Heading 1

Legal BlackBook

TM

APRIL 2018
ADD THIS TO YOUR CYBERSECURITY READING LIST
Cisco’s annual report is comprehensive and also accessible to lawyers.
By David Hechler
IN LATE FEBRUARY, Cisco  released its  2018 Annual Cybersecurity Report . It’s the company’s 11th, and it’s undoubtedly required reading for chief information security officers. After all, the people who put out this report aren’t just researchers or bloggers (or newsletter editors). Cisco is intimately involved in building the products and offering the services (including training) designed to help enhance our digital security. It also partners with a network of companies and conducts a benchmarking
  But what about in-house lawyers? Should the 68-page report be required reading for them? Probably not required, but definitely recommended. Given the burgeoning risks, the ever-morphing threats and the host of legal and compliance issues involved in cybersecurity, it’s a good idea for inside lawyers to keep up with developments. And the Cisco report offers an excellent overview. 
  It’s also loaded with detail. And that can be intimidating. Most of us don’t speak tech. Or at least we’re not fluent. But that may actually be an excellent reason to dive in. After all, how do you learn a language? Not all at once. You learn the basics, and then you add words and phrases as you go. If you’re reading this article, you already have a cybersecurity foundation. You know enough to absorb a lot from Cisco’s report, and it may help prepare you for what’s ahead.
  Let’s start with the big picture. One key takeaway is that both the “defenders” and the “attackers” (as they’re called in the report) have come a long way. Cisco’s report is a wide-ranging document that backs up assertions with a wealth of statistics. It studiously avoids hyperbole and even calls out other defenders who have not always been so cautious. 
  For example, the report points out that in May 2017, when the WannaCry attack was first detected, many organizations in both the private and public sectors mistakenly attributed the source to a phishing campaign and malicious email attachments. This proved to be an imprudent rush to judgment, the report said. Wrong information leads organizations to adopt the wrong defensive measures. 
  Sounding like careful—and mature—journalists, Cisco’s team wrote: “Being right is better than being first.” 
  Later, when they’re talking about the attackers, they describe evidence of, if not maturity (which somehow seems like the wrong word), then sophistication. As companies have moved data into the cloud, attackers have found new vulnerabilities, partly due to “the lack of clarity around who exactly is responsible for protecting those environments,” Cisco says. Attackers have managed to conceal their assaults by launching them using legitimate services like Twitter, Google Docs, Dropbox and Hotmail.com. 
  Sounding here like The Wall Street Journal, the report notes: “Attackers benefit from this technique because it allows them to reduce overhead and improve their return on investment.” 
  If the language seems almost respectful, it’s not an aberration. Attackers have clearly upped their game, according to Cisco. Malware attacks have reached “unprecedented levels of sophistication and impact.” And like the cloud, the internet of things (IoT) is an environment left lightly guarded. Supply chains are another such target. Attackers have become adept at recognizing and taking advantage of these weaknesses. 
  Yet another mark of the adversaries’ progress is their use of encryption. It’s not only the defenders who use it to their advantage. Both legitimate and malicious web traffic is often encrypted these days. It’s another way that the attackers conceal their handiwork. And they have also increased their productivity by using automation, machine learning and artificial intelligence.
  The deeper you read, the more evidence you find that each side is fighting fire with fire. AI is used to attack, and AI is used to detect attacks. 
  Toward the end of the report, there are statistics that paint a picture of the volume and types of attacks, the average costs of the damage they do, and the budgetary trends in the departments that struggle to defend against them [see “What the Numbers Say”, below]. Cisco also includes lots of recommendations defenders will want to study.
  It’s not surprising that cybersecurity professionals expect plenty of challenges in the year ahead. Or that companies are having a hard time filling open positions as they try to hire reinforcements. What is surprising, given all of the Sturm und Drang devoted to this topic, is how realistic the leaders of these defense teams seem to be. 
  “Most security leaders said they believe their companies are spending appropriately on security,” Cisco noted near the end of the report. That was probably one of the few passages that would elicit a sigh of relief from their bosses. 
  No, this is not the kind of reading to begin as you try to relax for a comfortable night’s rest. It’s more likely to provoke nightmares. But the upside is that, taken to heart, it may help you avert the waking kind.