
Ransomware readiness at risk.
[ Music ]
Dave Bittner: Hello, everyone, and welcome to "Caveat," N2K/CyberWire's Privacy, Surveillance, Law, and Policy Podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin, from the University of Maryland's Center for Cyber Health and Hazard Strategies. Hey there, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: On today's show, Ben discusses a hack impacting the federal court system. I've got a look at a Michigan Supreme Court ruling on digital device phishing. And later in the show, Ben speaks with John Anthony Smith, founder and CSO at Fenix24. They're discussing law firms falling behind on recovery readiness amid a rise in human-operated attacks. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. All right, Ben, we've got some interesting things to cover here. You want to take it from here for us?
Ben Yelin: Sure. So usually, we talk about how courts rule on cybersecurity issues. We're kind of switching things around today, and we're going to talk about cybersecurity issues within our federal judiciary. We got the story from our friends over at Ars Technica, it's by Dan Goodin. And it's about a long time-- not a friend of the pod, but a character in our pod. He's like the non-player character of the "Caveat" podcast, Senator Ron Wyden, who wrote a scathing letter to the Chief Justice of the Supreme Court, but really intended-- the intended audience was the federal judiciary, alleging negligence and incompetence following a recent hack. There was an article in Politico about three weeks ago talking about this major breach of the judiciary's electronic case filing system. The vulnerabilities that were exploited in this hack have been-- or at least some people have been aware of them going back to 2020. And there are allegations that Russia was "at least partially responsible" for these attacks. So I guess we'll get into what exactly they breached, and then what the consequences of this is and what Senator Wyden's complaints are.
Dave Bittner: Yeah, let's do it.
Ben Yelin: So the breach targeted the judiciary's electronic case filing system. So, there are really two systems. One is called CM/ECF, and the other is PACER.
Dave Bittner: I've heard of PACER.
Ben Yelin: Yeah. I mean, I have an account for both of these things, even though I'm not in the business of filing pleadings. Basically, this is a way to file pleadings or civil complaints, or responding to an opposing brief, or really any legal filing; you put it up in one of these databases. Most law firms pay for an account. And this is what you use to really upload any information. It compiles a case file, and if you do have an account, most of the information is publicly available. So, most of the information that's in these databases is public, which is good for transparency's sake, but there are some snippets of information that remain classified, that are protected in some way because there's sensitive information contained therein. So anything affecting the modes and methods that law enforcement uses, or when we're talking about like national security cases, that's going to be protected, or crucially, information about criminal informants. So, you don't want to blow anybody's cover through a public electronic case filing system. What Senator Wyden is warning the judiciary in this letter is that the judiciary has an outdated and insecure cybersecurity infrastructure, and that poses a severe threat to national security. That when you get into a case filing system where there is a lot of critical information that needs to be protected from the public, we are all vulnerable because it can affect our national security. It can affect crime-fighting strategies at the federal level. If, you know, we're doing a big operation against a drug cartel, and somebody is unmasked as a criminal informant, like that could blow the whole operation. So, this is a critical, critical issue. So he specifically criticized the judicial branch for not adopting standard cybersecurity practices, refusing to meet cybersecurity requirements as laid out in federal guidance. There is an IT policy committee through the federal judiciary. The members of that committee are secret, so there's not really any accountability. I am not on that committee, maybe one day.
Dave Bittner: Or so you say.
Ben Yelin: Right, I guess it's secret, so you'll never know.
Dave Bittner: Right.
Ben Yelin: But, you know, if anybody wants a good nominee for that position. And then he alleges that they are ignoring expert advice on modernizing their systems. So, his remedy here is that there should be an independent public review led by an entity like the National Academy of Sciences to figure out why the breaches are happening, what's going on with the software procurement process, and just a general critique that there's a lack of transparency here. There is no inspector general that's going over this information. There hasn't really been a groundswell of support among members of Congress to do any oversight on this. And even though there hasn't been like a major viewable consequence to this, where somebody was unmasked and was killed, like we are close to a world in which something like that happens, and the judicial branch just needs to take cybersecurity more seriously.
Dave Bittner: Is this a case of the, I don't know, the age-old mismatch between the rate at which the federal government does things and the real world?
Ben Yelin: I think that's exactly what it is. I think it's stasis. I don't think there's any member of the IT Policy Committee who's like, yeah, let's slow roll this, you know. We don't want to institute new cybersecurity practices. Like, I think it's just, they have other priorities. Lawyers, as I've learned through, you know, a decade of this work, aren't constantly thinking about cybersecurity threats. They have other things to think about. They think about cybersecurity when something impacts them, when there's an attack that gets into their system. The thing is, we have already had this attack. We just didn't have transparency on it. We've known about at least this type of attack for over five years. At least according to Senator Wyden's letter, and I believe that he's done his due diligence on this, the judicial branch hasn't really done anything about it, either to improve transparency or to actually fix the problem. And we're just leaving ourselves vulnerable to it. So, yeah, I don't think it's any purposeful mischief on behalf of the judiciary or their IT Policy Committee. I just think it's stasis and being focused on the content of their work and not these threats that might seem very abstract to them if they're not kind of in this game.
Dave Bittner: Well, give me a little, you know, Schoolhouse Rock parts of the government update.
Ben Yelin: You're not going to make me sing, are you?
Dave Bittner: No, I'm not. I will spare our audience that.
Ben Yelin: Thank you.
Dave Bittner: But Senator Wyden here is coming out swinging, you know, claiming negligence and incompetence. He's not mincing words. Is this his part to play in terms of oversight of the judiciary?
Ben Yelin: Absolutely. I mean, this is a classic role of Congress. Congress has a limited role in oversight of the judiciary. I mean, at least according to the separation of powers, Congress is supposed to defer to judicial interpretations of laws. So, the judicial branch is supposed to be the arbiter of what the law is. That goes back to Marbury versus Madison. But there are other ways in which Congress can do oversight of the judicial branch on financial matters, on the size of various courts. Those are all things that are in the purview of Congress. Congress also does control the purse strings. So you've had a lot of like quixotic proposals to zero out the funding for various courts that people don't like. And actually, like it was done in the past, I think in the early 1800s, Congress like canceled a sitting of various court systems to prevent them from-- I think, it was the Supreme Court-- to prevent them from coming to a decision on a particular matter.
Dave Bittner: Wow.
Ben Yelin: So, like they do have that within their authority. I don't think that's going to be employed here. I don't think that's even the implication of Senator Wyden's letter. He is just one senator; he's in the minority. So, I don't think this is going to lead to some type of immediate action, but it's certainly the proper role of Congress, especially when it really is in the public interest to improve the cybersecurity posture of these systems.
Dave Bittner: Yeah, I mean, it reminds me-- well, I guess my question is, I'm reminded of Voice of America and what we're going through with them right now, where they're congressionally mandated to exist and to spend the money that Congress has given them. And so, Congress and Voice of America is kind of in a struggle with the executive branch, with the White House over that. Is there a similar type of influence that Congress can have to say we are providing the judiciary with funding to do this thing, and it is legislatively required that you do this thing?
Ben Yelin: I mean, I think it's the same type of effort you would see with the Voice of America, but probably with the same results, which is that, I don't think Voice of America has gone back out and started doing the same level of broadcasting that they did pre-January 2025.
Dave Bittner: Right.
Ben Yelin: So, yeah, I mean, I don't-- like Congress could pass a law mandating that the judiciary take cybersecurity more seriously, that they comply with mandatory cybersecurity standards, that there are regular audits, that they purchase cyber insurance. Like, they could do all of that. Enforcement is very difficult when the agency that would compel-- or not the agency, but the branch that would compel enforcement is the one that you're trying to regulate. That just-- it is a kind of bizarre separation of powers issues. You know, I don't think beyond just the judiciary not having sufficient resources and being focused elsewhere, and not having an organized IT group that's transparent. I mean, beyond that, like I don't think they are actively trying to stop proactive cybersecurity measures from being taken-- from being put in place, and that's what makes this different from a Voice of America situation.
Dave Bittner: Yeah, yeah,
Ben Yelin: Where they are really intending to shut down that entity.
Dave Bittner: Right, right. Interesting. Yeah, so is this a case where the judiciary is by its nature reactive to things like this rather than proactive?
Ben Yelin: I think they're absolutely reactive. Again, I don't think they're sitting back thinking like how can we get away with letting down our guard on cyber defenses. Like, who cares about these databases? Mostly, information is public anyway. I just think they're not thinking about this at all. So sometimes it takes Senator Ron Wyden writing a letter and getting it printed in Ars Technica to get them to pay attention. And this stuff does work occasionally. It doesn't work all the time, but it's just drawing attention to an issue of public interest that had just gone under the radar. And I think what Senator Wyden was trying to accomplish is just to get the public, at least the people who care about this stuff, to understand what's going on and to understand the risks. And mission accomplished. I mean, Ars Technica picked this up. A lot of other sources picked this up. I know Politico has run articles on it. And that's really the most that he can do at this point.
Dave Bittner: Right. When all else fails, shame, shame, shame, shame can cause change. As long as the people you're trying to shame are not shameless.
Ben Yelin: So occasionally, you'll get Supreme Court justices who will testify annually in front of Congress during the appropriations process. And they are there not to answer questions about their decisions, although everybody always tries. "Chief Justice Roberts, why did you rule the way that you did in Dobbs?" And he's like, "I'm only here to answer administrative questions about the court." But those hearings, that's where you could really ask about something like this.
Dave Bittner: I see.
Ben Yelin: You know, in terms of information security, speaking of Dobbs, like that was the most high-profile breach, right? Where a decision of the court was leaked to Politico prior to it being publicly released. And they never figured out how that happened. So, they're not exactly winning any infosec contests already, but this just kind of adds fuel to that fire.
Dave Bittner: Yeah, that's-- I mean this-- yeah, that's interesting. Because the question I was going to have for you is, is this one of those situations where something has to happen to them for them to take notice, but Dobbs--
Ben Yelin: The video rental store thing, yeah.
Dave Bittner: Well, right, the video rental store thing, yeah. But I mean, Dobbs certainly was high profile, that sort of leak. I mean, I guess you can make the argument, obviously, that it was-- the leak was strategic. If you--
Ben Yelin: We all have our own theories about it.
Dave Bittner: That's right, that's right. That's right. All right. Well, we will have a link to the story in the show notes. We will be right back after this message from our sponsor. [ Music ] My story this week comes from the folks over at the EFF, the Electronic Frontier Foundation. And they are celebrating a Michigan Supreme Court ruling about device searches, it's a Fourth Amendment case. And the background here is the People versus Carson, which evidently involved a search warrant that authorized a broad search of a gentleman named Michael Carson's cell phone in connection with a theft. He was accused of stealing something from one of his neighbors' safes. And the search warrant allowed the police to access any and all data on the device. And so, the EFF, along with the ACLU, filed an amicus brief urging the Michigan Supreme Court to enforce limits on digital search warrants, basically saying that these unbound warrants are too broad, that our cell phones contain too much stuff. Do I have that generally right, Ben?
Ben Yelin: Yeah, absolutely. And this is-- this aligns with federal jurisprudence as well. Certainly going back to Riley versus California, which held that even subject to somebody's lawful arrest, you need a separate warrant to get into their cell phone, just because it does contain that wealth of information. And then, of course, Carpenter, which says that just kind of the depth and breadth of what you can figure out tracking somebody's device. That was about cell site location information that rises to a threshold where a proper search warrant is required. But yeah, I mean, here, this is really about particularity. I mean, that's one of the key features of the Fourth Amendment. It's why we have the Fourth Amendment. We've talked about this concept of general warrants and writs of assistance, where back in England, the king and his subjects would just be like, "Let's go into this person's house and see what we can find." We have a warrant to go into his house to see if he's writing about instituting an insurrection. And if we have to-- if we happen to discover some other contraband, then good for us. And that was offensive to our founding fathers. Now, there's always the question of how does that apply in the digital age? And I think if you're trying to analogize the cell phone to things that existed when the Fourth Amendment was enacted, first of all, you're going to have a bad time doing that. But also, like, I do think it's analogous of like all of the things that are in somebody's home, a calendar, somebody's writings, somebody's record collection. Like, you can kind of analogize what's in a cell phone now compared to the sacred space of the 18th century, which was a person's home.
Dave Bittner: Right.
Ben Yelin: And I actually think that analogy is pretty compelling, which is why, I think, the Michigan Supreme Court decided the case this way, and why that kind of matches where jurisprudence is on this issue.
Dave Bittner: Well, help me understand particularity when it comes to a physical search of someone's home. Because you hear these stories about, you know, so they got a warrant, the police came, and they ransacked the place.
Ben Yelin: Yeah, now sometimes it'll be like you have a warrant to search to see if somebody has drugs. So they'll go in and open up all the drawers. Or a warrant to see if there's any blood DNA in the vicinity. That meets the particularity requirement because it's describing the things to be seized and the general area to be searched.
Dave Bittner: I see.
Ben Yelin: Now you go into the person's apartment looking for thumbprints or traces of blood from a crime scene, and you find illicit drugs, like that's fair game. Once you have a legal search, if something is in plain view during that legal search, that can be used against a person at trial. What you cannot do is just say, "We have a warrant to go into this person's home and not to find anything in particular, but just to find whatever we can find. I think this person is up to no good, so I am going to comb through their drawers." And at least in the modern age, that would be the equivalent of, "I'm going to thumb through their entire device." You know, I'll click on the Jimmy John Sandwiches app and look through the history there. I'll move on to Spotify and check out this person's playlist. And then I'll go into their Amazon account and see what they've purchased. Like that is a huge wealth of information, probably beyond what was ever contained in somebody's home in the 18th century.
Dave Bittner: So what does this mean for law enforcement making their case with a judge to search the device?
Ben Yelin: They are going to have to be very particular about what they are looking for on the device and where they're going to look for it. So if they have probable cause to believe that evidence of this crime is contained in a person's text message, like you could say, we have reason to believe-- we have probable cause to believe that this person was texting their plans to commit this crime. That means some particularity requirement because it's like a single application that they're going to be looking through. It doesn't permit them to go on a fishing expedition. Or if we think there are some financial transactions, we want proof of those transactions, so we're going to look in this person's-- you have a warrant to look in this person's online banking account, right? As long as it's that kind of particularity and not just what is on the device itself, then I think those warrants are going to be held to be constitutionally acceptable. It's when you get to this very general level of whatever is on the device is fair game, that's-- that type of broad search is what is pretty clearly unconstitutional, at least in the state of Michigan. It is now decided that that is unconstitutional.
Dave Bittner: Well, so then help me understand the broader context of this. I mean, this is a ruling in Michigan; it applies only to Michigan. What happens-- how does this affect rulings in the rest of the nation?
Ben Yelin: So it can be a persuasive authority to other states. I'm not familiar with all 50 states' jurisprudence on this issue. But certainly judges from other states will look to Michigan as persuasive guidance on this issue. And then if you start to see disagreements among state supreme courts, maybe that's the type of thing that would get up to the United States Supreme Court, although it's not always clear that we're on a path to seeing that happen. So as of right now, it is only in place in Michigan, but it aligns with at least the spirit of previous Supreme Court decisions and other state court decisions. So you're starting to kind of build a body of law and a bunch of different jurisdictions that, I think, are going to inform cases across the country. But it's only the binding authority on lower courts in Michigan. So lower courts in Michigan have to abide by this. Lower courts in Wisconsin or Indiana can just look at this as persuasive reasoning. They are not bound by this decision.
Dave Bittner: All right. Well, we will have a link to that story in the show notes. We'll take a quick break. We'll be right back after this message. [ Music ] Ben, you recently caught up with John Anthony Smith. He is the founder and CSO at Fenix24, and you were discussing law firms falling behind when it comes to recovery readiness. Here's Ben's conversation with John Anthony Smith. [ Music ]
Ben Yelin: Today, we are joined by John Anthony Smith. He is with Fenix24, and they have just produced a cybersecurity research report entitled "Security at Issue, State of Cybersecurity in Law Firms." So I guess I'll start with just a high-level question. Would you summarize the findings of your research report and some takeaways that certainly stood out to you as you were drafting it?
John Anthony Smith: High-level summary of the document is really that there is still a slant toward resistance over recovery. And what we know from breach is bluntly that threat actors have millions of ways that they could opportunistically gain access to corporations' environments and then attempt some form of exfiltration coupled with some form of destruction. And what we see from the study is that only roughly half of the organizations surveyed actually have what arguably could be immutable backups. And what we know from working thousands of breaches now is that, unfortunately, if an organization has not orchestrated their recovery and actually slanted their defenses toward recovery, that commonly these things do not hold up in a breach. Actually, there was another study recently performed by a gentleman named Daniel Woods, who works for a cyber insurance carrier called Coalition, where he stated that 58% of organizations that were ransomed discovered either a full or partial failure of the recovery capabilities during the ransomware event. And this is what we see also, of course, echoed in this study. We see that statistically, there is a slant toward resistance and defensive strategies, essentially prevention of breach, and largely still lack of focus on recovery and ensuring that it's going to be possible.
Ben Yelin: Is there something unique about the legal profession that stands out to you relative to other sectors?
John Anthony Smith: Yeah, there are a few things that are unique about legal. One, I would argue that legal is perfectly suited to truly understand risk. I think when leadership is educated about what risks they have accepted, they do often act. I think that what is true, I think, and is also highlighted by this study, is that leadership is commonly not being informed in terms they can understand in law firms about what risks they have accepted. Because arguably, law firms are in the business of preventing risk, right, and mitigating risk. So I would say that is definitely different for most organizations, is they are in the risk mitigation business themselves. And so, I do see that when leadership is informed, they commonly do act. Though I do also see in the study that I believe that many cyber professionals and IT leaders are commonly shielding their leaders from the truth. And it may be part the politics in law firms. Law firms, of course, have many cultural differences from other types of organizations, right? They have many owners, like law firms have many partners, and unfortunately, partners are commonly very busy, especially litigators, right? They are very busy, they're very stressed, they don't want interruptions to their life. And so, those interruptions are often translated to IT leaders as an unwillingness to act. I think it's just the messaging isn't commonly correct, and therefore they commonly don't understand it; otherwise, they would act.
Ben Yelin: So what's interesting to me about this study is there's a positive aspect to it. If we had looked at this in 2010 or 2015, then we would have seen user behavior issues. So people opening phishing emails, right? It seems like that culture has changed, and now the vulnerabilities are elsewhere. Do you think there was something that we've done in the past 10 years collectively that we could replicate in getting the culture to change as it relates to resilience and incident response?
John Anthony Smith: I think, definitely to your point, there is a positive aspect to the study. I think if you look at the callbacks to the original study that was conducted in 2023, you certainly see improvements in many metrics, right? Certainly, the metrics around what law firms are concerned about, obviously, phishing took the top spot, and then secondarily, ransomware. I think it was tertiary, it was exfiltration. And then, I think, it was user behavior and also social engineering were the top five, right? If you really look through that lens, what it says to me is that law firms are very concerned and very aware of what we call double extortion events, right? They are certainly aware that there's a great deal of awareness that they are a common and chosen target of threat actors, largely because of the secrets that they keep. And that those events do commonly involve double extortion, social engineering, phishing, right, and user behavior manipulation, right, to ultimately gain access and then attempt some form of lateral movement. So I would argue that the positives here is that certainly folks in this study are seemingly more aware of what's going on in the real world. Certainly, by all accounts, other metrics have improved as well, right? We do see more law firms that certainly have the capability of immutability. Of course, in the study, we can't determine if it's set up right, but they certainly have the capability. And also, we see that more law firms now consider their backup defenses as a top three security control. I think it was 27% was called out in the study, that's seen as a backup and recovery capabilities as a top three security control. Certainly, it's not where we would like to see it. We would like to see recovery capabilities as being number one.
Ben Yelin: Do you think that just the resistance to doing things like tabletop exercises for cyber resilience, do you think that's primarily a monetary thing, or it's just law firms are busy and they're not going to prioritize taking a half day to do a tabletop exercise? Or is there something else that we're missing that maybe we can address to help change that culture?
John Anthony Smith: I think what was interesting about the study is if you look back at the 2023 report is that it was very clear that law firms prioritize external influences for security improvements far above internal influences. And so what you saw in the study, and it was echoed this time, but it drastically improved, is that clients, insurance carriers, and now penetration tests strongly influence improvements. And so I would say to you that I think that it's very clear that they are now prioritizing penetration tests. Are penetration tests a great indicator of breach context and, therefore better defense? I think, well, it depends on what you mean by the word penetration tests, right? Is it vulnerability scans, or is it truly trying to get around your defenses? And so, I think that certainly more law firms are, to your point, doing tabletop exercises. You ask about that specifically. Are they broadly doing them? No. Are they doing them correctly when they do do them? I would argue also no, because bluntly, in most tabletop exercises that we see from most vendors who sell them, unfortunately, there is an assumption that recovery capabilities survive. And what we know from our own data is recovery capabilities commonly do not survive. A matter of fact, we know 84% of the time across our entire recovery sample, recovery capabilities are destroyed, or at least in part, by threat actor groups. And so I would say even when there is confidence in leveraging the assumption of recovery in a tabletop, you're not really yielding positive results, right? Because you're not doing a real test when you've made that assumption.
Ben Yelin: What role do you think cyber insurance plays in how law firms evaluate risk? So, for companies that have approached or purchased cyber insurance, do you think that there can be a kind of effect where it's a security blanket and they think that they don't have to go through the back end and improve their resilience? Have you seen that in your study?
John Anthony Smith: We didn't see that in this specific study, but I love your question, bluntly. I do believe that because cyber insurance carriers are largely taking the brunt of these expenses, frankly, for most orgs, it's not just law firms. I mean, virtually everyone who has cyber insurance that funds themselves in one of these events, the cyber carrier is taking the brunt of the financial losses. I would say without a doubt, because that is true, what we see coming out of breach from our own data is that most companies do not make significant changes post-breach that would prevent the same behaviors from occurring again. And so I would say certainly cyber insurance has a negative impact to positive change in that regard, because they're not feeling the pain. And I do believe that companies really aren't going to change very much if they don't feel financial pain. And then secondly, I would also say is that with insurance, as it relates to law firms, law firms, because they are risk mitigators themselves, they do put a high priority on what insurance carriers say.
Ben Yelin: Right.
John Anthony Smith: If the insurance carriers are pushing down requirements upon them, most law firms are going to comply. So I think insurance carriers causing and requiring more stringent things to be accomplished, especially around resiliency. I think we would see more law firms and, frankly, more corporations in general doing things better if the insurance carriers required it to get coverage.
Ben Yelin: Do you think there's a role that, whether it's regulators or bar associations, can play in setting kind of broader macro standards for law firms, or is this something that just needs to happen internally?
John Anthony Smith: No, I certainly-- well, yes, I certainly believe that the regulatory bodies, bar associations, insurance carriers, basically all the key influencers of a profession should be requiring their professionals to focus on resiliency. And of course, also provide adequate controls for defense. So certainly, we put a priority on resiliency, and we believe everyone should. And secondarily, you can't ignore prevention, right? Without a doubt, I am not trying to say that prevention is not important. It's secondarily important, though, to resiliency. I do believe that regulatory bodies and professional boards certainly should have standards for these things. And frankly, the standards alone create education, and education is never a bad thing, right? Education is a rising tide; it raises all ships.
Ben Yelin: And then can you talk about the role of third-party vendor risk that you found in your study with things like cloud services and the switch to more remote work post-COVID?
John Anthony Smith: That is a very good question. And I don't remember the specific study this-- statistic that's called out at the end of the study, but I think it was 18% of responding law firms were allowing users to access VPN from personally owned devices.
Ben Yelin: Yeah. The stuff of nightmares, yeah.
John Anthony Smith: We don't have to be very technical to know that that is a disaster waiting to happen, right? You should not allow these things. And I would also say that many law firms, and statistically, I don't remember what was in the report called out for this, but I do know a great number of law firms and frankly, larger corporations, most corporations are exposing their SaaS applications for use on personally owned devices. This is incredibly bad. SaaS applications, VPNs, remote access platforms like Citrix and Azure Virtual Desktop and Horizon View, these things should not be exposed for use on non-corporately controlled devices because it causes password leakage, it causes data leakage, and frankly, it amplifies the risk to a great level, much greater level that a threat actor is going to find a way to secure persistent access to an environment, ultimately try some form of destructive act.
Ben Yelin: And then a couple of just forward-looking questions. So if you were talking to somebody, maybe a partner at a smaller, medium-sized firm, and they were listening to this, and you had the opportunity to give them three pieces of advice, three action items on improving their resilience and their incidence response, what would those three things be?
John Anthony Smith: Firstly, it would be know your capability. You should assess your ability to recover, and you should be leveraging an organization that truly understands recovery from a non-product bias, more from an outcome bias, right? The outcome being that your recovery capability will survive, right? So firstly, you should assess it. And secondly, once you have assessed your recovery capability, you should repair it and be regularly testing, right? And certainly, I would say to you that most organizations are commonly going to get their recovery capabilities wrong. Like I said, 84% of organizations that have been breached, they had a partial or full failure of the backup and recovery capabilities. What we know for across our entire assessment sample, 86% of organizations have not a single survivable copy of backups. And so, the third thing I would just say is beyond recovery and resiliency, you should be aligning all of your preventative controls against breach reality. It is no longer sufficient to trust product companies with your safety, right? What we have in IT is we have a proclivity, a pivot, if you will, to assume that tools will save us. Tools will not save us. You have to unit the tools before they will actually save you. And unfortunately, most orgs and especially law firms are buying tools. However, they're not investing in the people to actually manage and configure these tools with excellence. Therefore, they commonly do not work.
Ben Yelin: Yeah, that's the horror story I've heard is like, we bought CrowdStrike, so we're done. We did our due diligence on cybersecurity. And that's never sufficient. I know you've talked about-- in the report, you talked about the biggest threats, phishing and things like ransomware. Are there emerging threats in the coming years that you're looking into that law firms and other organizations should be aware of that aren't as prominent right now, or what's your thinking on how the threat landscape is going to evolve?
John Anthony Smith: Yeah, that's a great question. I would say that in the context of emerging risk is certainly a group known as Scattered Spider. I'm sure you've been reading in the media. They love to target the help desk. I would say there are other threat groups, especially North Korean-based threat groups, that love to also get hired in companies. You asked the question in the context of remote work earlier, remote hiring, and therefore remote workers do create new risks, especially in the context of AI with deepfakes. It is highly likely for law firms and corporations now to hire threat actors. And there are a whole new host of controls that have to be thought through in most organizations about how you update your hiring processes to mitigate the risk of hiring a threat actor. I would say a very simple fix for this is just to require drug screening.
Ben Yelin: Oh, interesting.
John Anthony Smith: Even if they don't require drug screening, you do that. It's very hard for a threat actor to pass a drug screen. But secondarily, I would say on the help desk, many orgs, especially law firms, have not updated their identity verification processes at the help desk. Back to the point about a cultural problem in law firms, partners don't want to waste the seconds to go through an identity verification. Like I'm Mr. Partner Number One Biller, and therefore, you should not waste my time to verify my identity; you should know my voice. But the problem is that voices can now be deepfaked, right? I mean, you only need 30 seconds of audio to simulate someone's voice.
Ben Yelin: Deepfakes are better than they've ever been and are more convincing. And you don't have to be a prominent person. As you said, like you could take a partner's 30-second clip from a deposition, and that's all you need. And then you mentioned AI. I feel like every story right now is an AI story, in one way or another. Are there AI tools that you've seen that might play a larger role in breach detection and response in the legal environment? Are you encouraging organizations to make use of those tools? Are they presenting unacceptable levels of risk? What are your thoughts on kind of AI-based tools?
John Anthony Smith: I think that AI today is unavoidable, right? I think law firms especially have got to be adopting AI platforms to orchestrate their work and frankly, to make better work product and actually speed them up. I mean, if they do not, they're going to be left behind. However, conversely, right, is that you have to do so cautiously, right? Without a doubt, these tools have the potential to break ethical walls, right, expose data to people data shouldn't have been exposed to, therefore breaking contracts, breaking outside counsel guidelines, frankly, even breaking the law. So in the context of law firms, they need to proceed cautiously. I would say certainly innovation is happening faster than the security technologies and methodologies around them are being developed. That is also true in cloud and SaaS, right? We see the same resiliency problems in those platforms because they developed faster than the technologies to protect them kept up. Lastly, I would say in law firms in particular, around using AI for security purposes, I don't see any particular advancements there that are frankly of any significance worth mentioning. I do certainly see a lot of security tooling claiming to be AI-supported, AI-facilitated. I don't really have any particular call-outs to any of those tools that are applicable specific to law firms, really. [ Music ]
Dave Bittner: It's interesting stuff, Ben. I mean, it seems to me that law firms are kind of at the center of a lot of this stuff, just, you know, they can't help having a target on their back, I guess.
Ben Yelin: Right, they have unique vulnerabilities. I mean, it actually fits well with our first story this week, just that, like the legal system itself is vulnerable because there's a lot of really valuable information in legal files. And it's pretty easy at this point to exploit in a bunch of circumstances. So I thought it was really an interesting conversation and fits well with what we talked about today.
Dave Bittner: Yeah, for sure. Our thanks to John Anthony Smith. He is the founder and CSO at Fenix24. We do appreciate him taking the time for us. [ Music ] And that is "Caveat," brought to you by N2K/CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to caveat@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. The show is mixed by Tré Hester. Peter Kilpe is our publisher. I'm Dave Bittner.
Ben Yelin: And I'm Ben Yelin.
Dave Bittner: Thanks for listening. [ Music ]