The Colonial Pipeline cybersecurity breach in May grabbed Americans by the shoulders. Supplying about 45% of the East Coast’s fuel demand, Colonial briefly paused deliveries after the attack on its online billing system, resulting in dry pumps in 11 states that rattled consumers and spurred gas hoarding.
The FBI attributed the hack to the Russian ransomware group DarkSide — among the better-known bad actors to exploit system vulnerabilities and extract large paydays. Through its malware, DarkSide made restoration of Colonial’s billing system contingent upon the transfer of 75 bitcoins, worth about $4.4 million at the time.
Like so many other marks, the business paid. Colonial CEO Joseph Blount told The Wall Street Journal that, because he was initially unsure about the extent of the breach, “it was the right thing to do for the country.”
The government, notably, was able to recoup about half of the extorted amount through its own tech savvy and with help from intermediaries, mitigating the damage to the company. DarkSide claimed to be disbanding due to pressures.
For some, it might be comforting to downplay the incident. A missed fill-up is a passing inconvenience. A corporate stickup is a problem for IT departments, insurance companies and, sometimes, federal law enforcement.
Yet, as the Colonial breach shows, the line where business interests end and national security interests begin has blurred. Perpetrators of cybercrime are outpacing countermeasures. The bad guys are seemingly only limited by the bandwidth of their cunning and the timing of the latest patch.
As with other precarious moments in our nation’s history, enter the lawyer to help. Alumni and faculty of the Law School are working to solve many of the high-level problems created by cyber intrusions.
CALLING FROM THE ROAD, John Woods ’95 of Baker McKenzie was en route to a client he couldn’t disclose — an intrusion on some organization, somewhere. Having evoked images in a reporter’s mind of a “CSI”-like procedural, except with attorneys and IT staff instead of police, Woods downplayed the notion. What he does would not translate well to the screen, though the stakes are often quite high.
A partner based in the firm’s Washington, D.C., office, Woods is co-head of the firm’s global cybersecurity practice. For more than 20 years, he has helped large organizations address the legal consequences of hacking — from a Fortune 500 client that was victimized by the Russian NotPetya malware to serving as special investigative counsel to a major retailer after hackers compromised 45 million credit cards.
Attacks by cyber opportunists increased by 69% in 2020 over 2019, according to the FBI’s Internet Crime Complaint Center. The transition to working from home during the pandemic allowed criminals to exploit less-protected home computers as users accessed office networks remotely. While financial gain motivates the bulk of the criminal activity, from Woods’ perspective, keeping too narrow a focus on ransoms misses the point. Businesses and their information are interconnected. The breach of one company can extend to many other players, threatening a functioning society.
“Operationally impactful malware, which includes ransomware, has been causing real-world problems at an increasing pace over the past five years,” Woods said. “And over time that is likely to change the policy debate around cybersecurity regulation from a privacy-focused disclosure regime to something that is more operationally focused — i.e., ensuring that critical business services are secure, such as in the financial sector.”
Law firms simply advise and, within the bounds of the law and their ethical obligations, serve their clients’ wishes. That means if the client wants to quietly pay a ransom, so long as the entity to which payment is directed isn’t on the U.S. Treasury sanctions list, few regulations prevent it. Not every company will get the priority treatment that Colonial received if they do report a crime. The FBI successfully froze $380 million in transferred funds in 2020, but the overall reported losses exceeded $4.1 billion. With underreporting, the true scope of the problem is unknown.
The more sophisticated perpetrators often knocked twice on the biggest doors — seeking one payment to restore system functions, and a second to prevent a public data dump.
In responding to an attack, while a select few lawyers do possess advanced technical credentials, attorneys for the most part take the 30,000-foot view.
“It could be a call in the middle of the night,” said Web Leslie ’19, an associate practicing in data privacy and cybersecurity at the law firm Covington in D.C. “Or in some cases we might come in later in the process to assist with the forensic work to determine what’s going on. But generally, we’re brought in to manage the bigger picture.”
In addition to recommending how and when to notify authorities, lawyers must assess “the broader risks posed by an attack, including where the information in the breach could implicate other sensitive parts of the company,” Leslie explained. Firms may also help with the drafting of formal response plans, so that leaders know what steps to take in the future. Attorneys and IT experts can then run “tabletop exercises” to drill an organization’s response in implementing the plan.
Not that anything ever goes exactly as planned, Leslie said.
A breach can lead to regulatory intervention and the kind of disputes that cause litigation, among other outcomes. “These risk categories can create significant financial exposure, brand risk, and distraction,” Woods and co-authors note for a chapter in the book “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers.”
In the worst of scenarios, the result could be bankruptcy.
Put in those terms, a decision not to disclose a breach is compelling for many business leaders. All 50 states do have some form of data breach notification requirements related to the exposure of consumers’ personal information. However, one alumnus speaking on background noted that the extent of a breach is often ambiguous, making it unclear if the need to disclose has been triggered. Still, he said, if a company’s daily operations were to be shut down due to an attack, there is no ambiguity; notification has already occurred.
LARGE ORGANIZATIONS need to shift how they think about cyberattacks, said Jake Olcott ’05, vice president of communications and government affairs for BitSight. The cybersecurity ratings service analyzes the security performance of more than 40 million companies, government agencies and educational institutions, allowing its clients, which include Lowe’s and AIG, to assess the risks of conducting business with them.
“This is not just a tech problem; it’s often a fundamental governance problem,” said Olcott, who was a cybersecurity adviser to U.S. House and Senate committees earlier in his career. “I would love for our alums to really engage in this challenge. Whether you’re a general counsel or CEO or a board member, it’s actually your responsibility at the end of the day.”
While, yes, the IT department may be best positioned to quickly implement the latest security patch, which Olcott said is a crucial indicator of whether or not an organization will be a victim of ransomware, the executives are the ones who decide program funding, reporting structures and the like.
Olcott’s company, in fact, is making it harder for C-suites to be lazy.
“We are continuously collecting literally hundreds of billions of security events about organizations on a daily basis,” Olcott said. “BitSight provides our data to insurance companies, and the insurance companies use that data during the underwriting process. If they see a concern, they can reach out to the company and say, ‘We really think you should take a look at this.’”
So how does his company get its information? Olcott compared the service to a consumer credit bureau: “All our data is externally observable. At no point am I, as the consumer, sending information to the credit rating agency.”
Instead, BitSight pings for system weaknesses in ways similar to how the hackers probe: “In many situations we’re able to discern the vulnerability of a system by doing some very basic interactions with that system — browsers, operating systems, software on a particular network.”
But the company also operates the world’s largest sinkhole network, which makes use of servers designated to snag malicious traffic.
“When a bad guy tries to break into your network, they often send a spear-phishing email,” Olcott explained. “When the malware is downloaded, the first thing it tries to do is send a beacon back that says, ‘I’m in. What do you want me to do next?’ A sinkhole intercepts those communications. When a bad guy sends one of those spear-phishing emails, the link often includes an address to contact. They’re running so many of these addresses that sometimes they forget to reregister them. When that address expires, it’s kind of open for anyone to take over and register those websites. We’ve taken over a lot of addresses that used to belong to bad guys.”
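The sinkhole workflow Olcott describes, from the defender's side, reduces to a log-analysis problem: once an expired command-and-control domain points at a server you control, every infected machine that still checks in reveals itself, and the operator's job is to work out which organisations those machines belong to so they can be told. The script below is an added illustration of that step, not BitSight's code. It assumes a constructed, simplified sinkhole access-log format (timestamp, client IP, Host header, request path), a constructed netblock-to-organisation table, and a constructed check-in path (`/gate.php`) standing in for whatever a given malware family uses; it flags hosts that check in repeatedly and reports their beaconing interval, which is the tell-tale sign of an implant rather than a stray visitor.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines from a hypothetical sinkhole web server.
# Assumed format: ISO-8601 timestamp, client IP, Host header, request path.
SINKHOLE_LOG = """\
2021-09-14T02:11:07Z 203.0.113.45 expired-c2.example /gate.php?id=WS-017
2021-09-14T02:16:07Z 203.0.113.45 expired-c2.example /gate.php?id=WS-017
2021-09-14T02:21:08Z 203.0.113.45 expired-c2.example /gate.php?id=WS-017
2021-09-14T02:26:07Z 203.0.113.45 expired-c2.example /gate.php?id=WS-017
2021-09-14T02:13:40Z 198.51.100.9 expired-c2.example /gate.php?id=LT-221
2021-09-14T02:14:02Z 192.0.2.77 expired-c2.example /robots.txt
2021-09-14T02:30:55Z 198.51.100.9 expired-c2.example /gate.php?id=LT-221
"""

# Constructed netblock-to-organisation table (placeholder names).
NETBLOCKS = {
    "203.0.113.0/24": "Example Pipeline Co",
    "198.51.100.0/24": "Example Regional Hospital",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m.group(2), "host": m.group(3), "path": m.group(4)}


def org_for_ip(ip):
    """Map a client IP to the organisation that owns its netblock."""
    addr = ipaddress.ip_address(ip)
    for cidr, org in NETBLOCKS.items():
        if addr in ipaddress.ip_network(cidr):
            return org
    return "unattributed"


def is_beacon(path):
    """Constructed check-in path for the hypothetical malware family."""
    return path.startswith("/gate.php")


def beacon_report(log_text, min_hits=2):
    """Group check-ins by source IP and summarise hosts seen at least min_hits times."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_beacon(rec["path"]):
            hits[rec["ip"]].append(rec["ts"])
    report = {}
    for ip, stamps in hits.items():
        if len(stamps) < min_hits:
            continue  # a single hit could be a scanner or a curious browser
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[ip] = {
            "org": org_for_ip(ip),
            "beacons": len(stamps),
            "median_interval_s": sorted(gaps)[len(gaps) // 2],
            "first_seen": stamps[0].isoformat(),
        }
    return report


if __name__ == "__main__":
    for ip, info in beacon_report(SINKHOLE_LOG).items():
        print(f"{ip:15} {info['org']:28} beacons={info['beacons']} "
              f"every ~{info['median_interval_s']:.0f}s since {info['first_seen']}")
```

On the constructed log the report lists two beaconing hosts, one in each organisation's netblock, and ignores the `/robots.txt` fetch from the third address. The median interval is what separates a periodic implant check-in (here roughly every five minutes for the first host) from one-off noise; a real sinkhole would feed these attributions to the victim's security team or, as Olcott describes, to an insurer or ratings service rather than printing them.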
In September, the risk assessment firm Moody’s became the majority shareholder of BitSight, increasing the profile of both companies as they partner on new offerings. BitSight is just one of numerous entrepreneurial efforts springing up to solve the problem of data vulnerability. Olcott said that until the government can act to improve the situation, “companies these days are on their own.”
CYBERCRIME LAW AND POLICY at the federal level have struggled to keep pace with the trends of the past decade, much less the real-time threats. Prosecutors find themselves in the rare position of being unable to flex in the ways they can on other types of crime, with culprits often being outside of the reach of the U.S. and its allies.
One alumnus, speaking on background, said that authorities must find more effective ways to cut off the flow of money. Like an invasive plant, the encroachment won’t end until the government can dry up the vine at ground level.
The Treasury Department first advised last year that intermediaries who facilitate ransomware payments will risk sanctions, but that policy may prove tricky to enforce because there’s no law prohibiting a victim or insurer from paying ransoms. Lawmakers agree such a move could be fatal to certain exposed businesses.
Rival nations complicate law enforcement efforts. Russia may be the most notorious of the foreign powers that provide safe haven to “black hats” — as long as their illicit hacking doesn’t target the motherland. A formidable cyber adversary in its own right, Russia was blamed for the recent SolarWinds breach that created backdoors to U.S. government agencies’ systems, which also exposed private companies in their supply chains. But Russia is far from alone.
The U.S. and its allies called out China and an affiliated group, Hafnium, in July for the Microsoft Exchange hack. The security flaw allowed the Chinese to snoop on defense contractors and universities, as well as small- and medium-sized businesses and local governments. A ransomware scheme later piggybacked on the vulnerability.
Notably, the U.S. retaliated with sanctions against Russia for the SolarWinds attack. The White House has not retaliated against China, other than via press announcement, for the Microsoft Exchange hack.
But UVA Law professor Kristen Eichensehr, an expert in cybersecurity and national security law who joined the faculty last year and runs the school’s National Security Law Center, said official statements are not inconsequential. The tech community and the media often lead on pointing blame for attacks, making it more likely officials will then speak out.
“Attributions by private companies can make clear what’s happening before the government speaks, and such attributions also tend to put some pressure on the U.S. government to speak publicly,” Eichensehr said. “The United States has moved recently to do attributions in a coordinated way with allies. It’s an opportunity to define norms of responsible state behavior in cyberspace, but it’s an opportunity that’s not being fully utilized.”
The U.S., for example, could call out particular actions as violations of international law, not just international norms, or commit to providing evidence to support accusations against states, she said. In her article “The Law & Politics of Cyberattack Attribution,” Eichensehr argues that states should set evidentiary standards for attributions as a matter of international law to prevent states from lobbing evidence-free accusations. Currently, the U.S. is resisting the development of such standards, as are France, the Netherlands and the United Kingdom.
Olcott worked at the House of Representatives as director for the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology in 2007. He helped elected officials conduct some of the first investigations and hearings into critical infrastructure cybersecurity. When discussion of reform measures arose, there was often pushback, he said, along with the quandary of the carrot or the stick.
“The key question for the government folks is what is the best way to improve the cybersecurity posture of our country?” Olcott said. “Should we increase our regulations in this space or are there things we should do to incentivize better behavior?”
U.S. Sen. Mark Warner of Virginia sponsored a bipartisan bill this summer that would require federal agencies and their contractors, as well as other companies that run critical infrastructure, to notify the Department of Homeland Security of an incursion. In exchange for the heads up, the Cyber Incident Notification Act would provide limited immunity and offer technical help to the victims, such as anonymizing exposed data.
SO COULD THE U.S. GO TO WAR over a cyberattack that destroys an oil pipeline or increases the chlorine at a water treatment plant to toxic levels? What about a breach that sets back Wall Street and later tanks the economy?
“I don’t think anyone wants to get into a shooting war over ransomware,” Eichensehr said. “Below the threshold of armed conflict, there’s a lot more confusion about what the legal rules actually are.”
Article 51 of the United Nations Charter recognizes the right to self-defense in response to an “armed attack.” But further guidance about when a cyberattack allows a forcible response under the article has been vague and slow in coming.
After three years, members of a U.N. cybersecurity working group reached consensus in March about upholding some basic norms. The report, reflecting the participation of 150 countries and observers, stressed maintaining the “general availability and integrity of the Internet” and the importance of protecting critical infrastructure such as hospitals.
What’s considered off limits still may vary from country to country. The U.S., while encompassing the obvious, such as airports, broadly defines critical infrastructure to include movie theaters, campgrounds and casinos.
Professor Paul Stephan ’77 returned to the Law School this fall from academic leave as special counsel to the general counsel of the U.S. Defense Department. He recently wrote an essay on the future of armed conflict in cyberspace for the forthcoming Oxford University Press book “The Law of Armed Conflict in 2040.” He addressed what constitutes a defensive posture.
“One way of framing the issue is how much do we want to make of the distinction between impairment of well-being and functionality, on the one hand, and of death and destruction in the physical world, on the other hand,” Stephan said. “Everyone agrees that cyber actions that lead to death and destruction should be treated no differently than physical actions, but is that all there is?”
He noted that Israel, in its ongoing conflict with Hamas, appeared to have justified an attack on a building as lawful because it contained computers “that were undertaking cyber invasions and compromising Israeli data without necessarily causing direct death and destruction.”
Stephan said the discussion of how to conduct a conflict all too often transforms into a question of when to strike first.
“Imagine a hypothetical adversary, but not a country with which we are at war, that does not have significant deterrent capabilities — no nukes, in other words — bringing down a financial market. Could we launch cruise missiles against that adversary? I would like to see the jus ad bellum, the conditions under which states may resort to armed force, function as an obstacle to such retaliation.”
He added, “I worry that treating costly but not deadly cyberattacks within armed conflicts as subject to legal regulation under the jus in bello, the limits on how to use force once a conflict has started, can lead to more armed conflicts.”