What happened in the news today should make all lawyers pause and look at the manufacturers of the hardware and software they’re using in their offices. Listen to this video for the info. Also, the post below has a bit more detail.
For years, the United States has been concerned that the Russians were using technology purchased by average consumers to steal secrets from the NSA. United States officials have been concerned that a popular anti-virus software product commonly sold in the US that’s developed by a a Moscow-based company called “Kapersky” is being used by the Russians to steal NSA technology. These past few months a series of newspaper reports made the concerns far more real. And today additional information was released that makes the matter even more concerning.
“The Wall Street Journal reported on Oct. 5 that hackers working for the Russian government appeared to have targeted an NSA worker by using Kaspersky software to identify classified files. The New York Times reported on Oct. 10 that Israeli officials reported the operation to the United States after they hacked into Kaspersky’s network.”1
The US is concerned that Russians Intelligence deliberately used the Kapersky software in it’s spying activities. These articles revealed that on October 25th Kapersky admitted that it’s software took the source code for an American hacking tool from someone’s personal computer. But they deny that it was part of a larger spying scheme. “Kaspersky said in the statement that it had stumbled on the code in 2014, a year earlier than the newspaper reports had stated…The company said logs showed that the consumer version of Kaspersky’s popular product had been analyzing questionable software from a U.S. computer and found a zip file that was flagged as malicious…While reviewing the file’s contents, an analyst discovered it contained the source code for a hacking tool later attributed to what Kaspersky calls the Equation Group. The analyst reported the matter to Chief Executive Eugene Kaspersky, who ordered that the company’s copy of the code be destroyed, the company said…It said no third parties saw the code, though the media reports said the spy tool had ended up in the hands of the Russian government.”2
In today’s Fortune magazine (November 13, 2017), we learn that UK officials are worried as well. The first line of that article reads, “The British spy agency GCHQ is concerned about Kaspersky Lab’s antivirus software being used to spy on people in the UK…”3 The magazine explains why UK officials are concerned: “Barclays has given millions of its banking customers free Kaspersky subscriptions. If those customers happen to work for the British military or government, the spooks fear, Kaspersky’s software might help the Russian intelligence services gain access to their information.”
Today there was another article that made me concerned for similar reasons. It appears that the U.S. intelligence services are worried that certain security cameras could be used by the Chinese government to spy on U.S. targets. The concern is about cameras made by Hangzhou Hikvision Digital Technology, a company owned in large part by the Chinese government. Their product, called, “Hikvision (pronounced “hike-vision”) was nurtured by Beijing to help keep watch on its 1.4 billion citizens, part of a vast expansion of its domestic-surveillance apparatus. In the process, the little-known company has become the world’s largest maker of surveillance cameras. It has sold equipment used to track French airports, an Irish port and sites in Brazil and Iran.” They were also used by the Memphis police and the U.S. military. Furthermore, “Consumer models hang in homes and businesses across the country. At one point, the cameras kept watch on the U.S. embassy in Kabul…Hikvision’s rapid rise, its ties to the Chinese government and a cybersecurity lapse flagged by the Department of Homeland Security have fanned concerns among officials in the U.S. and Italy about the security of Hikvision’s devices.”4
The report also notes that, “Some security vendors in the U.S. refuse to carry Hikvision cameras or place restrictions on their purchase, concerned they could be used by Beijing to spy on Americans. The General Services Administration, which oversees $66 billion of procurement for the U.S. government, has removed Hikvision from a list of automatically approved suppliers. In May, the Department of Homeland Security issued a cybersecurity warning saying some of Hikvision’s cameras contained a loophole making them easily exploitable by hackers. The department assigned its worst security rating to that vulnerability.”5
Hikvision, of course, denies that they are involved in any sort of inappropriate activity. “Hikvision says its equipment is safe and secure, that it follows the law wherever it does business and that it worked with Homeland Security to patch the flaws the agency cited.”6
The concern is that “Last year, hackers took control of hundreds of thousands of cameras, including many made by a Chinese rival of Hikvision, to launch a huge “denial of service” attack that security experts said made sites run by Amazon.com Inc., PayPal Inc. and Twitter Inc. unavailable for hours.”7
If I’ve said it before, I’l say it again. If they are worrying about it, you need to be worrying about it. If the government is worried that products like Kapersky and Hikvision can cause security risks, then you need to be conecnered as well. Why? The government secrets are targeted by the bad guys and lawyers’ secrets are also targeted nay the bad guys.
The government is worried that the Russians and the Chinese will use these technologies to steal secrets from the US. You need to worry that the Russians and the Chinese will steal secrets about your clients. Lawyers are targets That’s because the bad guys know that you are the gatekeeper for a lot of your client’s valuable information.
I believe that we have a three-part duty when it comes to these cyber concerns like this. We must Understand, Anticipate, and Act.
Modern ethics concepts require that you understand these dangers. My reading of recent opinions reveals that we have an ethical duty to understand obvious, well known cyber traps. What’s obvious and well known? You need to stay up to date on the latest concerns to know that. We have an ethical duty to maintain our competence and opinions have acknowledged that that duty evolves as technology changes.
The issues with these cameras and software products may not be considered to be “obvious” today but what about in a month from now when people have read all of these articles? The concern that these software and hardware developers could be using their products to steal information from valuable targets, including our clients, will soon be common knowledge.
You need to consider how these concerns can manifest in your particular practice. Do you use Kapersky as your anti-virus software? Are the security cameras in your office Hikvision products? Are the security cameras installed by your landlord Hikvision products? Did you even know that your landlord has cameras installed in your office? If they are not Hikvison or Kapersky, then what are you using? Who makes those products? I believe that the concept of Diligence (Rule 1.3) demands that you ask those kinds of questions so you could properly anticipate any potential traps.
Third, and Finally- Act
Here is where it gets dicey. What, if anything must you do? Listen, I don’t know if it’s time to stop using Kapersky or Hikvision. What I do know is that now is the time to start asking questions. Sit down with your IT people and discuss these issues with your cybersecurity consultants. Scrutinize the developers of the software and hardware that you’re using in your office and come to a decision.
But just as important as assessing the risk and determining if there is any action to take— document your decision. Set forth the research you did and memorialize your diligence. Make it clear that you gave this careful consideration and that you actually made an informed decision, rather than ignoring the problem.
Understand, Anticipate, and Act.
Now go look at your systems and talk to your people.