University of Virginia School of Law


The more sophisticated perpetrators often knocked on the biggest doors twice, a tactic now known as double extortion – demanding one payment to restore system functionality and a second to prevent a public dump of the stolen data.

When responding to an attack, a select few attorneys bring advanced technical qualifications, but most attorneys hold the 30,000-foot view.

“It could be a call in the middle of the night,” said Web Leslie ’19, an associate at Covington, a Washington, D.C., law firm, specializing in privacy and cybersecurity. “But in general we are used to managing the bigger picture.”

In addition to recommending how and when to notify authorities, attorneys must “assess the broader risks of an attack, including cases where the information in the breach could affect other sensitive parts of the company,” Leslie said. Attorneys can also help organizations develop formal response plans so executives know what steps to take in the future. Lawyers and IT professionals can then run “tabletop exercises” that rehearse a company’s reaction by walking through the plan against a simulated incident.

Not that anything ever goes exactly according to plan, said Leslie.

A breach can, among other things, lead to government enforcement actions and to litigation. “These risk categories can create significant financial, brand, and distraction risks,” Woods and co-authors state in a chapter in the book Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers.

In the worst case scenario, the result could be bankruptcy.

Seen in this light, the pull toward not disclosing a breach is strong for many company leaders. All 50 states have some form of data breach notification requirement tied to the exposure of consumer personal information. However, an alumnus who spoke on background noted that the extent of a breach is often ambiguous, so it is unclear whether the notification requirement has been triggered. Still, he said, if a company’s day-to-day operations cease because of an attack, there is no ambiguity; notice has, in effect, already been given.

LARGE ORGANIZATIONS need to change their attitudes toward cyberattacks, said Jake Olcott ’05, vice president of communications and government affairs at BitSight. The cybersecurity ratings service analyzes the security performance of more than 40 million companies, government agencies and educational institutions, enabling its customers, including Lowe’s and AIG, to assess the risk of doing business with them.

“This is not just a technical problem; it is often a fundamental governance issue,” said Olcott, who early in his career served as a cybersecurity advisor on US House and Senate committees. “I would be delighted if our alums really took up this challenge. Whether you are general counsel, CEO or board member, it is ultimately your responsibility.”

While IT may be best positioned to apply the latest security patch quickly (patching cadence, Olcott says, is a key indicator of whether a company will fall victim to ransomware), it is the executives who decide program funding, reporting structures and the like.

In fact, Olcott’s company makes it harder for C-suites to be lazy.

“We literally collect hundreds of billions of billions of corporate security incidents every day,” said Olcott. “BitSight makes our data available to insurance companies, and the insurance companies use this data during the underwriting process. If they see a concern, they can reach out to the company and say, ‘We really think you should take a look.’”

How does the company get its information? Olcott compared the service to a consumer credit report: “All of our data is externally observable. At no point do I, as a consumer, send information to the rating agency.”

Instead, BitSight probes for system weaknesses much as attackers do: “In many situations we are able to identify the vulnerability of a system by making some very basic interactions with that system – browsers, operating systems, software in particular on the network.”

The company also operates the largest sinkhole network in the world: servers that stand in for attacker infrastructure and intercept the traffic that malware sends to it.

“Often times, when a bad guy tries to break into your network, they’ll send a spear phishing email,” said Olcott. “When the malware is downloaded, the first thing it tries to do is send back a beacon that says, ‘I’m in. What should I do next?’ A sinkhole intercepts this communication. When a bad guy sends one of these spear phishing emails, the link often includes a contact address. They have so many of these addresses that they sometimes forget to re-register them. When this address expires, anyone can take over and register these websites. We have taken over many addresses that used to belong to villains.”
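The exchange Olcott describes, an implant checking in with a domain the attacker let lapse and a defender now answering from that domain, looks like this in code. This is an added illustration written for this page, not BitSight’s software. It runs a minimal HTTP sinkhole that records every check-in and deliberately answers with an empty response, so the implant never receives anything it could interpret as tasking. The beacon request, the domain expired-c2.example and the client address 203.0.113.7 are constructed sample data, and the parser lets the same logging be replayed offline over captured beacons.

```python
"""Minimal HTTP sinkhole for a re-registered C2 domain (illustrative, not BitSight code)."""
import time
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional


@dataclass
class BeaconRecord:
    """One check-in from an infected host, as seen by the sinkhole."""
    ts: float
    src_ip: str      # the victim's public address: the key fact for notification
    host: str        # which taken-over domain the implant was talking to
    method: str
    path: str
    user_agent: str
    body_len: int    # implants often post host info here; we never act on it


# In-memory log of check-ins; a real deployment writes these to durable storage.
BEACONS: List[BeaconRecord] = []


def record_beacon(rec: BeaconRecord) -> None:
    BEACONS.append(rec)


def victims() -> Dict[str, int]:
    """Count check-ins per source address, the list a sinkhole operator hands to victims."""
    counts: Dict[str, int] = {}
    for rec in BEACONS:
        counts[rec.src_ip] = counts.get(rec.src_ip, 0) + 1
    return counts


def parse_beacon(raw: bytes, src_ip: str) -> Optional[BeaconRecord]:
    """Parse one raw HTTP beacon (e.g. replayed from a capture) into a BeaconRecord.

    Returns None for traffic that is not HTTP at all; binary or TLS-wrapped C2
    protocols need their own listener and are out of scope here.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("latin-1").split("\r\n")
        method, path, _version = lines[0].split(" ", 2)
    except (UnicodeDecodeError, ValueError, IndexError):
        return None
    if not _version.startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return BeaconRecord(
        ts=time.time(),
        src_ip=src_ip,
        host=headers.get("host", ""),
        method=method,
        path=path,
        user_agent=headers.get("user-agent", ""),
        body_len=len(body) if sep else 0,
    )


class SinkholeHandler(BaseHTTPRequestHandler):
    """Accept any method, log the check-in, and reply with an inert empty response."""

    def _sink(self) -> None:
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""  # drain so the socket closes cleanly
        record_beacon(BeaconRecord(
            ts=time.time(),
            src_ip=self.client_address[0],
            host=self.headers.get("Host", ""),
            method=self.command,
            path=self.path,
            user_agent=self.headers.get("User-Agent", ""),
            body_len=len(body),
        ))
        # 204 with no body: nothing here can be mistaken for a command from the operator.
        self.send_response(204)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_PUT = _sink

    def log_message(self, *args) -> None:  # keep stdout quiet; BEACONS is the record
        pass


# Constructed sample beacon: what a simple implant might send to its (now sinkholed) domain.
SAMPLE_BEACON = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: expired-c2.example\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n"
    b"Content-Length: 23\r\n"
    b"\r\n"
    b"id=WIN-7QK2&cmd=checkin"
)

if __name__ == "__main__":
    rec = parse_beacon(SAMPLE_BEACON, "203.0.113.7")  # offline replay of the sample
    if rec is not None:
        record_beacon(rec)
    print("victims so far:", victims())
    # Point the taken-over domain's DNS at this host and listen; Ctrl-C to stop.
    HTTPServer(("127.0.0.1", 8080), SinkholeHandler).serve_forever()
```

The important design choice is the empty 204 reply: a sinkhole exists to observe and to starve the implant of instructions, so it must never echo data or return anything that a C2 client could parse as a command. The per-IP tally from victims() is what lets the operator warn the organizations that own those addresses.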

In September, risk assessment firm Moody’s became the majority shareholder in BitSight, raising the profile of both companies as they collaborate on new offerings. BitSight is just one of many corporate efforts to address data vulnerability. Olcott said until the government can act to improve the situation, “businesses are on their own these days.”

CYBERCRIME LAW AND POLICY at the federal level has struggled to keep up with trends over the past decade, let alone with real-time threats. Prosecutors find themselves in a position rare for other types of crime: the culprits are often beyond the reach of the US and its allies.

One alumnus who spoke on background said that the authorities need to find more effective ways to stop the flow of money. As with an invasive plant, the problem will not end until the government can cut the vine off at the root.

The Treasury Department first warned last year that intermediaries who facilitate ransomware payments risk sanctions penalties, but that policy could prove difficult to enforce, since no law prohibits a victim or its insurer from paying a ransom. Legislators acknowledge that an outright ban on payments could be fatal for some exposed companies.

Rival nations make law enforcement efforts difficult. Russia is perhaps the most notorious of the foreign powers that offer “black hats” a safe haven – as long as their illegal hacking does not target the motherland. Russia, itself a formidable cyber adversary, has been blamed for the recent SolarWinds breach, in which a trojanized software update planted backdoors in the systems of US government agencies and of the private companies that shared the same software supply chain. But Russia is far from alone.

The US and its allies called out China and an affiliated group, Hafnium, in July over the Microsoft Exchange hack. The vulnerabilities allowed the attackers to snoop on defense contractors and universities, as well as small and medium-sized businesses and local governments. The same vulnerabilities were later exploited by ransomware operators.

https://www.law.virginia.edu/uvalawyer/article/cyberinsecurity