Why Every CIO Should Have a Cybersecurity Attorney

Every day, the digital world expands by leaps and bounds, and someone could be taking advantage of your company’s information to commit illegal or unethical actions. Today, many crooks are using the Internet to disguise their identity. It can be challenging to protect your company from outside attacks. A high-quality cyber lawyer has the experience to advise businesses as to the reasonable steps to take to avoid becoming a victim and to be protected from within.

Differentiating technical specialists from those responsible for legal responsibilities and hazards enables businesses to create more effective breach response strategies. Understanding the function of a third-party cybersecurity company can aid in this process.

Cybersecurity has always been one of the primary concerns of chief information officers (CIOs). Since the number of high-profile hacks seems to increase month after month, security is plaguing Information Technology (IT) executives throughout the workday.

What is a CIO?

The Chief Information Officer, known as the CIO, holds the top technical position within a given organization. A CIO is responsible for managing, implementing, and using information and computer technologies. Because technology is increasing and reshaping industries globally, the role of the CIO has increased in popularity and importance.

The CIO analyzes how various technologies benefit the company or improve an existing business process and then integrates a system to realize that benefit or improvement.

This person makes crucial business decisions concerning the organization’s technological strategy and interfaces with other C-level executives to communicate needs, processes, and progress. One role of the CIO is to provide an executive-level interface between the technology department and the rest of the business.

What is a Cyber Security Attorney?

Cybersecurity attorneys typically advise on implementing strategies to meet state, federal, and international legal requirements. They may also represent clients before regulatory bodies and serve as the quarterback and crisis manager during incident response to mitigate loss and guide toward compliance with the law.

A cybersecurity attorney must be knowledgeable about fundamental cybersecurity laws in order to contribute effectively to the company’s operations. These laws include:

  • Electronic Communications Privacy Act
  • Homeland Security Act
  • Cybersecurity Information Sharing Act of 2015
  • Federal Trade Commission Act
  • Laws on data breach notification
  • Applicable sector-specific state and federal laws

Additionally, the cybersecurity attorney must have a firm grasp of privacy legislation, or at the very least be familiar with it. Privacy regimes set obligations to enhance data security since security is necessary for data to stay private.

A cybersecurity attorney should be bilingual in both legal and technological language. Oftentimes, a critical function of such an attorney is to convert legal requirements into design requirements and comprehend technical specifics. As a result, the attorney must grasp the fundamentals of technology or possess a genuine interest and desire to study.

Cyber Security Attorney as a Need

When you don’t have an experienced professional to help protect your company from an inside attack, you subject your operations to a higher level of risk. It’s better to hire a specialist today than at the moment you find out you’ve been compromised.

Many crooks rely on attacks from abroad to gain access to U.S. corporations. Law firms with a reputation for solid cybercrime protection have the upper hand when defending their clients. This is why every CIO should have a comprehensive cyber defense attorney to advise them. When it comes to demonstrating in court that a corporation’s security has been compromised despite implementing reasonable security controls, a professional cyber law firm is more likely to be able to fight back and win. If a cyber crimes attorney does not represent you, you may never know.

A skilled cybercrime attorney can help them get that understanding. They are more likely to know what to ask in court and potentially defeat the government’s case against the company. It can be an expensive process to fight a cyber case. However, the outcome could mean the difference between accepting a settlement or paying big money to defend against an action. Every CIO needs to make sure their law firm is fully staffed to handle cyber cases. The best ones will be located in cities with thriving cybercrime defense attorneys.

The Internet has created a world where criminals can create a fake Twitter account to impersonate a famous person. They can use burner accounts to send emails to spammers. There are even some who use false identity information to try to trick people into opening bank accounts or PayPal accounts under pretenses. An experienced law firm can make these and other cases stick. When cases do make it through the system, the attorney representing the company will know when they have a winning situation.

A good CIO will be aware of the need for an experienced lawyer who can work on cyber cases. Because cyber crimes often involve stealing information, the information may need to be presented as evidence in court. It may mean the company’s entire network should be checked, from top to bottom and back up. In this kind of scenario, an ounce of prevention is worth a pound of treatment. Any company that fails to put in the necessary time and resources to protect itself is putting itself at risk of getting sued.

For a cyber law firm to win its cases, it must also put its client’s interests on the same level as its own. Any information that is stolen or misused needs to be appropriately represented. That means management must train every employee on how to treat documents over the Internet and on any of the company’s computer systems. A good lawyer will also work closely with the IT department to stop any unauthorized access to the company’s computers.

When a CEO realizes that they may be subjecting their companies to cyberattacks, the company’s CIO and cybersecurity attorney should help them out. Law firms should work hard to track down every instance of cybercrime they are liable for, not just the common ones. Every person should know how to prepare defenses in cyber cases. Every business should have an IT department that can track down any attacks when they do happen.

To know what you need for your cybersecurity attorney, contact Metaverse Law today and learn more.

Strengthening the U.S. Government Supply Chain: Cybersecurity under Executive Order 14028

Image Credit: Michael Jowen from Unsplash.

U.S. government agencies have a reputation for occasionally clinging to outdated technology. Some illustrative examples include the U.S. Department of Defense (DoD) paying Microsoft $9 million to continue supporting the defunct Windows XP in 2015 and a U.S. Government Accountability Office (GAO) report from 2019 documenting multiple agencies using legacy systems with 8 to 50-year-old components. In its findings, the GAO unsurprisingly concluded that such legacy systems using outdated or unsupported software languages and hardware pose a cybersecurity risk.

In the wake of the SolarWinds, Microsoft Exchange, and Colonial Pipeline security incidents that impacted U.S. government agencies and/or U.S. critical infrastructure, President Biden issued Executive Order 14028 to update minimum cybersecurity standards for all software sold to the federal government and throughout the supply chain.

Existing Requirements under FedRAMP, DFARS, and CMMC

The new obligations arising out of Executive Order 14028 add to existing security regulations for certain government contractors and subcontractors.

The Federal Risk and Authorization Management Program (FedRAMP) oversees the safe provisioning of cloud products and services from a Cloud Service Provider (CSP) to any government agency. As part of the FedRAMP authorization process, an accredited Third-Party Assessment Organization (3PAO) assesses the CSP’s controls under NIST SP 800-53, a security framework for federal government information systems. The 3PAO also assesses additional controls above the NIST baseline that are unique to cloud computing.

Contractors who supply products or services specifically to the DoD are subject to the Defense Federal Acquisition Regulation Supplement (DFARS). The DFARS standards establish compliance with fourteen groups of cybersecurity requirements under NIST SP 800-171, meant to protect Controlled Unclassified Information (CUI).  

In November 2020, the DoD released the Cybersecurity Maturity Model Certification (CMMC) framework, which builds upon DFARS. Contractors undergo an audit by a CMMC Third Party Assessment Organization (C3PAO), which issues a certification for the contractors’ assessed cybersecurity maturity level. The certification ranges from CMMC Level 1, indicating a low, ad-hoc maturity, to CMMC Level 5, indicating a high, optimized maturity. As contractors progress further up the DoD supply chain all the way to prime contractors—those working directly with the DoD—the DoD scales requirements for those contractors to meet higher certification levels. Meeting all DFARS controls and 110 controls in NIST SP 800-171 roughly correlates to CMMC Level 3.

Cybersecurity Requirements of Executive Order 14028


Microsoft vulnerability leaves over 60,000 email servers vulnerable to Hafnium attack. CISA Advisory provides guidance on how to protect email systems.

Image Credit: Schäferle from Pixabay.

***Updated March 13, 2021 – CISA has identified seven webshells associated with this activity. This is not an all-inclusive list of webshells that are being leveraged by actors. CISA recommends organizations review the following malware analysis reports (MARs) for detailed analysis of the seven webshells, along with TTPs and IOCs.

  1. AR21-072A: MAR-10328877.r1.v1: China Chopper Webshell
  2. AR21-072B: MAR-10328923.r1.v1: China Chopper Webshell
  3. AR21-072C: MAR-10329107.r1.v1: China Chopper Webshell
  4. AR21-072D: MAR-10329297.r1.v1: China Chopper Webshell
  5. AR21-072E: MAR-10329298.r1.v1: China Chopper Webshell
  6. AR21-072F: MAR-10329301.r1.v1: China Chopper Webshell
  7. AR21-072G: MAR-10329494.r1.v1: China Chopper Webshell

***Updated March 12, 2021 – Check my OWA tool for checking if a system has been affected.

Earlier this month Microsoft disclosed a set of vulnerabilities in Microsoft Exchange server products. Microsoft has provided a blog post where you can find an explanation of the attack on Exchange servers, information on HAFNIUM, and more.

Check out this latest advisory from the Cybersecurity and Infrastructure Security Agency (CISA), with step-by-step instructions on how to gather evidence with FTK Imager and KAPE. The Alert includes information on how to mitigate the vulnerabilities, including tactics, techniques and procedures (TTP) and the indicators of compromise (IOCs) associated with this attack.

As of March 10, 2021, CISA recommends the following:

  • Organizations should run the Test-ProxyLogon.ps1 script as soon as possible—to help determine whether their systems are compromised.
  • Organizations should investigate signs of a compromise from at least January 1, 2021 through present.

Furthermore, according to Bloomberg, the Chinese state-sponsored hacking group has claimed at least 60,000 known victims globally.

Reasonable Security: Implementing Appropriate Safeguards in the Remote Workplace

Photo by Franck on Unsplash

In 2020, with large portions of the global workforce abruptly sent home indefinitely, IT departments nationwide scurried to equip workers of unprepared companies to work remotely.

This presented an issue. Many businesses, particularly small businesses, barely have the minimum network defenses set up to prevent hacks and attacks in the centralized office. When suddenly everyone must become their own IT manager at home, there are even greater variances between secure practices, enforcement, and accountability.

“Reasonable Security” Requirements under CCPA/CPRA and Other Laws

Under the California Consumer Privacy Act (CCPA), the implementation of “reasonable security” is a defense against a consumer’s private right of action to sue for data breach. A consumer who suffers an unauthorized exfiltration, theft, or disclosure of personal information can only seek redress if (1) the personal information was not encrypted or redacted, or (2) the business otherwise failed its duty to implement reasonable security. See Cal. Civ. Code § 1798.150.

Theoretically, this means that a business that has implemented security measures—but nevertheless suffers a breach—may be insulated from liability if the security measures could be considered reasonable measures to protect data. Therefore, while reasonable security is not technically an affirmative obligation under the CCPA, the reduced risk of consumer liability made reasonable security a de facto requirement.

However, under the recently passed California Privacy Rights Act (CPRA), the implementation of reasonable security is now an affirmative obligation. Under revised Cal. Civ. Code § 1798.100, any business that collects a consumer’s personal information shall implement reasonable security procedures and practices to protect personal information. See our CPRA unofficial redlines.


China’s 2020 Cryptography Law in the Context of China’s Burgeoning Data Privacy and Security Regime

[Originally published as a Feature Article: China’s 2020 Cryptography Law in the Context of China’s Burgeoning Data Privacy and Security Regime, by Carolyn K. Luong, in Orange County Lawyer Magazine, April 2020, Vol. 62 No.4, page 31.]

By Carolyn Luong

U.S.-China relations have been a trending topic throughout the past year due to several conflicts involving the alleged encroachment upon free speech principles and perceived threats to U.S. national security. The NBA and Activision-Blizzard, both U.S.-based organizations, fielded criticisms in October of 2019 for supposed political censorship motivated by the fear of losing Chinese customers. Furthermore, as the U.S. races to build out its 5G infrastructure, the U.S. government has explicitly restricted U.S. corporations from conducting business with Chinese technology manufacturer Huawei upon apprehension that Huawei equipment may contain backdoors to enable surveillance by the Chinese government.[1]

Dr. Christopher Ford, Assistant Secretary of the U.S. State Department’s Bureau of International Security and Nonproliferation remarked in September that, “Firms such as Huawei, Tencent, ZTE, Alibaba, and Baidu have no meaningful ability to tell the Chinese Communist Party ‘no’ if officials decide to ask for their assistance—e.g., in the form of access to foreign technologies, access to foreign networks, useful information about foreign commercial counterparties . . . .”[2] These Chinese firms in response firmly deny any allegations of contemplated or actual instances of required cooperation with the Chinese government to compromise user information or equipment.
