Why is cyber incident response so bad? Blame the lawyers…
"The trajectory of the law is doing a disservice to cybersecurity."
Lawyers frequently hobble cyber incident response in the US, preventing investigators from writing reports, offering advice, or passing any judgment on a firm’s security practices, because of an obsession with confidentiality, according to a new paper.
Researchers interviewed lawyers and incident response professionals, whose responses painted a “stark picture” of deliberate restriction of investigations, artificial legal barriers, and deliberately poor communication of findings or risks. And even when reports are written, investigators are often told to avoid “gratuitous language like ‘these are the best practices in information security.’”
“Confidentiality concerns dramatically impact each stage of cybersecurity preparation and incident response. In many cases, moreover, these concerns significantly undermine the capacity of firms to learn from and prevent future cyberattacks,” said the paper, available at SSRN, by Daniel Schwarcz, law professor at the University of Minnesota, Josephine Wolff, cybersecurity policy professor at The Fletcher School, and Dr Daniel Woods, lecturer in cybersecurity at the University of Edinburgh.
“As one interviewee succinctly put it, ‘[t]he trajectory of the law is doing a disservice to cybersecurity.’”
(While the paper is focused on the legal situation in the US, Woods told The Stack there are “a set of lawyers trying to import the US ‘breach coach’ model” – but breach litigation is less important in the UK, and so the extreme approach outlined in the paper is much less prevalent.)
The main issue is the risk of cyber incident response documents not being legally privileged, and therefore being subject to discovery in the event of a lawsuit by people affected by a breach – such as users whose data was stolen. Legal concerns about discovery grew significantly after the 2019 Capital One data breach; Capital One retained a law firm, which in turn retained Mandiant, with the aim of keeping Mandiant’s work privileged, as they worked for the law firm, not the bank.
However, only work done either in anticipation of, or response to, a lawsuit is privileged – and in 2020 a court ruled Mandiant’s work on the incident was done for business, not legal, reasons. This was partly because Mandiant’s findings were not only shared with Capital One’s board and senior officers, but with its IT department as well – for which there was no legal justification (only a business one).
“The Capital One case, we find, marked a significant turning point in how confidently lawyers and breached organizations viewed the confidentiality protections that they could provide for incident-response investigations that they spearheaded,” wrote the paper’s authors.
As a result, lawyers turned to “even more aggressive strategies” to keep incident response findings confidential – which, in many cases, boils down to not documenting them at all.
“Every one of the twenty-one lawyers we interviewed said they did not always encourage forensic firms to produce a final, written report detailing the findings of their breach investigations. And about half of the lawyers we interviewed indicated that their standard practice was to direct the forensic firm not to author such a report,” wrote the authors.
“Lawyers that centered their practice on breach-response and received a significant amount of their work from insurers were particularly likely to insist that forensic firms should typically not produce any final written report.”
Investigators said the same thing, with one telling the authors that lawyers asked for a formal report in fewer than 5% of cases “because in such a report we would have to document all the screw ups.” And even when reports are commissioned, the lawyers spend a lot of time “shaping” the report and insisting it only contains “factual information” – sometimes with instructions such as “no adjectives, no adverbs”.
In a footnote, the authors wrote: “A former investigator recalled an investigation that involved ‘two or three days going back and forth with the lawyers about specific wording in the report where they didn’t want me to say that a specific server was vulnerable.’ What some law firms viewed as ‘editorializing,’ in other words, seemed to forensic investigators to be plain statements of the facts around vulnerabilities in a system.”
Another footnote added: “According to one lawyer, ‘there are times when the findings are just so bad that you don’t want to reduce that to writing.’”
Some law firms ask cyber incident response teams to produce a report, which the lawyers in turn rewrite for their client. This was mostly done with the aim of retaining attorney-client privilege over the document – but the authors noted one lawyer justified the practice as necessary to “make otherwise ‘incomprehensible’ forensic reports understandable.”
“Forensic investigators noted that lawyers often made errors in communicating security recommendations to clients or else failed to fully communicate these recommendations, likening the process to a game of ‘telephone’,” wrote the authors.
They said forensic experts were concerned about the consequences of not producing reports, suggesting this would make the immediate incident response less effective, or limit the ability of a forensic team to do its job.
“For instance, the lack of a final report could limit accountability for deficiencies in the investigative process, inhibit efforts to reconcile potentially conflicting information discovered in the investigative process, and allow gaps in the investigative process to go unnoticed.”
Unfortunately, this appears to be exactly what some lawyers want – because of fears around the consequences of these findings ever emerging.
“One lawyer said: ‘A lot of times the incident response providers will say “we’ve got nine ideas for remediation” and we’ll say, “that’s great but don’t put those in the report.” What we really don’t want is a written report that says do these nine things and the client only does three of them and then there’s another incident later on that would have been stopped by one of those things they didn’t do,’” noted the authors in a footnote.
“Another lawyer explained, ‘when I become concerned is when the forensics team is producing a paper trail. Because then plaintiff can say, “your outside expert said you should do this, and you didn’t so you were negligent.” So I don’t want that in writing.’”
The paper, which is very much worth reading in full, also offers some suggestions on how to improve the situation, ranging from extending privilege to cover some cybersecurity work to requirements that forensic evidence be collected and shared.
“All of the lawyers, forensic investigators, and insurers we spoke to acknowledged that concerns about attorney-client privilege and confidentiality affected their work on cybersecurity incidents in ways that spanned the short-term immediate response to such incidents, the ex-ante preparation for them, and the longer-term collection of robust data sets and knowledge about online threats and effective countermeasures,” wrote the authors in their conclusion.