This week Jon Gelman published "Cybersecurity Must be a Shared Responsibility." We live with the daily threat of phishing, worms, Trojans and worse. We are a threatened society, struggling to accept and appreciate the extent to which miscreants and malcontents will go to trouble us. The recent pipeline hacking was discussed in "Cybersecurity Hits Home" (May 2021) and "Your Cyber-Health is Your Job" (June 2021). That is a recognition that you play a role in your defense, which sentiment is echoed in Mr. Gelman's piece.
We have heard for years that criminals will go to great lengths to steal. In 2018, I noted in "Hardwired Hacking" the imagination that can go into misdirecting information or outright theft. Mr. Gelman describes how the federal government faces moral dilemmas regarding hacking and network security. He describes "zero-day" software and its role in anti-hacking strategies. The term refers to the fallibility of technology. According to TrendMicro, all software is flawed. There are weaknesses and vulnerabilities periodically discovered.
When a problem is discovered, the software producers begin programming to "patch" the software and either eliminate or ameliorate the risk of that flaw. Unfortunately, communication is extremely rapid in our world. Imagine that you discovered a window lock in your home that will not function. You know you need to have it replaced, and until that "patch" is applied your premises are vulnerable. But then imagine that it is possible for every malefactor, villain, and evil-doer to rapidly be informed that your window does not lock. You have a problem, and they are coming to exploit it.
This is an oversimplification of course. However, the challenge with software is that while you are fixing that window lock, the villains are busy striving to find some other weakness in your structure. They may even depend upon your good nature and see if they can trick you into inviting them in. Picture some kind person ringing your doorbell and offering any number of sympathetic pleas or helpful assistance with your problem(s). You might just invite them into your house, the same way you could be tricked into clicking some link in an email, inserting a "found" flash drive into your computer, or allowing someone to wander back into the office with your group following a break.
They call these "zero-day" threats because once the miscreants know that your window lock is not functional you literally have zero days to get that fixed. As long as no one knows of such a problem, you might play the odds. Seriously, of all the houses in your neighborhood, and all the windows, what are the odds that some miscreant will manage to happen upon yours? But once the word is on the street of that particular window being vulnerable, in the words of "Field of Dreams" (1989), "they will come." Oh, "people will come Ray. They'll come to Iowa for reasons they can't even fathom."
Mr. Gelman brings this home. He notes that we are obsessed with technology. And the very hardware that we are bringing into our homes (remember the old Trojan horse?) What if the miscreants and malcontents could avoid having to break into your home by convincing you to bring the Trojan horse in yourself? This is apparently now being recognized as a real threat. Similar to the "Hardwire Hacking" threat with commercial servers, Mr. Gelman cites "the $5 automated lamp switch that may have software embedded in its chip that routes personal and confidential to ill-doers."
You brought that lamp switch into your home. You brought that "smart" device: digital thermostat, front door camera, digital eavesdropper (anything that can listen to your commands can listen to anything), and more into your home. You brought in that Trojan horse for what you perceived as value and in the process you simultaneously admitted whatever else it contains. And, long after you have forgotten your refrigerator is "smart," it will still be gathering data. With whom might it share?
Mr. Gelman points out that these technologies place a burden on law firms. That is not news. The Florida Bar Journal warned in 2016 "Attorneys Must Protect Clients's Sensitive Data." That article pointed out "Attorneys cannot afford to sit idle and assume that their information is secure." The legal firm is often targeted because "Law firms are high-value targets for hackers because they hold highly confidential and sensitive data." And, what leads anyone to believe that doctor's offices, claims centers, and others in the workers' compensation world hold less of that sensitive data? The Bar urged lawyers to "develop() and implement() strong and comprehensive cyber security programs." Isn't that good advice for us all?
That is perhaps the equivalent of the police advising you to lock your doors and windows. Have you paid attention? Are there broken locks or other risks that should be treated as "zero day?" This may be in your physical premises (yes, they can just steal your server), your software, or apparently your light switch or refrigerator. What are you doing to better understand those risks and live up to your professional responsibility? In the age of information, are you tempted to just disconnect from the Internet?
In December, I will host a portion of the WCI cybersecurity program. No, this is not a class just for IT experts and aficionados. This is a program for the rest of us. As we live out our pedestrian lives in the world of information, what are the realistic concerns that workers' compensation professionals face? What role can we play in keeping the villains out our our premises, out of our networks, and out of our data.
The liabilities are extensive. While lawyers tend to engage the "parade of horribles" ("A rhetorical device employing series of progressively more terrible results following from an act."), the fact is that a data breach can mean lost work time and revenue. It can mean loss of client data, lawsuits, and financial loss. It can destroy reputations and close businesses. If you are not keeping up on these imaginative and relentless evil-doers, the time has come. These threats are real and they are perilous. I hope to see you in December to have a broad discussion of your personal "zero day" threats (what you should be working on right now).