Todd Hinnen is the Chair of the Privacy and Security Group at Perkins Coie. He teaches national security courses at Stanford Law School and University of Washington Law School. Hinnen has previously served as the head of the Department of Justice’s National Security Division, Chief Counsel to then-Senator Joe Biden, Director for Combating Terrorism at the National Security Council, and a computer crime prosecutor at the Department of Justice.
Christopher P. Skroupa: Several news outlets recently reported on the release of a suite of hacking tools apparently stolen from the NSA. Should we be concerned?
Todd M. Hinnen: We should be concerned on three levels. First, although the stolen tools are somewhat dated, they are sophisticated and could pose a real threat to companies that have not patched vulnerable firewalls and servers. Second, if reports are accurate, the theft suggests that hackers—potentially sponsored by another government—have compromised NSA security at some level. Finally, taken together with other recent activity, it appears to suggest that adversarial foreign governments are more frequently and more aggressively targeting the U.S. and U.S. companies for cyber espionage.
Skroupa: A recent sharp uptick in hacking incidents has been attributed to nation state actors. What does that mean for private companies?
Hinnen: It underscores that companies with sensitive data need to develop holistic data security programs designed to prevent, respond effectively to, and mitigate the harm resulting from sophisticated network attacks. As the cyber capabilities of nation state adversaries improve, they have the resources and expertise to test companies’ data security at a whole new level.
Skroupa: Do private companies also have a role to play in securing against and responding to such attacks?
Hinnen: They have a critical role to play. Private companies own and operate 85 percent of the critical infrastructures in the United States. Those companies can expect to be on the receiving end of nation state attacks in coming years. Private companies are also developing some of the most innovative and powerful security products and services for protecting against such attacks. The government, on the other hand, may have critical threat intelligence and has an important role to play in setting standards for network infrastructure security and resiliency. Effective network defense today relies on a public-private partnership.
Skroupa: Are there steps you think every company should be taking to protect themselves against hacking and other cyber attacks, as well as the reputational and legal risk that can arise?
Hinnen: Companies need to develop and implement comprehensive cyber security programs, with Board or C-Suite oversight, written policies and procedures, and effective training, auditing, and enforcement. When they permit third-party vendors to access their sensitive data, they need to conduct diligence to ensure those vendors have sound security and structure contracts with them to appropriately allocate risk and responsibilities. And they need to purchase cyber insurance that will protect them in the event of a major breach.
Skroupa: When the General Data Protection Regulation goes into effect in May 2018, companies that process data about EU citizens will be required to notify authorities and affected individuals of data breaches. What can these companies learn from U.S. companies who have lived for years with state breach notification laws?
Hinnen: Breach notification requirements in the United States have played an important role in incentivizing companies to develop, implement and test incident response plans, and the security and preparedness of many U.S. companies have improved as a result. Some EU countries already have breach notification requirements, but those that don’t will need to develop an effective incident response culture.
Christopher P. Skroupa is the founder and CEO of Skytop Strategies, a global organizer of conferences.