Cyber vulnerability - minimising the risk
Ashley Roughton provides practical advice on how law firms can take steps to reduce the risk of cyber attackers stealing information
At present, law firms have not been in the line of fire (or the line of press interest) concerning cyber-attacks. However, this does not mean that law firms are not or will not be vulnerable to attacks or a cyber invasion of one sort or another. There are plenty of incentives on the part of a cyber attacker to attack a law firm; the principal purpose being to appropriate information. That information could be confidential or secret information belonging to clients or concerning their affairs, bank details, or financial information concerning the law firm itself. The type of attack or event can vary and can be latent or patent. Just when you think you can sigh in relief that an attack is over, your problems could have only just begun.
A denial of service attack and intrusion
The most immediate and disruptive attack one can think of is the denial of service attack, where a cyber warrior will engage a number of computers (most of them acting unwittingly) to relentlessly make calls on a firm's server or on the server directing traffic to the firm's server. This is the main type of attack at the moment and the one law firms are most likely to be subject to. However, these attacks make no sense on their own: the aim of any rational attacker will be penetration in order to obtain information. Therefore, law firms can expect this sort of attack in the short term, but attacks will progress and change in the medium term to more subtle means of perpetration.
Surprisingly, such denial of service attacks can arise in a wide variety of ways but, importantly, any attack of this sort will lead to server instability and that, in turn, will inevitably lead to a lessening of security. Up until about four years ago it was believed that the sole purpose of a denial of service attack was to stop a business from operating in some way, and that it was no more malevolent than that.
The usual response, and in the short term the only response, was to wait for the storm to pass. As a strategy this had much to commend it. Nobody's data got lost, no files were copied, and nothing else happened. In a sense, it could be regarded as an enforced cyber holiday. Then things started to get more complicated - a trend which is starting to emerge in cyber situations being that malefactors are getting clever - and businesses were not just having their service denied, but intrusion was also taking place. In denial of service situations, intrusions became more possible because of the instabilities that a business's server exhibited in response to a denial of service attack.
Intrusion is a much more insidious problem. By analogy, it is (a little) like dealing with a fox in a chicken coop, rather than preventing the fox from getting into the chicken coop in the first place. However, and to stretch an already inapposite metaphor, the fox can sometimes be invisible and can sometimes do things which are not noticed… not for a time anyway. The basic denial of service attack ushered in the way for a tiered attack. A first wave (and probably a first team) sets up the denial of service, the second wave (and probably a second team) intrudes, and the conveyed information (usually bank information) is then sold on to a third team who make the phone calls to fill in the informational gaps before causing balances to be transferred. Even more insidiously, if a second team hears of an attack, then there is nothing to stop that team from intruding even though they have nothing to do with, and had no knowledge of, the activities of the first team - there is a notion of turf wars being fought in the cyber arena. Hence it seems that the last thing you should worry about in the face of a denial of service attack is the denial of service attack itself. Instead, you should be thinking about what other acts that denial of service attack will enable.
The one thing a malefactor cannot get round is that denial of service attacks cause the target to react. Might it be better not to place a target in that position? If the answer to that (admittedly rhetorical) question is yes, then two points emerge: that a denial of service attack is very clumsy and as such its utility from a malefactor's point of view is going to be limited; and if the supreme purpose is entry why not use other means of entry which do not alert the target? The overriding strategy on the part of the potential target must be to avoid entry or penetration or the consequences of it.
Cyber entry for the purpose of just looking was certainly something people did in the 1970s and 1980s. However, it can now be assumed that entry means danger. Penetration attacks, whether covert or overt, only take place with the object of expropriating something or placing some code in the target system with a view to enabling doors to be opened and data to be transferred at a later date. With this second form of attack there is no knowledge on the part of the target as to what is happening. Further, this second form of attack - a covert penetration, which is not discovered until after (sometimes long after) the event - is likely to make detection all the harder or impossible. However, armed with a few basic precautions, covert attacks and the consequences of them can be minimised.
The Computer Misuse Act 1990
Part of the deterrence of cyber attackers is a recent government initiative to upscale damage-causing penetration from something that was regarded as naughty to a serious matter. On 3 May 2015 the Computer Misuse Act 1990 was amended in three respects:
- For acts of computer misuse (essentially, impairing the operation of a computer without authorisation) resulting in material damage or risk of material damage, there is now a maximum penalty of life imprisonment in some cases. To attract that penalty, the damage must be serious and the risk must be significant. Very importantly, whether the damage or risk of damage is material falls within four areas: human welfare; the economy; the environment; and national security. There is a mental element, meaning that there must have been an intention to carry out the unauthorised act or the person must have acted recklessly, i.e. with wanton indifference to a clear and obvious risk. For cases involving the environment or the economy the sentence is capped at 14 years' imprisonment. For the other two (human welfare or national security), however, the maximum term is life. Entering a hospital's server or that of GCHQ may have very serious consequences if damage is caused or there is a significant risk of such damage being caused.
- Hackers who are UK nationals are not safe even if they act abroad and the effects are only felt abroad. As long as the act carried out in the other jurisdiction was a criminal act there, they can be prosecuted in the UK.
- Those acquiring computer-damaging software (such as hacking software or virus-writing software) will commit an offence by the mere act of acquiring that software. Their intention in doing so must have been to commit a misuse offence or to assist others to do so. Previously the rule was that the acquisition had to have been made with the intention of supplying the software to others to commit an offence or assist in an offence being committed. The new state of mind is marginally easier to prove.
It is too early to know whether the Computer Misuse Act will act as a deterrent. Statistics are unlikely to reveal much, since targets are hardly going to want the world to know if they have been attacked or scammed. As the use of the Act was rare beforehand, it may be in even rarer use in years to come.
The General Data Protection Regulation
In addition to the Computer Misuse Act 1990, there is the General Data Protection Regulation, which will shortly place liabilities on data controllers (i.e. the would-be targets) if, among other things, personal data is 'accidentally lost or damaged'. In fact, all infringements of the regulation may potentially be the subject of a fine at such a level as shall be 'effective, proportional and dissuasive'. The maximum level of fine is 4 per cent of worldwide turnover up to a limit of €20 million (2 per cent/€10 million in some cases).
Therefore it is worthwhile thinking of things that can be done to avoid or mitigate any penalty. Policies (those for bring your own device and detachable media are particularly important), employee training, and regular maintenance by penetration specialists are highly likely to reduce the likelihood of an attack or the severity of a fine. Insurance is also an option, but bear in mind that the insurance industry is at a nascent stage in the provision of cyber products and that exceptions may be rigorously applied - terrorism is likely to be a key and wide exception. It is also the case that an assured may have to give up control of its business to loss adjusters (including, in some cases, giving them a power of attorney to enable them to make key and quick decisions) for the first few days of an attack or the first few days after an incident is discovered.
Ashley Roughton is a consultant barrister at Nabarro LLP (www.nabarro.com)