Heading 1

You can edit text on your website by double clicking on a text box on your website. Alternatively, when you select a text box a settings menu will appear. Selecting 'Edit Text' from this menu will also allow you to edit the text within this text box. Remember to keep your wording friendly, approachable and easy to understand as if you were talking to your customer

TAG Cyber Law Journal

January 2019
We brought back the expert we talked to last year to rewind and fast-forward.
JANUARY 1, 2019
Very early last year, in one of our first articles , we invited Daniel Garrie to review cybersecurity predictions that other people had made about 2018, and to come up with a few of his own. This time around, we talked about how he did in the prognostication department, and we took turns scanning the horizon. We're not sure anyone will be shocked by CN's predictions, but we think readers will be at least surprised by some of his. Garrie is co-founder and managing partner of Law & Forensics and the editor-in-chief of the Journal of Law and Cyber Warfare. In addition to his law degree, he earned a bachelor’s and master’s in computer science and has built and sold several tech startups. 

CyberInsecurity News: One of the things that you were talking about early last year was vendor vulnerability—that is, vulnerable to cyberattacks. And that was going to be a big issue.
Daniel Garrie: I think it was a big issue. It continues to be a big issue.

CN: Spear-phishing was a problem then, and it continues to be now. You noted the difficulty that companies were having training employees. Has progress been made there?
DG: You’re talking about changing behavior. You’re really trying to correct human behavior, and it’s extremely challenging to do that, because it’s innate in our behavior to reply to email.
     Until you can get people to stop replying to email, spear-phishing is going to be successful. Companies are training diligently, but it’s going to be hard to use training to replace the reality that people like the ease and convenience. When you’re busy on a Friday and someone sends you something saying, “I need this wire sent,” you want to hit reply. Until you turn that capability off, there’s no way around it. So I think you’ll see companies in some instances turning off people’s ability to reply to email in the common way in order to mitigate the risk. This can be an effective approach. Law & Forensics has seen this strategy deployed successfully on multiple occasions. But it is not a magic bullet, and continued vigilance and training are necessary.

CN: One of the big issues—not a new issue, but one that’s emerged in a big way in 2018—is privacy. The GDPR, the General Data Protection Regulation from the European Union, almost guaranteed that would be the case, since it came into effect in May. But then Facebook and the Cambridge Analytica scandal brought the message home in a way that got the attention of a lot of people here. How do you think the GDPR, the California Consumer Privacy Act and the controversy surrounding Facebook will carry over to 2019?
DG: There’s no question that it will carry over and evolve this year. I think it will become a bigger and bigger issue. Since there is no explicit constitutional right to privacy at the federal level in the United States, the privacy pain is only going to grow for U.S. companies that operate globally. The net-net is that it is going to become a lot more expensive and a lot more complicated for global companies to figure it out. It’s going to be—I hate to say a privacy arms race, but something very close to it. Given the complex global relationships that power commerce and trade, and the underlying data collection involved in this process, it is inevitable that the construct of privacy is going to continue to present a complex challenge for companies, big and small.

Data protection officers were suddenly in demand.

CN: Data protection officers: The GDPR says that certain companies under certain conditions need to hire them. I understand from my interview with the International Association of Privacy Professionals [IAPP] that the hiring of data protection officers has really taken off in this country—beyond what the GDPR requires. You advise companies. What are you seeing?
DG: A huge demand for people who have privacy expertise. You will continue to see that demand grow in the coming months and years. Look at it like this: Companies today, unlike at any time before, have a compelling reason to be laser-focused on privacy. There is a growing societal interest, along with regulatory schemes with huge penalties. In turn, a demand for qualified privacy individuals has arisen, and there is simply a shortage of competent individuals to hire. IAPP is a great organization that provides resources to individuals looking to enter the privacy realm, and its certifications can help companies find qualified privacy professionals.

CN: Are the companies that are making this move to hire data protection officers doing so because they really have to under the GDPR, or is something else motivating them?
DG: It’s not just the GDPR. You’ve got California, you’ve got Asia, you’ve got China, you’ve got Dubai. There is no question that both privacy and cybersecurity are being elevated in status. Data is core to almost every business, and companies are recognizing that these areas represent material risks to an organization. Companies are also pushing out privacy and cybersecurity requirements to their vendors. So it’s not just the GDPR. All of these together motivate companies to hire qualified data protection officers

CN: Let’s talk about big surprises in 2018. I can think of some that got my attention, not all of which affect companies directly. The extent of Russia’s disruption of the 2016 election, and its continuing threat to our electoral process last year, including through its disinformation campaigns, surprised me. And the other development that surprised me was the Equifax breach. The message from that is: “You can’t take any company or any data set for granted.” Maybe I was naive to think that there were security measures in place at certain companies where data is the whole ball of wax.
DG: The reality is that nothing is bulletproof. No matter how secure you make anything, at some point it breaks down. The real measure of your cybersecurity is how well you respond to, mitigate and address a data breach. It is evident that mitigating a breach requires a great deal more than technical skills in today’s 24/7 operating environment.

CN: Did any surprises stand out for you?
DG: Several things surprised me, but one thing that stands out is that the Department of Defense did not split off the National Security Agency. Today, the U.S. Cyber Command and the National Security Agency operate under one overarching structure. The U.S. Cyber Command was created in 2009 with the purpose of defending the United States against cyberattacks and cyberwarfare. That’s different from the NSA’s mission of collecting cyber intelligence globally. It surprises me that in the very complex cyber environment confronting the public and private sectors, the government has not moved to separate these two organizations, which I believe is actually required by the National Defense Authorization Act of 2017 .

CN: Two more developments are noteworthy before we move into the future. They are two “treaties” of sorts. There was the tech accord that Microsoft shepherded through: tech companies saying that they were not going to aid and abet cyberattacks. Instead, they were going to try to help each other to avert or mitigate them. And more recently, the Paris Call for Trust and Security in Cyberspace. More than 50 countries and all kinds of agencies and organizations said that we need to band together and take action to prevent or counter cyberattacks. These were both voluntary measures without any enforcement teeth. What do you think about them?
DG: They sound great in theory. But one bad apple will ruin the bunch. You’ve got to be careful what you wish for. I would point you to an article that we published in the Journal of Law & Cyberwarfare last year titled “Responding to the Call for a Digital Geneva Convention: An Open Letter to Brad Smith and the Technology Community ” [pay wall]. It argues that, in fact, there already exists a robustly developed set of international law norms, although enforcement of these remains problematic. In addition, the article notes that Smith’s call for a Digital Geneva Convention overlooks the need for states to agree to adopt such a treaty. It also explains that to be fully involved and engaged, the tech sector needs to develop an appreciation for international law, and how it applies to cyber operations, before attempting to develop the law applicable to cyber operations.

CN: And while we’re on the subject, some of the biggest countries, like Russia, China and the one we’re sitting in right now, didn’t sign the Paris agreement. Do you think that’s likely to change?
DG: No, and I wouldn’t favor our signing it now, either. How is it in the United States’ interest to develop treaties around cyber operations today?

CN: Well, we have treaties to prevent proliferation of nuclear weapons. Can you imagine at some point having some sort of treaty that would curtail cyberattacks?
DG: Many moons from now, maybe. Not any time in the near future. Because it’s an evolving landscape. And because of many issues, including the integrated nature of public and private infrastructure and associated national frameworks. These vary by country, which makes creating such a treaty a daunting task.

There is a high likelihood that in the next 12 to 24 months, there is going to be a catastrophic event that will impact cyber insurance.

CN: Let’s talk about another subject you care about a lot: cyber insurance. An expert who recently wrote on this subject for us said that last year, if a company did not have cyber insurance, they probably had to explain why not. And two of the bigger issues that they were trying to protect themselves against were the GDPR, and the incredible fines that could result from failing to comply; and business interruption, which cyberattacks can cause. We’ve seen law firms put out of commission for a week or more.
DG: Cyber insurance is also evolving. There are still a lot of unknowns today. But I think there is a high likelihood that in the next 12 to 24 months, there is going to be a catastrophic event that will impact cyber insurance. I’m not sure if it happens in 2019 or 2020, but I’m near certain that at some point in the next couple of years, a catastrophic cyber event will occur. For example, it could be a major cloud player going down for 12 hours or more. This event, in turn, will trigger cyber and other insurance policies, creating losses for insurance companies that will be upward of $100 billion.

CN: How is that likely to affect the insurance industry?
DG: I believe that, after this event, the insurance industry will see massive consolidation. And companies will see a jump in premiums for all types of policies. As someone who leads an organization that is involved in building complex cyber risk models, I do not think that the insurance industry recognizes yet that a cyber event will reach well beyond cyber. The net-net is that this event will drive up the prices of insurance.

CN: Any other predictions?
DG: Yes. With the internet of things (IoT) coming into play, you’re going to also see physical harm as a result of an attack.

CN: I have a few predictions for 2019. We started out talking about vendors. Since the DLA Piper breach, companies have been particularly concerned about their law firms. And there’s been a new focus on their vulnerability.
DG: I think there is a high likelihood that there will be a major cyber incident that will result in the effective dissolution of a global law firm or accounting firm.

CN: I think companies are starting to wake up to this and are going to crack down on their law firms by demanding security changes. And they will audit the firms—with the kind of audits they need to assure themselves that they’re not just being told everything is fine. They will want to see evidence that proper protections are in place.
DG: No question about it.

CN: And I think law firms are getting the drift, and are starting to take this seriously and investing resources and shoring up their cybersecurity.
DG: I agree, to some extent. Law firms are starting to spend real money in cybersecurity. I know firsthand from the work my company is doing that law firms are attempting to develop and implement cybersecurity and privacy programs that are robust and defensible.  

CN: Many companies are already adopting more stringent privacy standards as a result of state laws and GDPR. I think we’ll continue to see that because they’re anticipating the possibility of more legislation from the states and the possibility of federal legislation. And I have to ask you: What do you think the likelihood is of federal privacy legislation in 2019? And if it does happen, do you think it will include language to pre-empt state laws like California’s, which are likely to contain tougher standards than a federal law that can get through Congress would have?
DG: The chance for federal legislation is tricky. There is a need; however, the many different congressional committees acting in this realm make getting a bill passed a challenge. We have started to work with several companies on developing and implementing a program that ensures that they are in compliance with the California framework, which is compelling companies to also start to advocate for a federal standard on these issues.

CN: Do you think that some federal law will get passed? What are the odds?
DG: My best guess is that there’s a 60 percent chance that federal privacy legislation will pass.

CN: While you are peering into your crystal ball of regulation, one last question. Will companies that manufacture IoT devices be pressured to improve the security on them?
DG: It’s possible that IoT device manufacturers will be regulated, but it will be sector-specific. For instance, I do think there’s likely to be regulation of devices in the health care and education industries.