The FBI began warning law firms that they were being targeted by hackers back in 2009. That warning was repeated at LegalTech last week by the FBI's Mary Galligan, the special agent in charge of cyber and special operations for the FBI's New York Office.
As Law Technology News reported, Galligan was blunt, saying, "We have hundreds of law firms that we see increasingly being targeted by hackers." The word "hundreds" should give law firms pause. Too many seem complacent even when faced with the unpleasant truth that their information security is sorely short of the mark.
As Galligan pointed out, FBI agents sometimes work with other government units, such as the Department of Homeland Security and the National Security Agency, though the FBI agents take the lead. They use custom-built software, including BACSS, a binary analysis characterization and storage system which helps investigators figure out what happened in an attack. To my surprise, Galligan said that BACSS may become unclassified in the next 6-12 months, which could be a boon to private security firms.
Galligan noted that there is a stereotypical view of the FBI which says: "I give the FBI information, they give me nothing back." She said that is absolutely not the case because, "Information sharing in cyberinvestigations is probably more important than any other investigations we do."
It might allay the fears of law firms to learn that the FBI does not tell people they've come to your firm and they don't come in raid jackets. There's no SWAT team and they don't unplug your servers. As Galligan noted, "You need to run your business. We'll tell you the impact of certain actions that we want to take." I do wonder if the correct wording is "certain action that we will take."
Galligan pointed out the obvious, that the increasing mobility of lawyers has complicated information security. She urged having up-to-date network diagrams, physical access logs and legal notices displayed at login. Firewalls, intrusion detection systems, remote access servers, virtual private networks, and web servers should, of course, all be logging activity. An investigator reconstructing an attack can only work from the logs that actually exist, so a firm should periodically confirm that each of those sources is still reporting.
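As an added example (not code from the original post, the FBI, or any product named in it), the script below checks the logging requirement in a way an investigator would care about: given a list of sources that must be logging and a syslog-style feed, it reports which sources are silent or have gone stale. The hostnames, the sample log lines, and the reference time are constructed for illustration; the timestamp format is assumed to be ISO 8601 in UTC.

```python
"""Log-source coverage check (added example; hostnames and log lines are constructed)."""
from datetime import datetime, timedelta, timezone
import re

# The sources the post says should all be logging, keyed by an assumed hostname.
REQUIRED_SOURCES = {
    "fw-edge-01": "firewall",
    "ids-core-01": "intrusion detection system",
    "ras-01": "remote access server",
    "vpn-01": "virtual private network",
    "www-01": "web server",
}

# Constructed sample feed: "<ISO 8601 UTC timestamp> <hostname> <message>".
# Note that ras-01 never appears and ids-core-01 last reported two days earlier.
SAMPLE_LOG = """\
2013-02-04T09:00:01Z fw-edge-01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10
2013-02-04T09:00:07Z vpn-01 openvpn: user jsmith authenticated from 198.51.100.22
2013-02-04T09:05:30Z www-01 nginx: GET /login 200
2013-02-04T09:10:00Z fw-edge-01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10
2013-02-02T23:59:59Z ids-core-01 snort: [1:2000:1] policy violation
"""

# Reference "now" for the constructed feed above.
CONSTRUCTED_NOW = datetime(2013, 2, 4, 9, 30, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_line(line):
    """Return (timestamp, host, message) or None if the line is not well formed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts.replace(tzinfo=timezone.utc), m.group(2), m.group(3)


def last_seen(log_text):
    """Map each host to the most recent timestamp it logged, ignoring bad lines."""
    seen = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, _ = parsed
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def coverage_report(log_text, required, now, max_age=timedelta(hours=1)):
    """Classify each required source as 'ok', 'stale' (older than max_age) or 'silent'."""
    seen = last_seen(log_text)
    report = {}
    for host in required:
        if host not in seen:
            report[host] = "silent"
        elif now - seen[host] > max_age:
            report[host] = "stale"
        else:
            report[host] = "ok"
    return report


def check_sample():
    """Run the check over the constructed feed with the constructed reference time."""
    return coverage_report(SAMPLE_LOG, REQUIRED_SOURCES, CONSTRUCTED_NOW)


if __name__ == "__main__":
    for host, status in check_sample().items():
        print(f"{host:12} {REQUIRED_SOURCES[host]:28} {status}")
```

Run against a real feed, the useful output is the "silent" and "stale" rows: those are the devices whose activity will be missing when an investigator later asks what happened. The one-hour threshold is a stand-in; pick one per source based on how chatty the device normally is.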
Galligan said that meetings between FBI agents and major law firms began in 2012 (I would gently amend that to 2011 in light of press reports) and that these meetings will continue on a regular basis. I too have been on the receiving end of a call which my receptionist announced as: "FBI agent _________ is on the line for you." I know my stomach knotted, so I understand why law firms have the same reaction. But the time to say "we can take care of ourselves" is long over. We clearly can't.
E-mail: firstname.lastname@example.org Phone: 703-359-0700