Heading 1

You can edit text on your website by double clicking on a text box on your website. Alternatively, when you select a text box a settings menu will appear. Selecting 'Edit Text' from this menu will also allow you to edit the text within this text box. Remember to keep your wording friendly, approachable and easy to understand as if you were talking to your customer

TAG Cyber Law Journal

July 2019
The FBI wants companies to understand that there’s no downside to working with them—before or after a cyberattack.
Douglas Hemminghaus got into cybersecurity from the other side—“from the how-do-you-compromise-it side, not so much the how-do-you-secure-it side,” he explains. But he was no black hat hacker. He worked for the Federal Bureau of Investigation, and in 2003 he was promoted and sent to the National Counterterrorism Center, where he worked in the group that “identified and exploited terrorist communications.” These days he’s the Assistant Special Agent in Charge of National Security and Cyber [DH1] in Columbia, South Carolina. He functions as a strategic manager overseeing cybersecurity, which is one of several areas he’s responsible for. He also does a lot of public speaking on the subject. He tries to work in two or three talks a month. “We could do cyber presentations every day,” he says. “That is the No. 1 request from the public.” But they don’t have the resources to meet the demand. He wishes they did. The public appearances help them “lift the veil on the FBI,” recruit talent and gather intelligence from companies on the threats they’re seeing. And there’s another payoff. Spending 45 minutes giving a talk beats paying a call on a company three weeks later “because somebody hacked into their systems and stole some of their intellectual property.” After 23 years with the FBI, he’s sure of this much: “I’d rather educate than investigate.”

CyberInsecurity News: What are some of the misconceptions in the business world about the FBI in connection with cybersecurity and data breaches?
Douglas Hemminghaus: Probably the biggest one that I’ve run into here in South Carolina is that people think we’ll come in and scan their systems, find the problems and fix them for them. But we do not offer remediation. We’re strictly there for investigation.

CIN: And what response do you get when they learn the bad news?
DH: It’s a lot better nowadays, because more people understand and have become aware through education. Most of the companies that we’ve dealt with either have cyber insurance and will work with the insurer to provide information to whatever [remediation] company they have a contract with, or they already have a contract IT company that will fix it for them and clean up their systems.   

CIN: Do you ever have companies that are afraid you’re going to need to take their equipment for your investigation?
DH: Yes, we have. I can’t say that that won’t happen. We’ve been able to do everything onsite and conduct our investigations from there. We will work with the companies and make sure that they stay up and running. We can usually come up with a solution to the problem—a workaround. Another question we run into a lot of times is that companies are afraid we’re going to go through the content—read the emails. And that’s not what we’re looking for. The majority of the time we’re looking for specific code. I’m not looking at what’s in your email attachment, or what you’re talking about in instant messages going back and forth.

CIN: Are people concerned that you’re going to report what you find to regulators? To the Securities and Exchange Commission or the Federal Trade Commission?
DH: We do not. That’s up to the company and their counsel on whatever applicable laws they have in whatever state they’re in. We do not share that information. We have the Privacy Act in the federal system—unlike the state system, where you can do a FOIA [Freedom of Information Act] request and ask for any information on any investigation. You can’t do that in the federal system. 

CIN: Do you think that’s pretty well-known in the business world today?
DH: For most attorneys, yes. They are aware of that, if they’ve ever had any dealings in the federal system. It’s still a concern, though. Let’s say we’re working on a ransomware case. Well, that’s going to be a criminal investigation. Or we may have just a plain intrusion, where you had some of your intellectual property stolen. In all likelihood we’re going to handle that as a national security investigation, especially if you can trace it back to one of our threat countries—let’s say we trace it back to China. Well, that whole investigation will be classified, because we will be using tools and methods that are classified, unlike a criminal investigation, where it’s generally done through search warrants and court orders that you would find in a criminal court.

CIN: What causes you to get involved in an investigation?
DH: There are three categories of cyber incidents that we have here. First is ransomware, which everyone reads about in newspapers these days. Second is the business email compromise. And the third is what I would call a state-sponsored intrusion. This would be like a foreign intelligence service or a foreign intelligence organization. It has broken in, to conduct an act of sabotage and/or to steal some type of intellectual property or classified information.
I also spend a lot of my time looking down the road. What are the next emerging threats? What type of resources are we going to need? How are we going to allocate what we have toward those threats, and make sure that we stay within the lines?

CIN: Do you have much contact with in-house lawyers?
DH: It varies from case to case. Sometimes we’ll have a lot. Other times we may have a case of ransomware with a company where the attorneys don’t get involved at all. It’s wide-ranging.

CIN: What’s an example of a lot of involvement?
DH: Usually publicly traded companies, where there’s a significant exposure and there’s significant damage that’s been done. So we have to worry about not only the damage that was done and who took it or destroyed it, but also how and when the company is first going to tell its employees. Second, did they have state disclosure regulations that they have to send out to all of their stockholders—all those that were affected by the breach? Third, the general message to the public. That’s when you will see general counsel get involved a lot. If it’s a small issue—say, a single hack from a business email compromise, where someone wire-transferred money to a fictitious company, thinking that they were just paying an invoice that was due—not so much on those.

CIN: And how much help do you offer? Let’s say that this is not a company that has a great deal of experience with this sort of situation. And you do. Would that be a fairly common scenario?
DH: Yes. We will help them. We will give them suggestions. Like: “Here’s what we’ve seen in the past. Here’s what we’ve seen that’s worked well. Here are things that haven’t worked so well. Obviously I cannot recommend companies, but are you considering hiring a public relations firm to come in and put the message out for you in the way you want it put out?”

CIN: Have you had bad experiences when you were dealing with companies?
DH: The bad experiences we’ve had are with those companies that have no written plan in place for what they’re going to do if they have a cyber intrusion. And when you compound that by having counsel who are not even somewhat familiar with the basics—what is a business email compromise? What is ransomware? If they don’t even know that, it’s very hard for us to be effective and efficient, and to get that company back up and running, as well as further the investigation and figure out what the problem is and who did this. The companies that we’ve dealt with that had a written plan, that had general counsel—whether it was in-house or contract—who had a basic cyber understanding, and the companies that have actually walked through their plan—they usually do very well. It’s like here in South Carolina, you have to have a hurricane evacuation plan. But nowadays you also have to have a cyber intrusion response plan.

CIN: What advice can you offer general counsel that would help them face the challenges that you see on the horizon?
DH: Try and stay current on the latest cyber issues. Not that you have to be a programmer. But understand what’s going on in the world of ransomware, business email compromise, intrusions. I highly encourage cybersecurity training. Train, train, train. You have to change people’s mindsets when they come to work about cybersecurity. It’s there all day, every day. Don’t click on that link on that email that came from someone you don’t know. The attorneys who handle cybersecurity matters need to keep up with the threats out there. That’s another reason we started the Cybersecurity Legal Task Force at the University of South Carolina School of Law. It’s specifically designed to help educate attorneys on what’s going on out there, and how you remedy it. And you’re seeing the market explode with cyber insurance. That’s an option that attorneys may want to look into. But just to stick your head in the sand and ignore it could be very detrimental to the company. In today’s world, if you haven’t had an intrusion, it’s just a matter of time.

CIN: Who should be included in this training?
DH: Everyone, from the CEO all the way down to the receptionist at the front desk. Anybody who touches a computer can be targeted by a socially engineered email that’s designed to penetrate someone’s system. In-house lawyers should be trained. And law firms themselves are targets of hackers. Imagine if you got into the servers of some of the big law firms in the United States. And we’ve seen it already in the news. Think of all the notes that attorneys keep, and all the privileged documents—and what you could do with all of that information. Anything from blackmail to stock market manipulation. It’s endless. I always ask the attorneys around here in the law firms, “Who manages your IT systems?” And if it’s an outside contractor, “OK, has anyone ever done a background check on them?” Because some of the information that they keep is extremely sensitive and can be downright embarrassing for certain people, depending on what the topic is that they’re handling at the time. If you call that 800 number and it’s answered by a call center that’s overseas, and now you’re turning over your desktop so that they can fix something, it’s got to make you wonder. I’ve seen it happen where the weak link was a vendor overseas that managed the company’s IT.         

CIN: Do you find that the CEOs are unanimously fine with the idea of going through the same training as the receptionists?
DH: Like I said before, if you have access to a computer, they don’t discriminate in who they target. I’ll give you an example of a South Carolina case where they actually targeted the son of a CEO of a midsize company. A socially engineered email was sent to the young teenager, who was really into online gaming. And the reason they knew that was because he was always talking about it on social media. So these individuals drafted an email with a link where they wanted his son to beta-test an online game for them. And he did it from home—from the desktop in his dad’s office. But when he clicked on the link, he downloaded a virus. Later that evening, Dad comes home to do work. Logs in from his desktop at home, using a VPN back into the company, thinking he was secure, but the problem was that the virus was already on his laptop, because his son had been gaming on it. And they were then able to get into the system. So yes, it’s everyone. If they are after something in your company, they will study it up and down, front and back, to discover who the weak link is and where they can get in. And they will go at it from multiple angles.     

CIN: It sounds like it’s important, as part of the training, to go over all the reasons why employees must secure their equipment, wherever it’s located, and secure it from even members of their own household.
DH: Yes. Depending on your level of comfort of where your IT settings are at. We have had incidents here, even within the FBI, where family members of employees were targeted through apps on their smartphones. There are certain apps—the ones that are coming out of China nowadays—where if you click on the “agree” when you download a free app, especially on a lot of these games, hidden in there is wording that says in order to make your phone work more efficiently, you are allowing them to suck all the data out of it and make it nice and neat so the game will run faster. And once they return your data, there’s a virus in there, so when that family member contacts the employee on the employee’s smartphone, that virus is passed from one product to the next.

CIN: You talked about how you can advise companies, even if you can’t remediate their problems. Can you talk about some of the challenges that can impede cooperation between the public and private sectors?
DH: In working with the private sector, I always have to earn their trust. Especially if they’ve never had any interaction with the FBI or the U.S. Attorney’s Office on matters such as these. People are frightened. They don’t understand. And this all goes back to having competent counsel who are familiar with cyber and how these investigations are done. If you don’t have any of that, I can understand how it could be intimidating. Earning their trust and letting them know that any and all information that’s provided will be kept confidential, and will not be out there for the public to see, is a huge hurdle to get over, and you have to earn that inch by inch. And eventually we get there. And we can get the information and intelligence that we need, as well as help them resolve their problem.
     A lot of times I get asked by both counsel and the victim of these intrusions: “Is anybody ever going to go to jail for this?” Well, we’re getting better. A lot of this has to do with diplomatic relations with other countries. If we can trace it back, are they willing to honor our legal process? We have several ongoing cases now in Columbia in which we’ve had significant success. And we’ve had foreign countries where, if they would not allow us to arrest the individuals and have them extradited back to the United States, they have agreed to prosecute them in their court over there.

CIN: You talked about earning the victim’s trust. When they’re facing a crisis and they’re feeling under enormous pressure, that’s a tricky time to start developing a trusting relationship, isn’t it?
DH: Yes. And that’s why we encourage people to come out anytime we’re giving presentations and get to know us. Talk to us. We do this all the time in the law enforcement community. That’s why we practice active shooter exercises at the different schools and businesses. We do interagency SWAT training all the time. So when we have one of these things, and we’re talking at 2 in the morning in a crisis, it’s not the first time we’ve talked. And it makes things flow so much easier. But when you meet someone for the first time, and they’re under pressure in a crisis mode, trying to earn their trust or even to just get to know them can be very challenging.

CIN: There are other programs that work to facilitate cooperation between the public and private sectors. To take a few, the FBI has your InfraGard program. And there’s the nonprofit National Cyber-Forensics & Training Alliance [NCFTA], in which the FBI is a major player. And there’s also the Cybersecurity and Infrastructure Security Agency [CISA], which is part of the Department of Homeland Security. Compare what you do with what they do. 
DH: I believe we complement each other. We all have the same goals: trying to protect the free-market society here in the United States. The InfraGard here is probably our largest outreach program, just by the sheer number we have. I believe in South Carolina we’re pushing over 600 members alone. The next largest would be our Domestic Security Alliance Council and our private-sector partners that we do presentations for. Cyber is just a part of it. We also do presentations and briefings on insider threat. But the ultimate goal for all of these is to provide good-quality information intelligence to help people protect their companies, and then listen to them and hear what they’re seeing out there, so that we can come up with new tools and strategies to mitigate those threats.

CIN: Do you ever communicate with those other organizations?
DH: Yes. I have one person, and that is his sole responsibility. He’s an agent, and I call him my private-sector outreach coordinator. He coordinates the activities of all those organizations you just mentioned in South Carolina. For example, InfraGard is actually run by a board of people from private industry. We foster it and assist. But the board determines the path that they want to take. So my coordinator helps shepherd it along. Any topics that they want to hear about, we will go out and find speakers and give presentations for them. That’s his primary role. And when new information from those private industries becomes available, he’s their point of contact. If they have any problem, this is the guy you call.

CIN: What are the most important takeaways for general counsel from this interview?
DH: Make sure the company has a written cyber intrusion response plan. Talk it over. Make sure you review the contract, if you have outside IT support, so that in the event of an intrusion, you can get access quickly to all the information you’re going to need. And know how detailed their logs are, where they’re kept, how they’re kept, how long they’re kept, and how they will provide them to us here at the FBI.
     I’m not sure how many continuing legal education credits that attorneys need every year, but I would highly recommend that some of those be in cybersecurity. Once again, it’s not that you have to learn how to program, but at least know what’s going on in the cyber world so you understand the basic terms: What’s a DDoS attack, a ransomware attack, a business email compromise? Those are the ones you’re probably going to get calls on. This is not a subject you just pick up overnight. Spend a little time with it, and it will save you a lot of headaches down the road.