Caveat 4.4.24
Ep 212 | 4.4.24

The ins and outs of being a good cyber lawyer.

Transcript

Dave Bittner: Hello, everyone, and welcome to "Caveat," N2K CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner and joining me is my co-host, Ben Yelin, from the University of Maryland Center for Health and Homeland Security. Hey, Ben.

Ben Yelin: Hello, Dave.

Dave Bittner: On today's show, Ben and I are joined once again by our frequent special guest, Caleb Barlow. He is CEO of Cyberbit. We're going to be exploring what exactly makes a good lawyer. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. [music] All right, well, let's jump into things here and start off by welcoming our special guest, Caleb Barlow. Welcome back.

Caleb Barlow: Oh, hey, guys. It's always fun to join you on "Caveat." So thrilled to be here.

Dave Bittner: Yeah, we're happy to have you. So, we are going to start off here with a very interesting and I would say open-ended topic here. Caleb, why don't you lead us in here and give us a little- maybe a little insight as to what led to this question you're going to face us with here today.

Caleb Barlow: Well, you know, I think one of the things we're finding as the cybersecurity profession grows, you know, if we wind back like five years, when you get into, let's say, a major incident, you know, you have the incident responders show up, the lawyers show up and you kind of get in the proverbial of "let's say nothing, do nothing and hope this goes away." And we've all seen many instances of that not ending well. I mean, I think the favorite lawyerly advice five years ago, no matter what happened, was "this was the result of a sophisticated nation state actor."

Dave Bittner: Right, right.

Caleb Barlow: And there was no avoiding- it didn't matter the fact that we had no multi-factor authentication, the passwords had not been updated because it must have been a sophisticated nation state actor. Well, that's not the case anymore. Right? I think now we have some very sophisticated legal counsel in the cybersecurity incidents that understands not only the legal implications, but also the business implications. And, you know, one of the things that we've talked many times about on the "CyberWire Daily," Dave, is you know, the impact of crisis communications in this and that words matter. And it's not just words matter in terms of their legal implications, but you cannot be tone deaf in the middle of a cybersecurity incident where your customers, your partners may be impacted. So, what I wanted to talk a little bit about is, you know, what makes a good cybersecurity lawyer, because I think- and I'm very curious of, you know, kind of your gentlemen's opinions on this. I think that's becoming a bit of a nuanced profession. And there are some really good ones out there and there are some really aspiring ones that aren't so hot.

Ben Yelin: That's a nice way of saying it.

Caleb Barlow: Yes, yes. And being that you're in the business of educating lawyers, I thought you might have a very interesting set of opinions on this.

Ben Yelin: Yeah, I do. So, we have this certificate program at our law school for cybersecurity and crisis management. And one of the goals is that it is really an interdisciplinary domain. We have our students, they have the option of taking a one-week crash course in the technological issues around cybersecurity. So, that's the first step is that I feel like there's this bifurcation between people who have technical knowledge and people who know the law. And I think especially over the past 10 years or so we've seen an integration where our cyber lawyers might not be subject matter experts, but they are certainly far more well versed in the technical issues than they used to be. And then, yeah, I mean, I think there's a reason why our certificate program, cybersecurity, is coupled with crisis management. I think it requires those same types of skills that you're referring to, whether it's communications skills, being able to think on your feet. The type of negotiating that you would previously only see in very complex litigation, now you're seeing with, say, ransomware suspects. So, I think you're really on to something here that the profession is changing. I also think that the people who have jobs as cyber lawyers are now stationed at very distinct types of institutions in a way they weren't a decade ago. So, you have in-house counsel who are experts in cybersecurity at Fortune 500 companies, that's not as new, but you have subject matter experts in cybersecurity who are attorneys at government agencies. So, our tentacles in the cyber lawyer field are starting to spread into places that they had not previously existed.

Dave Bittner: I'm imagining a big- you know, a big-time, big city law firm in the same way that they would have their real estate person, they would have their- your medical par- lawyers with particular specialties, would they have an office where that's where the cyber lawyer lived? Right? And did it come to private- was it in the private sector first?

Ben Yelin: Yeah, I think it was. But we're seeing just in- you know, the biggest and best companies know that they have to have some cyber expertise with an in-house counsel because it's also a very specialized field. So, you can't bring over the real estate guy and be like, "Hey, you come handle this cyber issue." I think what you're getting at, Caleb, is that it's a whole different job entirely. I mean, I think it's like we need to create a brand-new category because it's not exactly just a cyber lawyer, it's like a cyber specialist who happens to have a law degree.

Caleb Barlow: Well, I think it's a different motion, too. Like, you know, one of the things I think is so intriguing about your program, and I honestly didn't know this till you just said it, I want to go kind of dig into it more, is the fact that you're combining law with communications. I mean, if we- you know, if we think of kind of the historical approach to any type of risk, right, the answer usually from a lawyer is "say as little as possible." Right? And the- and even in the early days of cybersecurity incidents, probably the best example of getting this really, really bad was of course the Equifax case study. In fact, there's even a Harvard, you know, Business School case study on how bad this went. Which, honestly, largely were less legal issues, there were a few legal issues in there, but mostly communications. I think what's also astounding is that the reaction of customers, partners, even governments in general can be dramatically impacted by how a company positions an incident. You know, the minute that people see a cover up, they see a lack of transparency, they start to double-click, you know, the regulators start to come out. So, I'm very curious of your thoughts on this because, at least in my opinion and I'm obviously not a lawyer for a whole lot of reasons, but like-

Ben Yelin: You made some good choices back in the day.

Caleb Barlow: Well, I try to think so.

Ben Yelin: Let's put it that way.

Caleb Barlow: I try to think so. Insert your favorite lawyer joke here. But, you know, the normal kind of focus of a lawyer is say the facts, say as little as possible and get out of the situation. Now, I think somewhere between that and admitting to everything, there's a lot of room where a crisis communication specialist steps in and can really start to lay out a framework of how do you start to dialogue with clients when you don't know everything that's going on, when the situation you're in might change. So, I'm very curious if you're thinking of like- do you see lawyers starting to get more into that space or do you think this is more about them also recognizing that there's a crisis communications element to this that's another specialty that needs to be at the table?

Ben Yelin: Yeah, I mean, I think it depends on the business, agency, organization. Some of them are going to have public information officers who will speak on behalf of the business or the organization no matter who's doing the lawfare. Right? But for smaller organizations, it might be the cyber person who has to play a role in communications. And even for larger organizations, the PIO's going to be relying on somebody with cybersecurity expertise for messaging. I think it also comes down in some cases to the CEO or C-suite that maybe needs to be informed by these individuals on different paths.

Caleb Barlow: You know, I've done a lot of work in my career with crisis communication specialists that specialize in cyber. And one of them in particular has this- it's literally a physical binder they carry around with them of research of every breach, what was said, did it work, did it not work, what was the situation surrounding it. And it's amazing because, you know, these thing- history repeats itself. So, you can kind of look at a situation and go, "Okay, what's the best approach to this?" And I'll give you an example. I'm curious of your thoughts of this because I think this- so, take the case of Maersk when they were impacted by NotPetya. Now, Maersk [inaudible 00:09:20] world's largest global shipper taken completely out. You know, their whole IT infrastructure gone. And everything I'm saying here, by the way, is public information. Their CEO historically has been, you know, very out there about what they did and how they did it. What was most amazing from a case study perspective was the communications that came out of Maersk within about 20 minutes of them realizing the extent of the problem and that their entire IT environment was basically gone forever. Their CEO, via WhatsApp because it was the only thing working at the time, you know, phones are down, everything's down, sends out a message that, you know, I kind of view this as a commander's intent type of message, "Do what is right by the customer. Do not wait for headquarters. We will accept all costs." Now, that is- from my perspective, from a leadership perspective, that's putting your cojones on the table in a big way. And I've got to imagine most lawyers would look at a statement like that and go, "Oh, no."

Ben Yelin: Yep.

Caleb Barlow: "What did you just do?" But the reality of what happened in that situation, which is so amazing, they had customers and partners coming to them like it was they heard of a relative that just came down with a horrible health care diagnosis. How can we help? We're on the way. What do you need? I mean, their credibility grew out of this incident versus declined. And I'm curious of your thoughts. Like how do you parse that with what you would normally think a lawyer would do in a situation like that?

Ben Yelin: Yeah, I mean, I think part of it is what you say is striking that balance. And the balance and the balance has to do with expectations. So, I think 10 years ago, you could have gotten away with a sort of "No comment." You know, "We're engaging in a preliminary investigation. We were hit by a nation state actor. What are you going to do?" I think that was acceptable 10 years ago because we didn't know better. Now we know better. And I think every organization should expect and their- the public-facing portion of that organization should expect that you're going to get attacked. You know, there- certainly the whens and the hows vary by situation, but it's going to happen. And the public that relies on you, if you're a public agency, that's your constituents; if you're a company, it's your customers, it's your clients, they are- they have greater expectations for how you handle something like this. Not to mention things like regulatory requirements. There are now, based on federal guidelines, reporting requirements. Well, there's only like 52 different breach disclosure laws in the U.S.

Caleb Barlow: Yes, yes. Exactly.

Ben Yelin: I mean, not for nothing.

Caleb Barlow: Yeah. I mean, we need, you know, 10 lawyers just to figure out all 52 of those breach notification laws.

Caleb Barlow: But isn't that part of the issue? Right? Like, I mean, one of the things I tell people all the time, I'm like, "You better bring in expertise for this because all it takes is one of those regulatory agencies to you- to go sideways with what you're doing." Many of them have subpoena power. And now you have lost control of the dialogue. And, more importantly, you've lost control of the response. So, is it a huge part of that lawyer's responsibility along with kind of the communications first and to figure out like how do I make sure I inoculate a lot of this. And a lot of them are really simple. You just need to let us know that you've got something going on within a specified period of time. Like- and it's amazing to me how many people don't do that.

Ben Yelin: Yeah, I mean, largely because they're just not aware of breach notification laws, which is understandable. I mean, as you say, there's 52 of them. And, especially for smaller organizations, it's a relatively new concept. But, yeah, I mean that's another part of the job. You have to be aware of not only suffering regulatory penalties, but also things like reputational damage, getting humiliated because you not only suffered an incident, but also failed to comply with the reporting requirements. [music]

Dave Bittner: Where do you guys come down on the notion that there is automatically a tension between the legal folks and the crisis communication folks? Is that true?

Ben Yelin: Oh, hell yes.

Caleb Barlow: Yeah. But I think it's healthy. Right? Like if you're building a company and you're developing like a software product, like a common thing is you separate the product managers from the developers in terms of where people report because you want a natural tension. I think I want a natural tension. I want to hear from a set of people that are solely focused on what is important to maintain my brand and my relationship with my clients and partners. And then I also want to hear from another voice that says, "Here's where you could go sideways with this," because I think that there's a lot of gray space between those two extremes. And that's where you operate and that's where you communicate with your clients and with the field. You want to make sure that you're talking, but you want to make sure you're not hitting any trip wires. And I think only through that tension do you get that. Which is-

Dave Bittner: What do you mean by going sideways?

Caleb Barlow: Well, which means why I like-

Dave Bittner: Give me an example.

Caleb Barlow: Them being two separate groups.

Dave Bittner: Well, give me an example of what would constitute going sideways as you describe it?

Caleb Barlow: Oh, a very common scenario would be, okay, let's say you've had an outage, it's cybersecurity related. You've got a CEO that, you know, is, "Hey, I'm going to be transparent" and steps up to the microphone and says to people, "Hey, we had an outage. It was a cybersecurity incident. It's totally contained. No data was lost. You've got nothing to worry about," because they're at the day one of their investigation. And that's what it- that's what they think it is right now.

Dave Bittner: Okay.

Caleb Barlow: Day three, it doesn't look like that. Day three, they realize they're owned by a foreign government, everything has been exfiltrated and it isn't going to end well. Like the lawyer and the crisis communicator are going to help you navigate that in a very different way. Like a more reasonable approach to that would be that we've seen the news reports, we recognize that we have an issue, we have spun up our crisis communications team, our lawyers, our incident response team. More information will be coming. Here's what we know right now. More to come.

Ben Yelin: I kind of think of it like how I've been instructed throughout my life by my parents of what to say if you've gotten in a car accident, because I think our natural instinct as human beings- and maybe this is getting a little too meta for this conversation, but our natural-

Caleb Barlow: I'm kind of curious what your parents told you on this one, by the way. Let's go.

Ben Yelin: Not to say anything. I mean, don't say anything that- what they told me is don't say anything that could indicate that you're at fault, right, because anything that you say can and will be used against you in a court of law or in an insurance proceeding. You know, if they ask you if you're okay, that might seem like a very nice low-key question, but simply by saying "yes," that could cut against you if, you know, three days later, you have a back injury and you want the other driver's insurance company to pay for it. So, I do think there is that good tension there because as human beings I think our natural instinct is to want to inform other people, especially when there have been victims. I think that's how crisis communicators and public information officers have been trained. So, you have to have the pesky lawyers in the room saying, "I understand that, but in order to protect us against unwanted liability that could further cripple our organization, you have to be very careful about what you say lest it used- be used against you in a negligence proceeding at some point."

Caleb Barlow: Well, you know, you also have to be very conscious of what do you know as fact, what do you suspect is fact, but you can't prove and- because that changes over the course of an incident. Right? So, let me pivot the conversation a bit here. You know, a lot of kind of cybersecurity companies listen to this podcast. And, you know, a lot of them are in the business of collecting intelligence information, collecting data. One of the other new cases we see a lot is a situation where there is no case law. So, let me give you an example. And I'm curious like how a modern cyber lawyer approaches this. So, let's say you've found some amazing intelligence because the bad guys have maybe infiltrated your infrastructure. Do you turn it off or do you let it keep going and watch it? And, you know, there are companies that are doing very interesting work here where they're allowing bad guys to maybe use their infrastructure or stay inside of a company so they can learn more about what they're doing and where they're going and trying to stop the next attack. And these are really tough situations because there's not a lot of case law for this, there's all kinds of things that could go dramatically wrong, but there's also all kinds of information that can make things go dramatically right. How does a modern cyber lawyer navigate those risks and how do you train them to really think outside the box in a place where there is no runbook?

Ben Yelin: Yeah, I mean, I really think you have to balance some important competing values there. And I don't think there is a singular right answer. I mean, I know this feels like a cop out, but it depends on the size of the- or the degree of the infiltration, the size of the company.

Caleb Barlow: I think that's a total cop out. Dave, what do you think?

Dave Bittner: That's what Ben does best.

Caleb Barlow: Yeah. No, that's what lawyers do best. Right? Let's try and narrow the focus to an area-

Caleb Barlow: But let's put you in that situation. Right? So, let's say you're the lawyer for a- you know, one of these cybersecurity companies like, "Hey, Ben, we have got the best data we are getting out of this. Like we are passing that off to the FBI. They are making an amazing impact with that." Like there's a bunch of trip wires. So, you're passing information to government, you're running infrastructure for bad guys. Like- now, there's no good answer to that. Right? But how do you, as an educator of lawyers, train people? What information do you need to make that decision? How do you train people to think outside the box in different ways in that kind of situation versus, you know, it doesn't matter what the answer is, I'm curious like what's the lawyer we need to walk in the room that has the cape to figure that out?

Ben Yelin: I mean, even though there's no precedent in this particular area, I think you look at other similar negligence cases where they're analyzing what a reasonable person would have done in that situation. So, any action that a cyber lawyer takes that's judged against what a reasonable person would have done in similar circumstances that might jeopardize that comparison, I think that's going to be what's dangerous. It ends up being kind of circular because you're judged against your peers. Right? I mean, we're all going through this together. So, in order to figure out, you know, what a similarly situated person would have done in a case like this, you're going to have to go through the discovery and figure out what everybody else in the industry is doing. So, somebody has to determine first like what the best practice is here. And that's where I think federal guidelines could be very useful. And it could be great evidence in a future proceeding that you were going by the book, that you were following CISA guidelines on network monitoring and endpoint detection, that sort of thing, you were using multi-factor authentication.
And when somebody infiltrated your network, you were complying with protocols in terms of reporting to the FBI during this time period. I mean, the greater you can rely on written federal guidelines, that's going to be the best evidence you have in a future proceeding. So, that's how I would look at it. I don't think there is any right answer per se to this question. But-

Dave Bittner: I mean, Caleb, don't you think that this is a situation where this- let's say this is an in-house attorney, right, that they're communicating with their leadership and measuring their appetite for risk. Isn't this ultimately a risk assessment?

Caleb Barlow: I think it's a combination of risk assessment, but I think the best cyber lawyers, and I've seen some people do this, also look at this and say, "Okay, let's start with what is the outcome you're after." So, let's say the outcome we're after in this case might be that we come up with a way to continue to watch the bad guys and what they're doing because that can help stop future attacks against our company or our peers. Right? Let's just say that's our objective. Then I think you start to wind into how do I do that. Right? So, what does that mean I need? Well, first of all, I need a relationship with government. I need more than just like what's in the statute, but like do I know anybody, do I know FBI agents, do I know U.S. attorneys where I can explain to them what we're up to and, frankly, bring them into the fold on this. I think- and the good news is like where those relationships occur, you know, when you see these massive government takedowns, like you always notice at the bottom that there's always like the last line, you know, "this was processed by," you know, "Europol, FBI, U.S. Attorney's Office and our partners."

Dave Bittner: Right.

Caleb Barlow: "And our partners" is a tip off to really good, amazing lawyers doing really hard work because it's always data that came from some company or some cybersecurity company that leaned in to do the things that nobody else dared to do and obviously didn't want to talk about them. Right? So, I think the other aspect of this, and I think this becomes more and more often the case in- with cybersecurity companies, is how do you move this information around in a way that it doesn't track back to your company in a defendant's subpoena when the government finally does do this and finally arrests somebody and gets the indictment. Like the worst-case scenario is somebody figures out what you're doing. Not that you're doing anything bad, but that no company wants to be seen as passing information off to the feds. Right? So, how do you do this? And I think that's where we really see some amazing legal work going on in this industry that doesn't often get talked about is figuring out how to process through that.

Dave Bittner: Before we wrap up here, I want to swing back around to what we were talking about with the whole notion of crisis communications and the intersection of the legal team and the communications team. A couple years ago, I was asked to be part of a- kind of like a round table group of folks who were- we were talking to a bunch of CISOs. It was kind of one of these, you know, small gatherings of folks where you can get together and talk and nobody's recording anything, nobody's writing anything down. It's just, you know, we're going to talk to each other and this is going to be the real conversation. So, it was one of those kinds of things. And me and a couple of other journalists were brought in to provide our perspective on exactly the kind of thing we're talking about here today. And I tried to make the point, and I'm guessing that the two of you are going to roll your eyes and say "this is quaint," that telling the truth is the best thing to do, that ultimately the truth is going to come out. So- and the truth might be that we don't have an answer right now. Right? You're getting up in front of- telling- talking to the press, sharing, you know, the information that you have that is true, including that this is a developing situation, this is what we know so far, it's surely going to change over time, but I'm sharing with you what I know. As long as you're doing that in good faith and not lying, I think you're much more likely to have better outcomes than if you come at it from a different point of view. And where I have trouble is the notion that your legal team is there to minimize your exposure and sometimes that involves blurring the truth. Maybe you were liable, but it's your lawyers' job to make you seem to minimize that liability, whether or not that's true. Am I being quaint and adorable here or is there anything to what I'm saying?

Caleb Barlow: Well, I think you might be adorable for other reasons, Dave. But I don't think you are on this topic.

Dave Bittner: Fair enough.

Caleb Barlow: No, but I think you're hitting a very serious point. Now, here's the one nuance I would add to that. Right? So, you know, is the truth going to come out? Yes. And let's also not forget that we are starting to see more and more cybersecurity legislation that includes various whistleblower provisions. Right? And there's a bunch already on the books. So, flat out lying or hiding the truth is very likely going to end up- you up in a very bad position. And we've- you know, we've even seen CISOs recently brought up on criminal charges. Right?

Dave Bittner: Right.

Caleb Barlow: So- because that's fraud, because that's exactly right. Now, I want to get into one of the nuances that you said that I think is so unbelievably important. There's a difference between telling the truth and telling what you know is fact versus what you know from your bias. And I think that's where people go wrong. Right? And I think this is where lawyers can really provide an incredible help. So, what inevitably happens in an incident, you get to the point where you're like, "Oh, well, we think A happened." "Well, how do you know A happened?" "Oh, well, we know A happened because it's in the logs and there's clear evidence that A happened." "Okay, great. Talk about it. How do you know A happened?" "Well, because that was what this looks like." "Okay. So, you don't know squat." Right? And I think this is something we have to train leaders and we have to train lawyers to really ask. One of the best tools I have used in an incident response is what I call a dual-factor verification team. So, this fact comes up, like it was these bad guys or it was this that happened. Send out two teams. One team go out and prove this is true. One team go out and prove this is wrong. You give them, you know, X amount of time and they come back. That is an amazing exercise because what has happened to me on more than one occasion is all my own bias has been proven wrong or been proven speculative enough that I don't feel comfortable saying that is a fact. And I think that's the nuance that you just highlighted that is so critical on this, that kind of these really good lawyers get underneath and understand is do you actually know that or you just suspect that.

Dave Bittner: Well, I think part of the point that I was trying to make, you know, I'm thinking back to this conference, was that you're going to have a lot more credibility with the press, with the regulators, with the- all the people who are important in this journey if you're being straight with them. And sometimes being straight with them is saying to them, "Look, I don't know," or "I don't have the answer to that, but I will do my best to find an answer to that," or, you know, "We don't know yet. But this is what we think now. But let me just remind you all that this is a rapidly evolving situation." Because people's BS detectors are finely tuned. Right? And, so, it's just my sense that if you're straight with people from the get go, that's going to lead to a better outcome. They're going to be more forgiving of you as you present to them an evolving narrative.

Caleb Barlow: Well, here's a good example of this. Right? So, prior to Newtown- if we're looking at like school shootings as a- you know, a horrible incident and a lot of crisis communications required. Prior to Newtown, what you had was, you know, federal agents would stand up and, you know, the response and anything that happened, "This is an ongoing investigation. We can't comment on it." Now, you can imagine after a school shooting, that's a pretty tone deaf response. If you remember back to Newtown, and I can't remember who it was, I want to say it was like the local sheriff, there was this law enforcement officer that stood up like literally every four hours and said, "Here's what we know. I will be back to you in another four hours with more information." Now, two amazing things happened out of that. One, it set people at ease because they saw that transparency. Two, if you look back at those tapes, every four hours, the guy basically didn't say anything new because they didn't have a whole lot of new information. But what you removed from that was no reporter was going to speculate on this because they knew in four hours this guy was going to stand up and give more information. That incident, what this guy did, and I wish I knew his- remembered his name, it changed how crisis communications works in a large crisis because it changed to "here's what I know, I will be back with you with more information in this period of time,"-

Dave Bittner: It removed the vacuum.

Caleb Barlow: And it sets this [inaudible 00:31:04].

Dave Bittner: Yeah, yeah. Especially in a situation where you have to worry about rumor control and people going off and speaking extemporaneously to the press, it's important to have that unified message and that expectation that he's going to be out there every four hours.

Ben Yelin: Right.

Caleb Barlow: And not that a school shooting is analogous to a cybersecurity incident, but, in this particular case, I think there's a lot to be learned from that, that overcommunicating, even if you have nothing new to say, can resolve those issues of rumors and speculation.

Dave Bittner: All right, well, gentlemen, we are running short on time here. So, I am going to have to wrap it up here for today. A great conversation. Caleb, thank you so much for joining us. Always a pleasure to have you with us again. Our guest today was Caleb Barlow. He is CEO of Cyberbit. [music] A quick thanks to all of you for listening. A reminder that N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our executive producer is Jennifer Eiben. The show is mixed by Tré Hester. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Ben Yelin: And I'm Ben Yelin.

Dave Bittner: Thanks for listening. [music]