There Are Only Law Firms That Have Been Hacked And Those That Will Be

What do the legal departments of Volkswagen, Ikea, Jones Lang LaSalle, Citibank, and Caterpillar all have in common? Some amount of their legal work in Russia may have been made public this summer by hactivist group Anonymous’ action against Russian law firm Rustam Kurmaev and Partners, also known as RKP Law.

I had written in Harvard Business Review about the potential for Wikileaks and related groups to “expose your corporate brain” back in 2010 before the groups had ever done so to private companies. Not long after, the director of the FBI put forward the oft-cited point of view that “there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” From where we sit today, this is categorically true.

Law firms are finding themselves as unique nodes under attack in a geopolitical environment with cross-cutting adversarial intentions. In the risk world, we typically think about threat as a function of intent and capability. Without a doubt, the capability of groups to breach law firm IT defenses is very real. For instance, the hackers that took down RKP law told the International Business Times that they spent a month getting into the systems, sending RKP’s IT team emails from their bosses’ accounts to taunt them every time they were kicked out.

What’s really shifting is intent. In this case, the corporations outlined at the top fall victim to the fact that Anonymous set its sights on taking down major Russian entities in the wake of Russia’s invasion of Ukraine. One of those entities happened to be a law firm foreign companies turned to for litigation and anti-corruption work — none of which they would want to see in the public sphere.

Of course this cuts the other political way too — I wrote recently about Russia sanctioning an unprecedented number of U.S. lawyers, whose law firms are all likely in the Kremlin’s focus as well as that of its hackers. And, of course, firms can become collateral damage without necessarily being the target as well. It’s worth recalling the 2017 Ransomware hit on DLA Piper that locked up the firm’s systems — and which was alleged to have been traced back to a Ukrainian payroll supplier hit by fast-spreading Russian malware.

In the past few days, we’ve seen China’s strong-handed response to a visit from U.S. Speaker of the House Nancy Pelosi’s visit to Taiwan — everything from missile launches around Taiwan to cutting off collaboration on climate change. Just this week, the U.S. and Taiwan announced they are progressing on a mutual trade deal, which will no doubt provide the opportunity for huge amounts of legal work and lobbying by private companies that want to influence and prepare for such a deal. It is not hard to imagine those law firms assist them, in the process becoming increasingly attractive targets for Chinese hackers.

The good news is that many law firms understand the risk environment they face and have put in place policies to do their best to increase the time and effort it would take hackers to breach their systems. The American Bar Association’s (ABA) “2021 Legal Technology Survey Report” noted that roughly half the law firms surveyed have policies in place around data retention, email use, internet use, remote access, and social media, with higher scores as firm size increases. Of course, this sits next to their statistic that 35% of law firms with over 100 attorneys have experienced a data breach at some point.

The question I’m most interested in, however, is whether corporate customers are able to adequately assess the risk they face in engaging with particular law firms. Traditional cyber assessments are not good enough in a world where we live in the digital equivalent of the assumption that a burglar can break into any house if they want to badly enough. What’s really needed is to actually understand the DNA of the law firms you are working with and figure out if they are also likely to be a target.

Without that type of analysis it is particularly difficult to have confidence in any threat or risk assessment. This is like assuming the risk of terrorism on a plane flight is equivalent across different flag carriers just because they all follow the same security protocols. Actually, it makes a pretty big difference whether adversaries want to cause damage or not, which of course is a function of many factors like country of origin in the case of a plane flight. Or the nature of a law firm’s work in that case.

So, as in-house counsel, did you know that over a third of your larger law firms have experienced a breach? Do you have a way to differentiate those law firms you work with that are most likely to be targeted from those that aren’t? Are you confident that the higher-risk partners are handling your data in a way that, in the event of an exploit, you could mitigate the damage?

Technology solutions like Hence can be helpful in learning everything possible about your law firms, but of course traditional approaches like media monitoring about the work your external law firms are doing and forcefully raising concerns can go a long way too.

“By SEAN WEST, originally carried on Above The Law”