targeted in a new
round of organized cyberattacks. According to the bureau,
the attackers were intruding into
individual computers using a tactic
known as “spear-phishing.”
A spear-phishing attack involves
an e-mail sent to a specifically targeted individual.
Crafted using information picked up from common sources like
Facebook and other social media sites, the message looks like
it was sent by a colleague, client or some other trusted source,
and it asks the recipient to open a link or attachment, which
actually carries what the FBI terms a “malicious payload.”
So what the recipient actually does is open the
door for a botnet to enter the computer.
Gregory A. Fayer, an attorney at Gipson Hoffman
& Pancione in Los Angeles, received such an e-mail
just days after filing an intellectual property lawsuit
that named the Chinese government, among others,
as a defendant.
“These e-mails are specifically designed to target
specific individuals by making them think they’re
sent by someone that person knows or works with,”
Fayer says. “For that reason, they’re much more
dangerous than regular virus e-mails, which are
generally detectable right off the bat or caught in
anti-virus protections.”
Once hackers put their payload into a computer,
they will first look for user credentials, such as
administrator accounts, which allow them to move
undetected within the larger network, according
to Stephen L. Surdu, vice president of professional
services at Mandiant, an information security firm
headquartered in Alexandria, Va.
“It’s not traffic different from anything you would
normally see,” he says. “They blend right in. They
go in search of whatever brought them in the first
place. They’ll copy that out, usually to a different
location than where they’re doing their commands
from, so it doesn’t get in the way of their activity.”
Sometimes hackers get in and get out quickly;
other times they slowly harvest information over
a protracted period of time, Surdu says. “If they’re
stealthy enough, if they’re patient enough, it won’t
alert anybody,” he says. “If you’re not looking for this
type of thing, you’re not going to stumble across it.”
RESPONSE MECHANISMS
It is crucial for law firms to develop cybersecurity
strategies, says Gabriel M. Helmer, a cybersecurity
attorney in Boston who is conducting research
projects in the field. “Figure out what information
is very valuable to you and your business, and protect
“Lawyers are in a position that they need to protect
that information. When we stop being trusted, we
stop having clients.”
But creating effective barriers to cyberattacks
is a difficult proposition, for a number of reasons.
More cooperation in responding to the cybersecurity issue is vital, say experts in both government
and the private sector. “Cybersecurity is a team
sport that we all need to play effectively together,”
says Reitinger from the Department of Homeland
Security.
The federal government has taken steps toward
developing a coordinated approach to the issue.
The Obama administration, for instance, has adopted
a 10-point near-term action plan recommended by
the panel that prepared the clean-slate review of
the government’s cybersecurity policies. Meanwhile,
the FBI and 17 other federal law enforcement and
intelligence agencies have formed the National
Cyber Investigative Joint Task Force.
The private sector, though, is still playing catch-up.
In September 2009, the ABA’s Standing Committee
on Law and National Security published a report
summarizing proceedings from a two-day workshop
in conjunction with the National Strategy Forum and
the McCormick Foundation.
“Creating incentives for security in the private
sector cyberdomain is a challenge,” states the report,
National Security Threats in Cyberspace. “One participant,
rather unkindly, characterized the private sector
response as a ‘faith-based market failure’—one bottomed
on an act of faith that vulnerabilities would
not be exploited. That faith has, of course, gone
unrequited.”
But some efforts to address cybersecurity in the
private sector are under way. The ABA’s national
security committee, for instance, recently created a
task force to look at some of the key legal considerations
in dealing with cybersecurity. The task force
will have up to 40 members, including government
representatives and members of the private sector,
according to its chair, Suzanne E. Spaulding. She
is a principal in the D.C. office of the Bingham
Consulting Group, which advises companies on
public policy issues, and serves as a special adviser
to the ABA committee.
Three key issues the task force will address,
Spaulding says, are how to increase collaboration
between government entities and with the public
sector to develop effective policies; legal concerns
about how government surveillance of the Internet
would affect privacy concerns; and how the framework of the laws of war developed for conflicts in the
“kinetic” world should apply to attacks that occur
in cyberspace. Spaulding says the task force report,
which is expected in about a year, will focus on issue
analysis rather than policy recommendations.