Feeds

Hacked? Call a lawyer

Feds urge security pros to call in shysters

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Network administrators tasked with investigating cyber attacks on corporate networks should consider adding a potentially strange and unfamiliar tool to their defensive arsenals: the phone number of the company lawyer.

At least, that was the consensus of a panel of current and former law enforcement attorneys and corporate security heads speaking at the 2001 BNA Cybersecurity and Privacy Forum in Washington Wednesday.

"When we deal with some organizations, such as local law enforcement, we've got to make sure we have good legal advice," said Howard Schmidt, head of Microsoft's security department.

At issue: when investigating a hack attack, security professionals collect and handle evidence that may eventually become Exhibit A in a criminal case. But unlike FBI agents, computer geeks don't have the benefit of a trained federal prosecutor at each elbow, guiding them through the thicket of evidentiary law that, in theory, stands between a cyber attack and a successful prosecution.

Enter a new type of corporate in-house counsel: lawyers who help companies deal with the legal side of cyber security, an emerging niche that's particularly well suited for former prosecutors entering the private sector.

"It is a specialty, like contracts law, or deal law or real estate law," said America Online assistant general counsel Christopher Bubb, who until last month was a New Jersey cybercrime prosecutor. "It's a certain skill set and a knowledge set that's needed to participate in these investigations... It's not something that you learn in law school."

As a deputy district attorney, Bubb participated in the 1999 Melissa virus investigation that eventually identified New Jersey programmer David Smith as the author of the malicious code.That case, said Bubb, hinged on information gathered by AOL's security department, with the careful guidance of the company's legal team. "There's no dichotomy" at AOL, said Bubb. "[Lawyers are] allowed in on the decision making at the front end."

But will hands-on computer security experts pause in their pursuit of an intruder to bring company attorneys into the loop? Christopher Painter, deputy chief of the Justice Department's computer crime section, cited a recent, unscientific survey conducted by the Computer Security Institute (CSI) and the San Francisco office of the FBI, in which only 30 per cent of respondents who suffered cyber attacks said they reported the incident to company lawyers.

"System operators don't think about that," said Painter, an attorney himself. "That's not their concern."

© 2001 SecurityFocus.com, all rights reserved.

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.