Feed
all
around the bar
February 11, 2013

National Security Experts Discuss Options for ‘Active’ Cyber Defense

Left to right: Emily Frye, principal engineer, The MITRE Corporation; Stewart Baker, former general counsel, National Security Agency; Steven Chabinsky, senior vice president, CrowdStrike; and Harvey Rishikof, chair, ABA Advisory Committee on Law and National Security

Left to right: Emily Frye, principal engineer, The MITRE Corporation; Stewart Baker, former general counsel, National Security Agency; Steven Chabinsky, senior vice president, CrowdStrike; and Harvey Rishikof, chair, ABA Advisory Committee on Law and National Security

If a cybercriminal hacks into your network and steals your files, what legal right do you have to track down the thief and perhaps hack into his network and recover or destroy the files? National security experts discussed the legality of varying degrees of such “active” cyber defense, as opposed to passive efforts to lock down information through conventional cybersecurity measures, during an ABA Midyear Meeting panel discussion Feb. 10 sponsored by the ABA Standing Committee on Law and National Security.

The risk of cyber theft is faced not only by companies with valuable intellectual property and strategy documents, but also by the law firms that service such clients. Panelists agreed that while private-sector cybersecurity is as strong as ever, systems that are designed merely to keep out thieves are bound to be breached by those determined to steal information.

“We have tried to defend our way out of this problem. It has failed,” said Stewart Baker, a partner with Steptoe & Johnson in Washington, D.C., and former general counsel of the National Security Agency.

Related Video: Panelists weigh in on the role of the private sector in the defense against cyber threats

This realization is why some companies are exploring the legality of more active security measures, whose legality are in question and may call for coordination between government and the private sector. As articulated by Stephen Chabinsky, chief risk officer at security firm CrowdStrike, the private sector has the technology and reach, but not the legal authority, to take an active role on cyber defense, whereas the government has the authority but not the technology or reach.

Panelists agreed that such problems point to the value of the ABA Cybersecurity Legal Task Force, created by ABA President Laurel Bellows. The panelists noted that cybercrime raises a host of legal issues that the organized bar must help figure out and address.

Also participating in the program were James McPherson, chair of the ABA Standing Committee on Law and National Security; Harvey Rishikof, chair of the ABA Advisory Committee on Law and National Security; and Emily Frye, principal engineer with the MITRE Corp.

For a podcast of the entire program, click here.