A basic concept of computer security is known as the CIA Triad, which stands for
This blog will explore the application of these three basic security conditions to the legal profession and electronic discovery. As part of this exploration the meaning of 9ec4c12949a4f31474f299058ce2b22a will be explained. As many of my readers will know immediately this is an MD5 hash value. See eg. HASH: The New Bates Stamp, 12 Journal of Technology Law & Policy 1 (June 2007). But do you know the secret meaning of this particular hash?
As we used to say in the Sixties, my consciousness has been raised recently by a new book on cybersecurity: Cybersecurity and Cyberwar: What everyone needs to know by P.W. Singer and Allan Friedman (Oxford, 2014). I recommend this as a must read on the big picture of cybersecurity. We are living in a dangerous world where cybersecurity is a constant threat. The latest Hearbleed security flaw scandal is a good example of this. HEARTBLEED: A Lawyer’s Perspective On Cyber Liability and the Biggest Programming Error in History.
Security information vigilance is everyone’s responsibility, but especially lawyers. Information is our stock in trade.The Internet may seem like the Wild West, but it is not a no-mans-land of lawlessness. The Texas Rangers are around and have the firepower of what is perhaps the most developed legal system the world has ever seen. Do not doubt the ability of the U.S. and British court systems to get to the truth of disputes and render justice.
For this system of open justice to continue in the new emerging cyber world the legal profession must quickly adapt to the times. We lawyers must learn how to apply established principles of law to completely new facts, to cyberspace. This is a challenge that must and can be met. I know hundreds of lawyers in the U.S. alone who are up to the task. There may be thousands by now. At first there were only a few dozen. So things are getting better all of the time.
We all need to just up our game again to get a better grasp of the dark side of hackers. We need to better understand the principles of cybersecurity.
A good place to start is the explanation of Singer and Friedman of the CIA Triad. It is a core principle of information security. According to Wikipedia:
The members of the classic InfoSec triad -confidentiality, integrity and availability – are interchangeably referred to in the literature as security attributes, properties, security goals, fundamental aspects, information criteria, critical information characteristics and basic building blocks.
Obviously a core principle of all information security is to keep confidential information secret. As Singer and Friedman explain:
Confidentiality refers to keeping data private. Privacy is not just some social or political goal. In a digital world, information has value. Protecting that information is thus of paramount importance. Not only must internal secrets and sensitive personal data be safeguarded, but transactional data can reveal important details about the relationships of firms or individuals. Confidentiality is supported by technical tools such as encryption and access control as well as legal protections.
In the legal profession maintaing the confidentiality of client data is more than a goal, it is an ethical imperative. Rule 1.6, ABA Model Rules of Professional Conduct. Among other things, the ethics rule requires that:
A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
This means a law firm has to maintain a secure IT infrastructure to keep all communications with a client confidential, and all documents received from the client. The burden of keeping client information confidential increases exponentially in e-discovery when large collections of unreviewed client ESI are involved. Unless a law firm is willing to invest millions of dollars in information security systems to protect such large collections of client data, which can easily run into hundreds of millions of confidential computer files, the best practice is for law firms to outsource this task. As I stated in Best Practices in e-Discovery for Handling Unreviewed Client Data, 3/16/14:
Attorneys should only handle evidence. Law firms should not take possession of large, unprocessed, unreviewed stores of client data, the contents of which are typically unknown. They should not even touch it. They should stay out of the chain of custody. Instead, lawyers should rely on professional data hosting vendors that have special expertise and facilities designed for data security. In today’s world, rife as it is with hackers and data breaches, hosting is a too dangerous and complex a business for law firms. The best practice is to delegate to security professionals the hosting of large stores of unreviewed client data.
The second pillar of cybersecurity is Integrity. As Singer and Friedman explain in Cybersecurity and Cyberwar: What everyone needs to know:
Integrity is the most subtle but maybe the most important part of the classic information security triumvirate. Integrity means that the system and the data in it have not been improperly altered or changed without authorization. It is not just a matter of trust. There must be confidence that the system will be both available and behave as expected.
Integrity’s subtlety is what makes it a frequent target for the most sophisticated attackers. They will often first subvert the mechanisms that try to detect attacks, in the same way that complex diseases like HIV-AIDS go after the human body’s natural defenses. For instance, the Stuxnet attack (which we explore later in Part II) was so jarring because the compromised computers were telling their Iranian operators that they were functioning normally, even as the Stuxnet virus was sabotaging them. How can we know whether a system is functioning normally if we depend on that system to tell us about its current function?
Hash algorithms are a key to authenticating the integrity of all ESI, and thus a key to protection from cyber attacks. Hash algorithms are the best tools we have to verify that computer files have not been altered, and thus lay a proper foundation for their admissibility as evidence. They are a legal guaranty of data integrity. All reputable vendors in the e-discovery space will hash all client data they receive as a matter of course. If disputers arise as to whether a file has been altered, the hash values will provide definitive proof of authenticity. It also makes possible secure transmission of computer files.
U.S. Cyber Command
Hash values are so important to cybersecurity that they have even been incorporated into the logo created for the U.S. military’s Cyber Command, a new organization formed in 2010. You will see the hash value 9ec4c12949a4f31474f299058ce2b22a in the inner gold ring.
The United States Cyber Command website has a recruitment video that you may find interesting. (Yes, I borrowed it from their embedded code.)
I for one am glad that Cyber Command exists, especially considering that China has supposedly recruited over 100,000 volunteer experts for their cyber espionage activities. In point of fact China seems to be primarily engaged in trade secret theft for commercial advantage, and not traditional state espionage. I urge companies to summon the courage (and evidence) to sue the Chinese government.
The meaning of 9ec4c12949a4f31474f299058ce2b22a in the logo was supposed to be a kind of secret message, but the word has gotten out. Turns out that this is the MD5 hash of the Cyber Command’s mission statement:
USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.
Hardly Snowden-worthy I know, but an interesting demonstration as to just how important hash is to cybersecurity, especially when it comes to protecting data Integrity.
As Singer and Friedman explain:
Availability means being able to use the system as anticipated. Here again, it’s not merely the system going down that makes availability a security concern; software errors and “blue screens of death” happen to our computers all the time. It becomes a security issue when and if someone tries to exploit the lack of availability in some way. An attacker could do this either by depriving users of a system that they depend on (such as how the loss of GPS would hamper military units in a conflict) or by merely threatening the loss of a system, known as a “ransomware” attack. Examples of such ransoms range from small-scale hacks on individual bank accounts all the way to global blackmail attempts against gambling websites before major sporting events like the World Cup and Super Bowl.
In the world of law and e-discovery availability means ability to find the evidence needed to prove a case. It is the ability to accurately search and review vast quantities of data that may have information relevant to a case. If you have information, but do not know where it is, or how to get your hands on it, then your information is not secure. It is lost. Someone could steal it and you would not even know it.
Many security experts find these three principles a bit too constrictive and so add a fourth to make a point they consider important. P.W. Singer and Allan Friedman are no exception. The fourth principle they add is resilience. In their words:
Resilience is what allows a system to endure security threats instead of critically failing. A key to resilience is accepting the inevitability of threats and even limited failures in your defenses. It is about remaining operational with the understanding that attacks and incidents happen on a continuous basis.
I agree with them, as this is the reality. No defense is fool proof. A dedicated team of attackers will get in. Intrusions are inevitable. Another book I recently read by the infamous Kevin Mitnick makes this point very well. The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers. So you need to be prepared to stay calm and carry on.
I equate this to the use of Clawback orders and agreements in e-discovery. Mistakes will be made, inadvertent disclosures of secret documents are inevitable in large projects. For that reason built in contingencies for a second level of defense of confidentiality are imperative. That is what clawbacks do.
Memorandums to file that keep a record of your search activities and basic decisions also serve a kind of resiliency function. If your efforts should fail somewhat, and some files are missed and not disclosed that should have been, you will still survive a sanctions attack based on a showing of reasonable efforts.
Lawyers, especially e-discovery and technology law specialists, need to have a basic understanding of cybersecurity principles, including the CIA Triad. We need to understand that law firms can and will be a target of bad hackers. (As opposed to good hackers whose management style I admire. The Solution to Empty-Suits in the Board Room: The “Hacker Way” of Management – Part Two.) The attackers will probably be after the client data that the firm holds, and not the firm’s own data, but firms will be attacked nonetheless.
Law firms should take cyber security very seriously. They should take precautions to protect all of the confidential information they maintain, but especially when they must control and review large collections of unreviewed computer files in e-discovery. Data security is not something to be left to amateurs. Maintain control, but outsource possession in these circumstances to the best cyber security professionals you can afford. Use a vendor who can host and provide you with online access in a totally secure manner.
Remember, computer security not only means keeping your information and your client’s information secret and free from prying eyes, but also keeping it safe and unaltered. It is especially important to maintain the authenticity of client data in e-discovery so that it will be admissible in any court proceedings. Important data should always be hashed. Remember the secret U.S. Military’s Cyber Command logo.
Computer security also means easy accessibility to confidential information by the attorneys with a need to know. If you have information but cannot find it, then it is useless. Software must not only protect information from intruders, but allow for search and review. That is especially critical in e-discovery when the smoking guns can easily be lost in plain view, invisible in vast collections of millions of emails, texts, messages, tweets, comments, likes, pokes, etc. Cyber security must include secure hosting and state of the art search and review software. With large complex search projects that means AI-enhanced review – predictive coding. Most simple cases will, however, only need keyword and other simpler methods to make the information accessible. Fears and Loathing (and Pain) in Seattle: a Case Lesson in How NOT to Implement a Litigation Hold and Search for Email – Part Two.
True security demands that law firms have access to the latest software to allow for search and review in a secure environment. Only a few law firms in the world today are willing and able to invest the millions needed for state of the art IT security and review software. This is what it now takes to maintain Confidentiality, Integrity, Availability and Resiliency in cyberspace. For 99% of law firms the best way to attain the cybersecurity they need is to outsource, to use software as a service in encrypted clouds with a high quality vendor.
Security means that you do not just take the lowest cost provider, you take the provider with the high quality security systems that your clients deserve. There is a real cost to doing security properly. Do not be fooled by the something for nothing hucksters. Do real due diligence in your vendor selection. I spent hundreds of hours in diligence investigations just to renew my firm’s preferred vendor relationship with Kroll Ontrack. That included an extensive interview with their PhD in charge of cybersecurity. I would tell you the Dr’s name, but I would probably be violating a NDA if I did. These security spook types are all very paranoid and dedicated. I like that.
As lawyers we all have an ethical duty to protect our client’s data. Be sure any vendor you retain has the necessary security to protect your client and your firm. The liability from any mistakes can be enormous. The average cost now to remediate is running $142 per record.
Even if you do outsource protection of the riskiest data to professionals – to high quality established vendors – a law firm should still also invest in establishing basic cyber liability controls and procedures for its own data. Information security should be a part of every lawyers training. Further, any law firm IT department should have one or more security experts and a well designed security infrastructure. Changing passwords routinely is annoying, but necessary. So too are encrypted portable devices. Law firms should also purchase cyber liability insurance. Malpractice insurance alone is probably inadequate. Certainly any vendor you use should also be so protected.
If I were to add a fourth principle to the CIA Triad, it would be Insure. Singer and Friedman in Cyber Security and Cyberwar estimate that premiums for cyber liability insurance were already up to $1 Billion in 2012. Spread the risk. As insurers become more sophisticated in this new kind of insurance they will gather important information on losses and best practices. They will eventually impose serious audits with discount offerings to help all of us raise our security fitness level.