May 18, 2017
Law firms can take a page from Macron
Living in the age of cyberhackers, law firms should consider reverting to landline phone calls and paper documents to protect client information. By Anita Taff-Rice
Anita Taff-Rice
Founder
iCommLaw
Technology and telecommunications
1547 Palos Verdes Mall # 298
Walnut Creek, CA 94597-2228
Phone: (415) 699-7885
Email: anita@icommlaw.com
iCommLaw® is a Bay Area firm specializing in technology, telecommunications and cybersecurity matters.
High-profile stories about cybercriminals and government cyber espionage have pushed names like WikiLeaks, The Dark Overlord, and Weeping Angel into news reports and water cooler talk this year. While these code names and images of hackers lurking in the dark corners of the internet may seem cartoonish or the stuff of bad spy novels, there's nothing funny about the cyberattacks carried out last month against Netflix, major television networks, cable companies and another presidential campaign — this one in France.
Netflix was reported to have been the target of a ransom demand by a cybercriminal known as "The Dark Overlord" who hacked into the network of a production company and downloaded 10 of 13 episodes of the upcoming season of "Orange is the New Black," a popular crime drama that is among Netflix's original programming lineups. The hackers reportedly made a demand for an unspecified amount of money to prevent public release of the episodes. When Netflix refused to pay, the hackers made the episodes available on a file-sharing site called Pirate Bay. The Dark Overlord hackers also reportedly obtained copies of other shows from ABC, CBS, NBC, Fox and cable companies and made the same ransom demands.
In the French presidential election, candidate Emmanuel Macron reported that his campaign was subjected to a cyberattack similar to the attack that reportedly targeted candidate Hillary Clinton. A major component of the attack was fake emails that appeared to be from campaign staffers and included a link prompting the user to log in; if the user did so, the hackers could monitor the recipient's keystrokes and thereby obtain passwords and access to email accounts and files. Macron's campaign, however, mounted its own cyber counteroffensive, which reportedly included flooding the links with fake passwords and planting fake content on campaign staffers' computers.
While the Macron campaign appears to have slowed down the cyberattack enough to prevent the wide dissemination of fake news, the measures his campaign had to take were extreme. The counteroffensive likely worked because the attack took place during the compressed time frame of an election, rather than the months and years cybercriminals have to mount attacks on businesses and governments.
Law firms have become an increasingly attractive target for cybercriminals because they have highly confidential client information such as Social Security numbers and bank account information that is directly useful to the hacker, as well as information about upcoming deals that could be used to profit from unannounced business deals or to divert payments from the intended recipient. Law firms have been sued for malpractice and more when client information was hacked, and this trend is likely to continue.
Law firms should not expect much help from the government to prevent cyberattacks. Internet service providers (ISPs), the portal through which cyberattacks must travel, are encouraged to take down materials believed to be infringing copyrights, but are not required to do so. If the ISP does respond to a so-called "take down notice" from a copyright owner who believes his or her materials are being infringed, the ISP can avoid monetary damages under safe harbors in the Digital Millennium Copyright Act, 17 U.S.C. Section 512. But laws like the DMCA do not stop malicious use of ISP services unrelated to stolen digital materials. There have been efforts to require ISPs to block suspicious or malicious content, but of course, the problem is who gets to decide what is truly malicious.
The new chairman of the Federal Communications Commission, Ajit Pai, has shown disdain for regulations generally, and for cybercrime and privacy in particular. Since being confirmed, Pai halted the cybersecurity provisions in the FCC's Broadband Privacy Order, opposed inclusion of cybersecurity in communications outage reporting and rescinded a notice of inquiry regarding cybersecurity risk reduction for next-generation wireless networks.
Ironically, the best defense against cybercrime may be old-fashioned solutions. Rather than communicating with clients largely through emails, which can be spoofed, stolen or misdirected, lawyers may have to get used to calling the client on a landline. If a firm has sensitive client information, lawyers might consider restricting it to paper-only storage rather than on the computer network, which can be hacked.
Most importantly, though, law firms must focus on training attorneys and staff on how to keep information secure because humans are still the weakest link in the security chain. Macron was savvy enough to have a digital director who recognized the cyberattack when the fake emails began showing up. He began intensive training of staff so they wouldn't fall for the trap. Reportedly the director captured screenshots of all of the fake emails and associated addresses and sent them to the campaign staff so they would be alerted not to click on links or attachments in those suspicious emails.
Law firms should be doing the same. Most lawyers and staff are not highly technical and need training to learn how to spot suspicious communications. Firms should have policies and reminders on simple techniques like never storing sensitive documents in the cloud, not using public Wi-Fi and never downloading applications from unfamiliar sources. With a bit of training, law firm personnel could learn to spot suspicious communications by viewing the expanded headers in emails. If the email is sent through a long string of routers, there could be a problem. If an email has an unusual time stamp, the recipient should be careful. If an email has typos or uses stilted language, it may be from foreign hackers.
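The header checks described above, as an added example that is not part of the original column: it counts the `Received` relay hops in the expanded headers, checks the hour on the sender's own clock, and compares the `Date` header with the timestamp of the first relay. The thresholds, the `header_flags` and `make_sample` names, and the two sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime

MAX_HOPS = 5                # assumed threshold for "a long string" of relays
WORK_HOURS = range(7, 20)   # assumed normal sending hours on the sender's clock
MAX_SKEW_S = 2 * 3600       # assumed tolerance between Date and the first relay

def header_flags(raw):
    """Return the reasons these headers deserve a second look."""
    msg = message_from_string(raw)
    flags = []
    hops = msg.get_all("Received", [])   # newest relay first, oldest last
    if len(hops) > MAX_HOPS:
        flags.append("long-relay-chain")
    try:
        sent = parsedate_to_datetime(msg["Date"])
        if sent.hour not in WORK_HOURS:
            flags.append("odd-send-hour")
        if hops:
            # Each relay writes its own timestamp after the last ';'.
            first = parsedate_to_datetime(hops[-1].rsplit(";", 1)[1].strip())
            if abs((first - sent).total_seconds()) > MAX_SKEW_S:
                flags.append("date-mismatch")
    except (TypeError, ValueError, IndexError):
        # Missing or malformed timestamps are themselves worth a look.
        flags.append("unparseable-date")
    return flags

def make_sample(n_hops, date, first_hop_time):
    """Build a constructed message with made-up hosts and addresses."""
    hops = [f"Received: from relay{i}.example.net by relay{i + 1}.example.net;"
            f" {first_hop_time}" for i in range(n_hops, 0, -1)]
    return "\n".join(hops + [f"Date: {date}", "From: partner@firm.example",
                             "Subject: Wire instructions", "", "body"])

# Constructed samples: eight relays and a 3 a.m. send time vs. an ordinary message.
SUSPICIOUS = make_sample(8, "Tue, 16 May 2017 03:12:09 +0300",
                         "Tue, 16 May 2017 09:40:00 +0000")
ORDINARY = make_sample(3, "Tue, 16 May 2017 10:05:00 -0700",
                       "Tue, 16 May 2017 17:05:30 +0000")

if __name__ == "__main__":
    print(header_flags(SUSPICIOUS))
    print(header_flags(ORDINARY))
```

A flag is a prompt to verify the message with the sender through another channel, not proof of an attack; legitimate mail that passes through filtering services can also show a long relay chain.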
Given the ever-expanding scope of cybercrimes and increased litigation against firms for failure to protect client information, law firms are going to have to take the threats more seriously, and focus on what they can control — the human weak links.
Anita Taff-Rice is the founder of iCommLaw, a Bay Area firm specializing in technology and telecommunications matters. She may be reached at anita@icommlaw.com