Conversations On Cybersecurity: The Trouble With China, Part 1

This article is more than 10 years old.

Guest post by Alan Paller

Alan Paller is director of research for the SANS Institute, a provider of security training and certification.

A few Sundays ago, two visitors from a large law firm in New York came to my home for conversation. The managing partner and IT partner flew to Washington to talk about what they might do in the aftermath of a troubling visit they had had from the FBI.

Here’s how the conversation went (after getting them coffee).

Alan: What exactly did the FBI agents tell you?

Attorneys: They said that our files had been found on a server in another country. The server was used as a way station for sending data to a large Asian country. Off the record they said it was China.

Alan: Did they tell you which files?

Attorneys: They showed us a listing of what they had. It was all our client files.

Alan: What would you like to know?

Attorneys: We understand we cannot get the files back, but we would like to know why they were stolen and how they are likely to be used. And then we hope you’ll tell us how we can stop those attacks in the future.

Alan: The first part is straightforward; the second is very hard. The Chinese People’s Liberation Army runs a very active industrial espionage program because the PLA has the joint mission of ensuring both military and economic security. So when companies from another country attempt to do business with a Chinese company or agency, in an important area of technology, the PLA helps give their side an advantage by stealing data from the other side using the same targeted cyber intrusion techniques they use to steal military secrets. They are after the “play books,” the collection of documents that tell what the company is willing to give up and where they will hold the line. That data gives them an advantage in negotiations. Sometimes, as in the Google case, they just steal the technology they want.

Attorneys: How do you know that?

Alan: Because Jonathan Evans, Director General of the British Security Service (MI-5), sent a private letter to the Managing Directors of the 300 largest companies in the UK telling them that this was happening. (At that time I was unaware that Bear Bryant, the U.S. Counter Intelligence Executive in the Office of the Director of National Intelligence, was going to tell the U.S. the same thing in a press briefing in November.)

Attorneys: That makes sense, but what does that have to do with us?

Alan: What the MI-5 director told the MDs was that their information was as likely to be stolen from their attorneys and international consultants as from their own computers. Most law firms have very weak security, attorneys are often arrogant so they don’t pay attention to security notices and guidelines, and the important files relating to clients’ international activities are usually much easier to find in the law firms’ files than in the corporate files.

So the question is, Do you have any clients doing business in China?

Attorneys: Sh*t.

Alan: So I have a question. What are you planning to tell your clients?

Attorneys: Are you crazy? Can you think of a better way to destroy their trust in us than letting them know we had lost every document they gave us under (attorney-client) privilege?

Alan: So let’s talk about how the attackers find you and how they get in and that may help you in stopping future intrusions.

To be continued in the next installment.