Cybersecurity: It Doesn't Come In A Box

Wednesday, December 1, 2004 - 01:00
Stephen M. Arner

Cybersecurity is often viewed as a technical issue, one that may be addressed by ensuring that corporate IT staff purchases, installs and maintains appropriate anti-virus software and a robust firewall. Cybersecurity is far more than that, however. Cybersecurity poses a governance challenge that involves risk management, reporting, and accountability. The risks of failing to adequately provide for cybersecurity are growing, as the number, sources, and complexity of attacks rise contemporaneously with a developing legal climate in which companies that fail to provide reasonable cybersecurity face potentially massive liability exposure on a variety of fronts - with little to no insurance coverage. Companies that fail to recognize cybersecurity as a fundamental, unavoidable aspect of doing business flirt with disaster.

Relative Inattention To Cybersecurity

The view that providing reasonable cybersecurity requires little more than purchasing off-the-shelf security products and downloading patches and updates to operating systems and other software results in part from an undue focus on viruses and worms transmitted by e-mail (along with a more recent focus on spyware) and is reinforced by a widely-held perception that the federal government is not taking cybersecurity seriously. The Department of Homeland Security's most publicized efforts involve announcing virus outbreaks and similar attacks, rather than shoring up the federal government's own networks, as highlighted by a 2003 GAO report citing widespread failures to identify and protect critical portions of the government's cyberspace. DHS recently reported internally that its efforts suffer from a lack of coordination, poor communication, and a failure to set priorities. Even sample forms that the federal government sets forth as models for use by federal agencies suggest the government does not place a high priority upon cybersecurity - the sample "plan of action and milestones" attached to recent OMB instructions for reporting of cybersecurity efforts under the Federal Information Security Management Act (FISMA) lists work "ongoing" six and seven months after the scheduled completion dates. And recently, in October, Amit Yoran, director of the National Cyber Security Division of DHS, abruptly resigned (as did the three previous cybersecurity chiefs) amidst rumors that he was frustrated with the low priority placed upon cybersecurity by the Bush administration. Meanwhile, the cybersecurity division will have a budget next year of $79 million, compared to the $5.3 billion requested for DHS' Transportation Security Administration.

The Growing Threat

Regardless of our willingness to acknowledge it, the threat posed by inadequate cybersecurity is growing, and real. Business computer networks face risks from a wide spectrum of potential attackers, including competitors, terrorists, disgruntled and former employees, activists, criminals, foreign governments, and hackers. Such attackers may attempt to steal intellectual property or credit card information from customers, acquire critical information for purposes of extortion, commandeer computer resources to launch attacks on other networks, deface or shut down Web sites and e-commerce portals, and even inflict physical damage.

There has been an increase in both the number of attacks and the damages resulting from such attacks over the past several years. Much of the increase has resulted from viruses and worms, but more complex, directed attacks against systems that are found vulnerable are also on the rise. In a recent survey, 56 percent of respondents reported that they experienced unauthorized access to their organization's networks in the preceding year. Some of these incidents are relatively minor, serving as little more than a nuisance with minimal impact to the affected company's bottom line. Others are far more dramatic.

Earlier this year, for example, a competitor attempted to extort $17 million in exchange for sensitive information obtained from a corporate system he hacked through the surreptitious use of wireless networks in two homes and a dentist's office. Last year, a hacker obtained millions of credit card numbers from a company that processes credit card transactions. In a failed extortion scheme, a hacker threatened the South Pole Research Center after demonstrating that he had obtained access to the server that controlled the center's life support systems. In 2002, someone hacked the New York Times' network, obtained personal information for contributors to the op-ed page, and ran up $300,000 in LexisNexis search charges. Other examples include the theft of approximately $12 million from a bank and the theft of thousands of patient records from a university medical center.

To date, these sorts of attacks have inflicted only economic damage, with limited exceptions, but may grow more severe and inflict physical damage as well. Last year, for example, GAO warned that supervisory control and data acquisition (SCADA) systems - used for years to control power grids, gas and oil distribution pipelines, water treatment and distribution systems, hydroelectric and flood control dams, oil and chemical refineries, and other physical systems - are vulnerable to attack. According to Richard Clarke, former cybersecurity czar at DHS, these systems remain vulnerable to attack today. In the last three years, 90 percent of problems with such systems have come from break-ins by hackers and viruses. A recent article in Forbes warned that such attacks could open the gates of Arizona's Roosevelt Dam or shut down the electrical grids of dozens of cities on the same day. On a smaller scale, such attacks have caused physical damage in the past. A computerized waste management system in Australia, for example, was hacked in 2002, causing millions of liters of raw sewage to spill out into local parks, rivers, and the grounds of a hotel.

Even companies not involved in critical infrastructure like utilities are at risk. Virtually every business is dependent in some measure upon computer networks and would suffer financially from a successful cyber attack, even if it were not directed specifically at the company, whether it compromised customer information, destroyed data, disabled e-mail, or defaced a corporate Web site. Such companies' networks could also be used as bases from which the actual target could be attacked. As technology has advanced, moreover, attacks have become in some respects easier to launch against unprotected systems, with automated processes seeking out weaknesses across the Internet, without regard to the identity of the targeted system. In short, all businesses that utilize computer networks - today, nearly all businesses - must address cybersecurity issues.

Corporate Exposure For Cybersecurity Failures

Companies that fail to provide reasonable cybersecurity face potential liability on a number of fronts. Companies whose systems have been commandeered for attacks on others may be liable for civil damages under common law negligence claims, for example. Shareholders may seek damages for a company's failure to adequately protect its own assets. State Attorneys General and the Federal Trade Commission (FTC) have pursued companies that allowed confidential information to be compromised through lax cybersecurity. Specific industries such as health care and financial services are governed by regulations specifying cybersecurity requirements. IRS regulations require disclosure of electronic security breaches by taxpayers. California recently passed a law requiring disclosure of security breaches, and Virginia is now considering adopting a similar law which would also provide for recovery of both fines and actual damages.

The potential amount of damages and/or fines in the event of a major cybersecurity failure is staggering, even without considering the effect such an event could have upon market capitalization and good will. Companies may not avoid such liabilities as easily as they may think. CGL policies generally do not cover losses relating to cybersecurity failures, and only a few companies offer cybersecurity policies providing limited coverage. And in determining whether to offer a particular company a cybersecurity policy and at what price, an insurer will typically require a risk assessment to probe the weaknesses of the company's information systems, and will examine the company's policies and procedures. In other words, to qualify for cybersecurity insurance, a company generally must demonstrate that it has adopted reasonable cybersecurity measures.

Many companies remain largely oblivious to the threat. A recent survey of CEOs of small- to mid-sized companies revealed that only 17 percent provided security measures of any kind for their information systems. Industry as a whole, however, led by larger companies, does seem to be slowly recognizing the need to incorporate meaningful cybersecurity. According to some recent estimates, industry will spend about $12 billion on cybersecurity infrastructure this year, and an estimated $14 billion in 2005.

What Is Reasonable?

Reasonable cybersecurity - adequate to withstand claims for fines or damages under the developing variety of bases of corporate liability for cybersecurity failures - encompasses more than purchases of cybersecurity products, however, and cannot be measured by dollars spent. Reasonable cybersecurity demands a comprehensive, never-ending process.

The contours of a reasonable cybersecurity program depend upon the nature of a company's business, its usage of and dependence upon computer networks, and other factors. What is required of a defense contractor is obviously not required of a small retail establishment. A balance must be struck between the likelihood and possible extent of harm and the burdens that would be borne in attempting to prevent attacks.

Read in this context, recent consent decrees entered into by the FTC and State Attorneys General provide guidelines of what "reasonable" cybersecurity entails. The decrees were entered into with companies that were alleged to have engaged in unfair or deceptive business practices under state and/or federal law by failing to protect the security of information in accordance with representations made in their privacy policies in a variety of contexts. Eli Lilly, for example, came under scrutiny as the result of a single e-mail message that inadvertently listed, in the to: field of the message, the private e-mail addresses of hundreds of customers who used Eli Lilly's Prozac. Microsoft aroused suspicion that it was collecting information about individuals in violation of its stated privacy policy. Ziff Davis stored credit card information in an unencrypted file, the location of which was publicly available to anyone viewing the source code of one of Ziff Davis' Web pages. Tower Records and Guess? allowed personal information regarding customers to be compromised.

Under the decrees, the companies were required, in addition to ceasing to misrepresent the extent to which information was collected and protected, to establish and maintain comprehensive, documented cybersecurity programs. The companies were required to designate personnel to coordinate, oversee and be accountable for the programs; identify reasonably foreseeable external and internal risks and address those risks with administrative, technical and physical safeguards; and provide for periodic evaluation of the program with appropriate adjustments thereafter. All but the earliest of the decrees also required periodic assessment by a qualified, objective, independent third-party professional. The process-oriented approach set forth in these decrees echoes guidelines and regulations governing specific industries (e.g., the financial services industry under the Gramm-Leach-Bliley Act and the health care industry under the Health Insurance Portability and Accountability Act of 1996) and federal agencies (under FISMA), and will likely serve as a benchmark for assessing the reasonableness of a company's cybersecurity efforts in the context of resolving negligence and other tort claims.

By addressing cybersecurity now, businesses can minimize their exposure to potential tort claims and enforcement actions and increase the likelihood that they may purchase cybersecurity insurance to protect against security breaches that result despite the implementation of a reasonable security program. Counsel can and should assist with the development, implementation, and review of cybersecurity policies and procedures; track judicial, legislative, and regulatory developments, including those that govern particular industries; assist businesses in obtaining cybersecurity insurance; and help minimize the impact of cybersecurity failures when they ultimately and inevitably occur.

Stephen M. Arner is an attorney in the Tysons Corner office of Kelley Drye & Warren LLP where his practice focuses on litigation and cybersecurity.
