident can be even more
damaging than the computer penetration. Accordingly, any incident may
garner significant press attention, as did the February 2000 denial of
service attacks against major e-commerce providers including Yahoo,
eBay, and cnn.com.

In such circumstances, press relations officers or other senior
personnel should have sufficient technical competence to brief the
increasingly technically savvy press -- and thus, indirectly, your
shareholders and the financial analysts following your company -- in a
manner that preserves, rather than erodes, shareholder value and
investor confidence.

What does an incident response policy look like? Although such
policies will vary considerably across organizations, creating a basic
policy will require the following considerations:

Identifying the components of the incident response team. Because
incident response is a multidisciplinary process, the team should
consist of representatives from the counsel's office, the IT security
staff, the CIO or CISO, and people skilled in media and investor
relations. A crisis is no time for introductions, so this group should
meet periodically to ensure that members are familiar with the
organization's computer networks and understand who has access to the
network (including affiliates, strategic alliance partners,
subcontractors, and clients), where the information systems are
physically located, and what the specific provisions of a company's
acceptable use policy allow management to do when responding to an
e-crisis.

Defining events and actions requiring notification or disclosure. It
is difficult for professionals with years of experience in responding
to cyber-events to determine the appropriate response to an incident.
For people who have never done so, arriving at the right answer in a
crisis situation is virtually impossible.

Accordingly, the incident response policy should first identify
noncrisis IT events that require notification to the incident response
team. This will enable the team to gain experience in understanding
and analyzing computer incidents. In order to understand the magnitude
of an event, the team should have a basic familiarity with the amount
of normal traffic or "background noise" on the network.

Also, because the investigative activities of the IT staff can create
corporate liability, counsel should develop a working knowledge of the
organization's acceptable use and technology policies (as well as the
pertinent terms of employment and collective bargaining agreements) in
advance of a crisis to ensure that investigative activities are
consistent with the organization's existing policies and procedures.

Forming external reporting procedures and criteria. In the event that
the company chooses to report an incident to local or federal law
enforcement, the manner and method of the reporting should be
determined by the incident response policy.

Some companies will want decentralized reporting to allow local
personnel to develop strong personal relationships with local law
enforcement entities, provided that the counsel's office receives
notification or approves such contacts on an individual basis. Those
organizations wanting tighter control (and expecting fewer incidents)
might require counsel to handle all reporting centrally.

In either circumstance, the criteria for a reportable incident should
be established in advance, and such criteria must be consistent with
any obligations contained in industry specific regulations and those
required by the corporation's provider of cyber-risk or business
interruption insurance. Keep in mind, however, that any such
disclosures will likely make it difficult for the organization to
interpose attorney-client and work product privileges for information
developed in the course of the company's own internal investigation.

Similarly, notifying the apparent upstream source of a cyber-attack
must be done cautiously. If the upstream provider is the ultimate
source of the attack, a premature notification might eradicate any
possibility of obtaining evidence necessary to recoup civil damages or
criminal restitution.

If the upstream site is not the source, a premature notification will
result in the loss of executive control of the information surrounding
the incident while providing potentially embarrassing information to a
third party or competitor.

Specifying forensic response, outside counsel, and consultants.
Certain types of incidents, such as those involving theft of
proprietary information or significant damage to computer systems, are
more likely than others to result in civil or criminal litigation. In
such cases, a proper forensic response to a cyber-incident is
essential to preserve the evidentiary value of the computer evidence.

A crisis situation is not the time to select the forensic and legal
providers who will be contacted to preserve and analyze evidence and
provide legal advice and guidance. Where possible, incident response
providers should be selected and retained in advance, enabling the
providers of choice to clear any potential conflicts and to respond on
short notice. When this is not done, organizations often rely on their
existing counsel and security staff, who may not be trained in
forensic procedure and do not have experience in responding to
computer intrusions. Additionally, in circumstances where current or
former members of an organization's IT staff are the targets of an
internal investigation (a frequent scenario), using outside
consultants is advisable.

Obviously, a comprehensive incident response policy cannot provide a
response-by-the-numbers approach for each and every electronic crisis.
There is no substitute for the analysis and judgment accumulated over
time by experienced in-house personnel, consultants, and outside
counsel. Nevertheless, a detailed incident response plan is an
essential strand of the policy web that serves to shield an
organization's networks and information infrastructure and to provide
organizations with tools to efficiently investigate potentially
hostile cyber-events.


Marc J. Zwillinger is a partner at Kirkland & Ellis in Washington,
D.C., and an adjunct professor of cyberlaw at Catholic University's
Columbus School of Law. Before joining Kirkland & Ellis, he was a
trial attorney with the U.S. Department of Justice Computer Crime and
Intellectual Property Section. He is also the legal instructor for
Foundstone's (www.foundstone.com) one-day continuing legal education
course for in-house counsel, "Understanding Cyber Attacks: Hands-On."

ISN is hosted by SecurityFocus.com