Data Security for Lawyers Traveling to China
From: Corporate Counsel
By Alan Cohen
For Western lawyers working in China, doing business can require a curious combination of legal skills and 007-like stealth. Leave your laptop in your hotel room? Expect it to be searched. Call up a website to check the weather? You might load code that pulls data off your hard disk. Does your PC weigh more than it did when you left the States? That could be a homing device, implanted on the sly and now transmitting information about the merger your client is planning. It might sound like stuff from a James Bond movie. But the threats are real, say law firm technology chiefs—and worrisome.
The perils of using technology in China isn’t a topic that law firms like to talk about publicly. “This is a very, very sensitive subject in our firm,” says one chief information officer who declined to talk about the topic, even on a confidential basis. Says another: “Public statements might be considered the equivalent of ‘poking the bear.’ On this topic, I believe we are better served staying quietly diligent.”
The U.S. government has been less reticent. On its website, the U.S. Department of State advises travelers to China that Internet and telephone use “may be monitored on-site or remotely, and personal possessions in hotel rooms, including computers, may be searched without your consent or knowledge.” In February 2012 national intelligence director James Clapper told the House intelligence committee that “China and Russia are of particular concern. . . . Entities within these countries are responsible for extensive illicit intrusions into U.S. computer networks and theft of U.S. intellectual property.”
Law firms can be especially at risk, so much so that in November 2011, the Federal Bureau of Investigation briefed the nation’s top 200 firms on hacking and other IT security risks they face. One law firm CIO who attended the session said the FBI’s message was clear: “They figure law firms are a particular target because big companies use them for deals, and [firms] often have weaker security than the companies themselves.” Another CIO says that in the last 18 months he has attended four meetings where “three-letter federal agencies spoke about targeted hacking of law firms.” (This CIO says that participants were asked not to provide details of the briefings.)
Austin Berglas, assistant special agent in charge of the cyber branch at the FBI’s New York office, says the bureau routinely reaches out to law firms, along with financial institutions, universities, and research centers, because “highly skilled cyber-criminals often target these organizations on behalf of foreign nation-states who seek to gain an advantage socially, politically, or economically.”
One law firm CIO, who—like many of the other CIOs quoted in this article—asked not be identified, says that Chinese clients are forthcoming about the risk: “They will say, if you leave your computer on in your hotel room and go to dinner, you can be assured that someone will try to break into it.”
Not that this CIO, who oversees technology for an Am Law 100 firm with an office in China, needs to be convinced. Each day he receives a report on “port scans” experienced by the firm. A port scan is essentially the cyberspace equivalent of a tug at a window—someone on the outside checking, on their own and without permission, for a way onto a network. A firewall—the barrier that keeps unauthorized traffic from entering or leaving a law firm’s data center—typically has thousands of ports. A hacker needs only to find one that is open and vulnerable. On an average day, this CIO’s firm sees more than 3 million port scans: 2.4 million originating from within the United States, 500,000 from China, and 100,000 from every other country on the globe combined. He says he can always tell when there is a holiday inside China: That’s when the number of port scans drop significantly.
Security concerns about China are “very legitimate [and] very high on our radar screen,” says Linn Freedman, a partner at Nixon Peabody who leads the firm’s privacy and data protection group. (Like a growing number of Am Law 100 firms, Nixon has a presence in mainland China, with an office in Shanghai; it has also assembled an internal “privacy council” of attorneys, management, and IT professionals to deal with privacy and security issues.) “There is no privacy in China,” Freedman says. “You have to understand that when you are doing any business in that country. There are no statutory or legal protections. It is a whole different atmosphere than doing business in the European Union or the United States, and it is scary.”
In fact the only protections firms have are the ones they create for themselves. What follows are policies that firm CIOs are instituting to protect lawyers who are doing business in China. They are also, the CIOs say, smart steps to take when lawyers travel in any nation where cyber-espionage poses a heightened risk—and that doesn’t just mean the usual suspects like Russia; two tech chiefs noted that France has been a surprisingly active hotspot for hacking and cyber-theft.
Take a loaner laptop
The most fundamental precaution is to take a “clean” laptop on the trip. Lawyers should never bring their usual machine—the one they use day in and day out for work (and the one filled with work-related data). Firms generally have a cache of loaner laptops that contain no work product. If these are lost or otherwise compromised, the potential damage is contained.
Other devices that may contain work or personal information—such as a tablet—should be left at home whenever possible. “You try to have a serious discussion with folks on what they need to take and have them trim back,” says Matt Kesner, chief information officer at Fenwick & West. “We strongly encourage them not to take their own smartphones and iPads and definitely not their own laptops—not just to China but when they go many places in the world.”
While this advice might seem like a no-brainer, another CIO notes that it is not something partners—who are often used to doing things their own way with their own equipment—like to hear. “We had a document where we said, don’t go [to China] with your standard laptop, but take a loaner, and a lot of attorneys were not thrilled with that,” he says. Making a rule, he adds, was out of the question: The firm just didn’t work like that. Besides, “at the end of the day, partners are going to do what they want, and the Chinese know that, and the hackers know that,” he says.
Embrace desktop virtualization
By itself, a clean laptop can reduce security concerns but not eliminate them entirely. After all, lawyers could create sensitive work product on their loaner machines during their trip, or visit websites that plant harmful code—known as malware—on the laptops, which among other things can intercept keystrokes or compromise any data that is on the machine. So some firms strive to make loaner laptops as bare-bones as possible, stripping them of Web browsers, word processing software, and email programs, and ensuring that no data is ever stored on them. So if prying eyes do come upon the laptop, there is nothing to see. The trick, in short, is to remove most of the things that make a laptop useful without making it useless. As luck would have it, there is a technology that does exactly that—desktop virtualization. Firms are flocking to it.
What desktop virtualization does is turn a laptop into, in effect, a keyboard and screen. All of the actual applications, computer processing, and data storage takes place back in the firm’s data center, where it can be secured. Many firms use platforms developed bya Citrix Systems Inc. or VMware Inc. to accomplish this.
The connection is encrypted, and often, multifactor authentication is used—meaning a password isn’t enough to gain access; there has to be another check, as well, such as a token, a physical device that contains a code or biometric data that helps to prove the bona fides of the user. “Anyone who isn’t using multifactor authentication for remote access is just asking for trouble,” says one CIO.
Fenwick, which uses VMware View to power its virtual desktops, takes things a step further, providing its traveling lawyers with special passwords that provide less than their normal access, but enough to get their job done. “They will click on the VMware View software and get into their email and a segregated section of our network that contains whatever documents they need while they are away,” says Kesner. “It will look like their normal desktop, but everything is really happening on the remote server, not their own machine, and nothing is stored or cached locally. We have been told that this is the current state of the art for law firms and even the diplomatic corps.”
Carry, observe, and report
Laptops should never leave a lawyer’s possession. That means not leaving them in a hotel room—even in the safe—while stepping out. Hotels in China, says an IT security expert at one U.S.–based law firm, often work in concert with the government to install software on an unattended computer. But sometimes it is impossible to keep a laptop in hand. For example, at Chinese airports, it is not uncommon for a customs agent to temporarily take a visitor’s laptop into another room. “You don’t know what is going on there,” says another firm’s IT security chief. “The battery might be replaced with something that tracks keystrokes. There have been cases where the hardware has been tampered with.”
Lawyers should watch out for incidents in which they are separated from their gear, and report them to the firm’s IT department, which may then want to take the equipment out of service. Whatever has been done to that laptop can be hard to detect, notes this expert. “You can take steps in advance, like using tamperproof tape, but that will really raise alarms for whomever is tinkering with the machine,” he says. “So we may just get rid of the machine.”
Wipe on return
Even if there has been no separation from the user or sign of tampering, the safe play is to erase the entire laptop upon a lawyer’s return. That doesn’t mean simply wiping data, but also erasing the system’s BIOS (the software that boots up a computer and controls its basic functions), which is the only way to get rid of some of the more advanced forms of malware. This adds another level of complexity if the laptop in question is a lawyer’s own device, and not a loaner. “Preferably, we erase the machine,” says one IT security officer. “But there have been times where a partner wants to hold on to it, and won’t let us do that unless we can positively identify malicious traffic.”
Take a no-frills cell phone
It is advisable, too, say CIOs and security experts, that lawyers leave their smartphones at home along with their laptops. Instead, a low-frills handset (that is, something that doesn’t surf the Web or run apps), devoid of all contact and calendar information, should be taken. It, too, should be clean when entering China and wiped upon return. Fenwick, for example, issues what Kesner calls “very nonsmart phones.” The firm also cautions traveling lawyers to be careful about what they talk about, since the phones will be running on local wireless networks. “We’ve been told by federal agencies that audio calls are regularly recorded and reviewed, and that the process goes even further with smartphones, as data and email can be intercepted,” says Kesner.
Change passwords when you get home
Even if a lawyer has never opened a Web browser on their laptop, but simply checked their Facebook and Yahoo accounts from a hotel business center or Internet cafe, they’ll want to change their passwords when they return home, in case the machine they used contained a keystroke-logging program.
For firms with offices in China, the challenges—and the solutions—get even more complex. China-based lawyers, after all, won’t be returning in a week or two, handing off their loaned laptops and phones for decontamination. They’ll be using the equipment for the long run. But firms are devising strategies here, too, including the use of desktop virtualization (to keep data off local machines) and network architectures where China-based lawyers can’t access the document management systems back in the United States but use a special China-dedicated DMS (so if there is unauthorized access, damage is minimized).
At least one firm has gone so far as to install a firewall—typically used to keep outsiders from gaining access to a network—between its data center and its own China office. Only certain users, such as a U.S.–based attorney temporarily in China, are allowed through. “We have authentication and access control at the software level through the whole firm, but China is the only place where we have a firewall, another level of protection, to block and monitor traffic, because China is such an obvious threat,” says the firm’s CIO. “You’re almost anticipating an unauthorized person getting in there.”
Finally, there is perhaps the most important strategy of all: Get the word out about the risks and the steps that can mitigate them. Loaner laptops and phones add zero protection if a partner won’t take them. Too many lawyers, says one law firm’s IT security chief, think a laptop with antivirus software will counter any threat. “Getting by antivirus software is a joke for even moderately advanced hackers,” this security chief says. The key is vigilance, and precaution, and at times a little inconvenience. Firms need to explain all this to their lawyers—so their lawyers don’t need to explain to their clients how their data was compromised.