The recent wave of cybersecurity breaches at our nation’s largest law firms makes it clear that the way the legal sector secures our digital assets must change. The White House’s National Cyber Security Strategy (NCS) seeks to address this. In this series of articles, telecom veteran and legal technology CISO David Roberts offers his thoughts on what the NCS, its implementation strategy, its five pillars of the cybersecurity framework, and the emerging threats it hopes to counter mean for law firms, their clients, and the future of law in the digital age .
Part 3 of this series covered supplier management.
In our previous three articles on cybersecurity for law firms and their clients, we’ve taken a closer look at the White House’s National Cybersecurity Strategy and its five pillars, how lawyers and their firms are (or in many cases aren’t) preparing for breaches, and best practices to do it.
However, one of the tenets of the new cyber security strategy is the urgency to prepare existing systems and technology for the threats and challenges we face. One of the goals of this series is to prepare law firms for the changes ahead, especially as more businesses and clients go global and data moves around the world. These are just some of the reasons why several of the five pillars focus on this: For example, pillar 4 calls for investing in a resilient future and pillar 5 involves creating international partnerships to achieve common goals.
Preparing for the future
Among the strategic objectives of Pillar 4 is to prepare for the post-quantum future. So, what does that mean? According to the National Cyber Security Strategy, “Strong encryption is fundamental to cybersecurity and global commerce. It is the primary way we protect our data online, validate end users, authenticate signatures, and certify the accuracy of information.” Law firms, like many other organizations, have relied on encryption to achieve these goals. But the rise of quantum computing means that some of these encryption standards can be broken.
What we talk about when we talk about post quantum computing
Post-quantum computing has emerged as a central frontier in the rapidly changing landscape of information technology. As traditional cryptographic methods face potential vulnerabilities in the advent of powerful quantum computers, the concept of post-quantum computing seeks to develop new encryption techniques that can withstand quantum computing power. At its core, post-quantum computing represents a paradigm shift from classical computing methods. While conventional computers rely on binary bits to process information, quantum computers make use of quantum bits, or qubits, which can exist in multiple states simultaneously, enabling exponential computing speeds. However, this transformative potential poses a significant challenge to current cryptographic systems, as quantum computers can potentially crack encryption algorithms that protect sensitive data.
Post-quantum computing aims to construct encryption methods that are resistant to quantum attacks. These cryptographic systems draw inspiration from various mathematical principles, such as lattice-based cryptography, code-based cryptography, and multivariate polynomial cryptography, among others. These new approaches aim to create encryption techniques that remain secure even in the face of the computing power of quantum computing.
As our digital world becomes increasingly interconnected, data integrity and confidentiality become paramount. Post-quantum computing represents a critical endeavor to ensure that our digital infrastructure remains robust and resilient against emerging threats. By developing encryption methods that are impervious to quantum attacks, post-quantum computing is paving the way to a secure and sustainable digital future. It includes the development of AES, or Advanced Encryption Standard, to replace the outdated DES, or Data Encryption Standard. AES, which offers much greater security, is the brainchild of two Belgian cryptographers, who created it in response to a request from the National Institute of Standards and Technology (NIST) in 1997 for candidates to replace DES.
This also raises new questions about the timeline for post-AES or post-quantum encryption to be created (if it hasn’t already been), whether the US government will similarly create or request this, and whether it will take 20 years to have to a new encryption baseline in pace with current computing horsepower. After all, it appears that the National Security Agency (NSA) is already developing post-quantum cryptography algorithms, with limitations.
Dealing with threats from abroad
While monitoring developments by the US government is important, cyber security threats clearly know no borders, which is why Pillar 5 is focused on international partnerships. And it’s an area that law firms and their clients will also need to focus on in a post-quantum future. As we discussed in the previous article, supplier management will be a critical component of this. One of the strategic objectives of Pillar 5 is to secure global supply chains for information, communication and operational technology products and services.
NIST also offers resources around Cybersecurity Supply Chain Risk Management, or C-SCRM, which is a key aspect of supporting this pillar. According to NIST, C-SCRM should be part of an organization’s overall risk management practices, including identifying and assessing potential risks and determining appropriate response actions. NIST recently updated Special Publication 800-53, “Security and Privacy Controls for Information Systems and Organizations,” to include two new control families: Personally Identifiable Information Processing and Transparency and Supply Chain Risk Management. SCRM is historically in most major federal contracting opportunities, but NIST recently caught up with supply chain with 800-53 rev.5. This is now deferred federally as the baseline control for most System Security Plans (SSPs).
The emergence of new rules
It is not only the United States that is exploring new rules. The General Data Protection Regulation (GDPR), a milestone in data protection, was adopted by the European Union (EU) in May 2018 to strengthen individuals’ privacy rights and regulate the processing of personal data. The GDPR embodies a comprehensive framework that aims to give individuals control over their personal data and increase transparency in how organizations, such as law firms, handle this data. The primary rationale behind the GDPR lies in addressing the rapid proliferation of data in the digital age, which has raised concerns about potential abuse, breach and unauthorized access. The GDPR applies extraterritorially, which means that all organizations, regardless of where they are located, that process the personal data of EU citizens are bound by its provisions. For US law firms operating abroad, the GDPR has significant implications. In an age of global connectivity, law firms often handle client data that may involve EU citizens.
GDPR requires strict compliance with strict data protection measures, which requires improved security protocols, transparent data processing methods and prompt notification of breaches. By embracing GDPR principles and adapting their practices, law firms can strengthen their commitment to protecting data privacy while seamlessly conducting business across borders. In essence, GDPR heralds an era where the protection of personal data transcends geographical boundaries and becomes a universal hallmark of responsible data management.
The International Association of Privacy Professionals (IAPP) has also developed the Privacy by Design framework, which seeks to infuse privacy considerations into the very fabric of product and service design. By integrating privacy principles from the start, the Privacy by Design framework ensures that data protection becomes an inherent and inseparable part of technological progress. The Organization for Economic Co-operation and Development (OECD) has emerged as a central player in shaping data privacy on a global scale. The OECD has developed guidelines for the protection of personal data, which set out a comprehensive framework for the responsible collection, use and protection of personal information. These guidelines serve to harmonize practices across borders and promote a universal commitment to data protection.
The combined efforts of organizations such as IAPP and the OECD underscore the importance of prioritizing data privacy in a connected world. As technology continues to reshape the boundaries of human interaction, these guidelines drive the development and diffusion of data-driven innovations while protecting the fundamental rights of individuals. By following these best practices, law firms operating globally can embrace data privacy as a cornerstone of their business, promoting trust, accountability and security in a digital age.
Global law firms face their own challenges in dealing with potential cyber threats as well as regulations. Along with the largest companies, however, smaller companies with smaller customers should also work to get ahead of the upcoming regulatory curve by voluntarily meeting or exceeding current requirements.
Over the past four articles, we’ve taken a deep dive into the current and future state of cybersecurity, national and international regulations, what law firms need to know—and why they need to care. While the issues surrounding cybersecurity can seem daunting, there are many resources and guidance available to help law firms navigate this ever-changing landscape. And law firms must start planning now, before these rules are final, so they are not caught unprepared and uninformed, and worse, vulnerable to attack.
David Roberts is CISO for Calloquy, PBC, a legal technology startup with a social mission for access to justice. David is a highly accomplished cybersecurity and security framework expert with entrepreneurial and C-level experience in multiple technology organizations spanning two decades. Most recently, he achieved system-wide FISMA Moderate certification covering all security, compliance and regulatory components for the companies that win part of the GSA EIS contract, a 15-year, $50 billion technology services contract (IDIQ) covering 37 technical categories. He holds several degrees, including an MAR from Liberty University, MATS from American University of Biblical Studies, BBA from Clayton State University, and new programs in Technology Leadership from Cornell University. He currently holds the following industry credentials: CISSP, CCSP, SSCP, CAP, CSM®, CCP and AZ-900.
#Rise #PostQuantum #Computing #Future #Cybersecurity #News #Legaltech