
Cyber Insecurity News

A CYBERSECURITY CLASS GETS REAL
Judith Germano
Students learn to view the issues through the eyes of a company in crisis.
By David Hechler
Sometimes fiction helps give us a handle on the real world. That’s why companies stage so-called tabletop exercises. Simulated cyberattacks present them with opportunities to test both their incident response plans and the preparation and coordination of their response teams.
     But Matthew Waxman and Daniel Charles Richman arranged to have an expert conduct one of these scenarios for a different purpose. They are professors who teach a class on cybersecurity at Columbia Law School. Their students had spent weeks discussing the issues, studying laws and regulations, talking about tort liabilities and government intervention. “What they haven’t seen,” Richman said, “is how it works from the other side.”
     The teachers wanted their students to experience an attack on the receiving end—“from inside a boardroom, from inside a company’s general counsel’s office,” Waxman told the students, just before he turned the lesson over to Judith Germano, the guest he’d invited to lead the class. [See our interview with Waxman for more on him and the class.]
     Germano is a former federal prosecutor who opened her own law firm five years ago to specialize in this area. [See our interview with Germano for more about her work.] On this Tuesday afternoon in October, she’d brought PowerPoint slides designed to introduce the students to a hot new startup that had suddenly landed in a world of trouble.
     The story was entertaining—at times bordering on wacky. But the issues it raised under Germano’s expert guidance were ones that arise in real cases, as Germano knew from her own experience. And the discussion it provoked demonstrated some of the strengths of this technique, even with participants who had no previous training.

The Scenario
The startup was called TeeVeeMee (TVM), and its big product was a cool new app that provided real-time video and audio monitoring through your phone. But that wasn’t the cool part. The best thing about it was that you could purchase anything you saw by saying what it was and then pointing at it with your phone. The app ordered the item, charged the card associated with your account, and delivered it by drone to your current location. High school kids often used it to order lunch.
     Obviously, TVM processed lots of data. It tracked your location through your phone’s GPS. And it also knew the identities of your friends and the locations of other users. And it had all that payment information.
     The company was doing very well, and it was considering an IPO. But since this was a tabletop scenario, you already know that trouble was a paragraph away—and all of that data was bound to be at risk.        
     Bad news arrived via telephone, of course. A security researcher was calling the founder-CEO. Germano paused there to explain that “security researcher” is the term used for hackers who call companies to report vulnerabilities. Some are white hats, some black hats, some gray hats. This one said that she was investigating complaints from privacy advocates that TVM was misusing student data. The researcher said that after she’d found a configuration error in TVM’s cloud backup, she was quickly able to gain access to users’ purchase information, locations and more.
     Then she got to the point. She gave the CEO 48 hours to pay her $2 million in bitcoin. If he didn’t, she’d release information and live feeds from 100 of TVM’s users each day he failed to pay. To show the CEO that this wasn’t just talk, she sent him a short video she’d recorded using the app. It featured the CEO’s own son using illegal controlled substances. If the CEO contacted law enforcement, the researcher said, she would release the video.
     Germano pressed the remote and moved to the next slide. “What should TVM’s founder do?” The slide suggested three options: Contact law enforcement. Find someone to investigate and fix the glitch. Or pay up.

First Steps
“What do you guys think?” Germano asked. “Do you go to law enforcement or not for this?”
     Several students thought not. Too many unknowns. The founder should seek more information before doing something like that. They had different ideas about where he should turn. He needed to talk to his company’s security officer, said one student. He should talk to the company’s lawyer, said another, and its board. Several students thought that he needed to learn more about the researcher, and what she really knew.
     He should disable the app on his phone, one student suggested, provoking laughter. But Germano saw the student’s point. The founder needed privacy himself under these circumstances.
     Another student jumped in. “This might be really ill-advised,” Kevin Zhen began, “but you could hire the researcher” and fire the security team that failed to detect the breach. “That might be bad from a certain point of view,” he continued, amid scattered laughter, “but I see no reason to trust my old security team when this woman has obviously proven to be better.”
     “From a PR standpoint,” Matthew Zellner observed, “I’d consider having the CEO recuse himself or herself from some of the decision-making processes, because no matter what happens, it’s going to be bad. And if you have a CEO who has a personal stake with their child involved, I don’t think they’re in the best position to make a decision.” 

Homing In
After the students’ wide-ranging comments—largely in response to Germano’s questions—the discussion got down to basics.
     Was there proof that the researcher had access to all the data she’d claimed to have? Jennifer Howes suggested checking. Then, almost casually, she mentioned that perhaps it was time to dig out TVM’s incident response plan, assuming they had one, and begin following it.
     “So you think it’s time to roll out the incident response plan?” said Germano, sounding pleased that they’d finally checked this box.
     Returning to the possibility that the CEO would need to recuse himself, Noah Schwartz suggested that it was now imperative to contact the board. To which Erica Davis added: “I think my first call would be to counsel.”  
     “Smart,” Germano said. “Would you call in-house counsel, outside counsel, both?”
     “In-house counsel first.”  
     “Why would you do that?”
     “If this does trigger a data breach notification,” Davis said, “your counsel’s going to know. That’s going to inform whether you need to contact outside counsel, and your understanding of whether law enforcement should be brought in.”

Day Two
The next day brought big developments. The CEO had plotted the company’s course. First he directed his security team to fix the vulnerability that the researcher had identified. He wired her $2 million from his wife’s private bitcoin wallet, and the researcher assured him that she’d destroyed all the data she’d accessed. Finally, he decided he didn’t need to report any of this, because the problem was “contained.”
     After reading them the script, Germano looked out at the class. “Can we just rest easy?” she asked.
     Apparently not.
     “I don’t know why we’re necessarily totally trusting this researcher that she destroyed all the data,” said Samantha Briggs. “So I think, at the very least, there have to be ongoing efforts to try and monitor what this researcher is doing, to make sure there are no further vulnerabilities.”
     She wasn’t the only one who had these concerns. “Nothing’s stopping the researcher from coming back and asking for more money,” said David Melgaard Knobel.  
     His classmates also had other concerns. “I don’t like not reporting the incident,” said Schwartz, “because these things get out eventually. I’d rather be in the place of being ahead of it and saying, ‘This is what happened, and we’ve taken these steps to control it going forward.’ ”
     “So who would you report it to?” Germano asked.
     “I was just thinking publicly,” Schwartz said.
     But Howes wondered whether a data breach notification law had already been triggered (which Germano thought was likely), even if the flaw had been fixed. And David Alpert argued that it would be best to contact law enforcement before making public announcements, if only for the PR benefit of being able to say, “We’re already cooperating with the FBI.”
     “Excellent point,” said Germano, who added that there were many reasons to contact law enforcement: “in terms of the insight that they may have, the broader perspective of whether this is happening to others. And you exactly hit it: It also gives you some cover. Particularly because you may not have all the answers.”
     Besides, Germano added, the Federal Trade Commission said several years ago that it would take into consideration a company’s cooperation with law enforcement as a demonstration that it was doing all that it could to mitigate harm.

The Plot Thickens
Day three brought a series of glitches. Drones were suddenly misdelivering purchases, and hovering over delivery sites rather than returning to their charging docks. And the new customer service manager couldn’t fix the problems.
     Furthermore, at this critical juncture, TVM’s board was far away at an executive retreat in Antigua, and a hurricane there had made communicating with them impossible.
     “A lot of time in tabletop scenarios,” Germano explained, “certain key decision makers will be unavailable, hiking through the jungle or on an airplane without Wi-Fi. Escalation is a tricky issue. When do you escalate? To whom do you escalate? What’s the redundancy? The chief information security officer tells the general counsel, who reports to the board. But what if the general counsel is cycling and out of cell service range? Does it stop there? Or does the CISO have the authority to go to the chief financial officer? So you need to know: What’s the chain of command, and what’s the flexibility?”
     When Germano returned to the slides, the story only got worse. More and more customer service complaints had come in. TVM’s chat room had frozen, and its website had stopped functioning. After investigating, a security technician thought it might be under attack.
     Should this be reported? If so, to whom?
     The students were unanimous. Report, report, report. To your boss. To almost anyone, it seemed. One suggested the general counsel. “Yes!” said Germano, laughing. “Call the lawyer!”
     Erica Davis pointed out that the missing communications link in this mess was between the company and its customers. If the website was down, the company needed to tell them that it was aware of and working to fix the problem. In this case, the message would need to be communicated through the app. “Or Twitter,” suggested her classmate.
     “Do you go to Twitter?” Germano wondered. “Or am I unduly escalating a problem that I’m hoping I can just contain? There’s this balance. In a security incident, you want to get ahead of the problem. You want to help direct the story. You want to show you care. But if you get too far in front of the story, are you making news? Are you making bad news that doesn’t need to be made?”

An Unexpected Visit
It was then that the FBI paid a call. “Sometimes companies learn about a hack or an attack when there’s a visit from law enforcement,” Germano noted. In this case, the company knew that it had a problem, but it didn’t know the extent. Yet.
     The FBI was visiting because there had been many complaints about those hovering drones. After talking with the company’s chief information security officer, the agency investigated further and discovered that TVM’s network had been penetrated as a result of a variety of attacks independent of those of the researcher. And they’d been going on for months.
     The agency asked permission to install monitoring software to observe the malicious traffic. “Do you let the bureau in?” Germano asked.
     “It depends on the talent you have at the company,” said Briggs. “It depends on if you have outside people that you’ve worked with before and trust. And what their talent is. It depends on how much money you have to pay those people.”
     “Those are great considerations,” Germano said.
     “I think it also depends on your evaluation of what the downside risk is,” said Taylor Kelson. “If this turns out to be as bad as it could possibly be, and you refuse to cooperate with the FBI when they offer their assistance, that’s making a bad situation even worse.”
      At this point in the scenario, it was time for crisis management. Maybe past time. Germano’s preference was to bring in an outside firm and let it hire external forensic and PR teams. This would allow the firm to converse with the consultants under the protection of attorney-client privilege.
      “And don’t forget all of your employees,” she added. They need to know what’s going on, too. Internal communications are essential. If there are going to be public announcements, the board needs to be brought into the conversation. So do investors. “And you have to call regulators.”
     One more question loomed: “Who within the organization makes those calls?”
     This is the kind of issue that requires advance planning. As do so many of these details. Often the general counsel will decide when it’s time to call the board, and what to say to them, Germano noted. But in some companies the CFO wants that prerogative. And you don’t want to discover this kind of conflict in the throes of a crisis. Which is, of course, one of the points of tabletop exercises.
     “You have to kind of work that stuff out,” Germano emphasized. “Hopefully in a practice scenario. Before it’s real-time, hitting the fan.”