Duck, Cover, And Hold: A Lawyer’s Role In Securing Companies Against Nation-State Attacks

Protecting a company from nation-state actors was likely not an elective for many attorneys now practicing in the field. And lawyers are generally trained to trust subject matter experts so even if cybersecurity had been part of the curriculum, there would still be a sense of overwhelming deference to our counterparts in the security world. But in today’s digital world where cyber threats don’t limit themselves to just one stakeholder, there’s an undeniable need for lawyers to be part of the collaborative drumbeat of cyber vigilance within any organization.

So when the Cybersecurity and Infrastructure Security Agency (CISA) — a federal agency that was established two years ago to serve as “the Nation’s risk advisor” under the Department of Homeland Security — disseminated guidance this week on how companies should be thinking about the increased risk of nation-state actors attacking U.S. companies in light of heightened conflicts with Iran, lawyers took note.

That a U.S. corporation could face cyber consequences from the United States’ killing of top Revolutionary Guards commander, Major General Qassim Suleimani, is the new normal for corporate counsel given the declaration by the government of Iran and its supreme leader of Iran’s intent to strike back at the U.S.

The threat of cyber attacks against the U.S., its companies, and its critical infrastructure is imminent. Iran has long been an active source of Advanced Persistent Threat (APT) attacks which were quelled since 2015 when former President Barack Obama signed the Joint Comprehensive Plan of Action with Tehran.

A year ago, CISA came out with its user-friendly Cyber Essentials guidance in line with the National Institute of Standards and Technology (NIST) cybersecurity framework, propagated by the Department of Commerce, to help small businesses understand the importance of cybersecurity. That guidance is a jumping off point for cyber readiness within organizations, broken down into six “Essential Elements of a Culture of Cyber Readiness” where organizations “living the culture” demonstrate best practices within those elements. The guidance concludes with list of steps that small businesses can take immediately to increase organizational preparedness against cyber risks. These include backing up data, implementing multifactor authentication, enabling automatic updates, patching, and having experts on standby for help.

Years later, as general counsel of a technology-enabled cyber services and investigations firm, I no longer have the luxury of sitting on the sidelines of debates about what it means to properly protect the organization from security threats. But, quite frankly, none of us lawyers do. Ask any board member — cyber risk is no longer just a problem for the IT department.

Actively Defending Against Cyber Threats

Proactively addressing a company’s security posture means adopting an approach that proactively identifies and solves against known and unknown threats using best-in-class tools and experts. That stance -– call it “Active Defense” — includes advanced threat hunting and attack methodologies, the use of deception technologies to confuse attackers, and elite intelligence collection and analysis techniques. Within companies, there is a growing sense that internal teams can learn from external teams of experts who bring in varied backgrounds and see things differently, as an outsider. The purpose of these so-called purple teams, where an internal blue team is paired with an external red team to identify and shut down weaknesses within an organization’s security stance (whether physical or virtual), is to strengthen the organization against outside threats. Beyond the color spectrum, this recognition of the ever-growing risk presented by sophisticated malicious actors operating unchecked against the private sector is mirrored by the ever-growing opportunities for threat actors who can access advanced exploits more readily than ever before.

The calculation of the proper level of threat protection is specific to the organization. Assume that if you’re a company doing business with the U.S. government or part of the nation’s critical infrastructure, you’re going to need to lodge a stronger defense. Recommendations for shoring up on cyber from CISA include:

  • More frequent backups of data and storing backups offline, including backups of information critical to company operations
  • Creating and rehearsing an incident response plan
  • Implementing multi-factor authentication
  • Minimizing account privileges
  • Regularly scanning networks and systems
  • Automatically patching vulnerabilities
  • Monitoring network traffic
  • Whitelisting applications so that only approved programs are allowed to run on the network
  • Temporarily increasing the frequency of password changes on your system
  • Increasing the logging functions on your system to better monitor activity
  • Training staff on cybersecurity best practices
  • Conducting a cybersecurity risk analysis of the organization

Jennifer DeTrani is General Counsel and EVP of Nisos, a technology-enabled cybersecurity firm. She co-founded a secure messaging platform, Wickr, where she served as General Counsel for five years. You can connect with Jennifer on Wickr (dtrain), LinkedIn or by email at


This article is sourced from : Source link