China Hacking Report Raises Alarm at Firms

 

The blockbuster report on Chinese hacking released last week by U.S. cybersecurity firm Mandiant has focused attention on the security of data held by governments and big corporations—and by law firms.

 

The report linked hacking of 141 entities, mainly in the United States, to a Chinese military unit based in a suburban Shanghai neighborhood. Four of those entities were law firms. Mandiant general counsel Shane McGee declined to name them, but says law firms, which store all kinds of sensitive information for a wide variety of clients, make ideal targets for hackers.

 

"By targeting large law firms, hackers can obtain information about hundreds or thousands of companies by breaching a single network," says McGee. "To some extent, it’s a one-stop shop for the attackers."

 

The Chinese government has denied the allegations in the Mandiant report as baseless and says China itself has been targeted by hackers apparently based in the United States. Mandiant acknowledges that it does not have absolute proof that the Chinese military is behind what it calls the "Advanced Persistent Threat 1" hacking attacks, but it says the scale and sophistication of the attacks suggest a state actor and that circumstantial evidence overwhelmingly points to Unit 61398 of the Chinese People’s Liberation Army.

 

Though allegations of Chinese government hacking have surfaced before, the detail of the Mandiant report has kicked up the alarm level among lawyers focusing on China.

 

Thomas Shoesmith, the Palo Alto–based China practice leader and former Shanghai office head for Pillsbury Winthrop Shaw Pittman, said the release of the Mandiant report led him to call for a meeting with his information technology team to discuss cybersecurity issues. He says lawyers in general, not just at his firm, should be thinking and talking about the subject.*

 

"We need to talk about the risks, the consequences when you are faced with a data breach," he says. "To what extent can we be held liable if someone hacks our systems for our client’s information, and can our cybersecurity system be negligent?"

Shoesmith says he’s not sure many lawyers are up-to-date on these issues. "To be honest, I have no idea what we are doing with cybersecurity," he says. "I assume we are doing something. We have hundreds of IT people in the firm!"

 

The issue is a sensitive one, of course, and many law firms, including Latham & Watkins, Cleary Gottlieb Steen & Hamilton, and Nixon Peabody declined to comment on the cybersecurity issue. Several others firms did not respond to requests for comment.

 

But some lawyers say they think the risk may be overblown. "How often does this actually occur?" wonders Geoffrey Lin, a Shanghai-based partner with Ropes & Gray.

 

David Blumental, a Shanghai partner with Vinson & Elkins, also says he’s not particularly worried about the findings of the Mandiant report. "I think firms are taking the normal precaution, but there is no compelling evidence showing that this is a common phenomenon," he says. Blumental allowed, however, that there may be many more hacking incidents against law firms that have not been made public.

 

According to the Mandiant report, much of the Chinese hacking activity is aimed at stealing intellectual property. Hackers also appear interested in ferreting out information about companies’ stances in negotiations over commercial contracts or mergers and acquisitions.

 

"We frequently see competitive information being misappropriated by attackers," says McGee. "That information is often later misused to influence or sabotage transactions."

 

While law firms might certainly be in possession of such sensitive information, Lin thinks hackers are more likely to target the relevant companies directly. Law firm data drives, he says, have too much other information that hackers will not want to wade through. "Just reading about fund formations," he says, "their heads would explode."

 

But Shoesmith says his impression as an adviser to information technology companies that focus on data mining is that information processing has become a "piece of cake" for dedicated specialists.

 

"It has become a fantasy to think that hackers these days cannot just pull out the information that they are after," says Shoesmith. "And hackers are way ahead of the defenders. At work, I'm confident I am protected by my firm. But if someone wants to hack into my [personal] computer for information, they are going to get it."

 

He also says law firms cannot be seen to be responding less robustly than their clients to the potential hacking threat. "Clients are going to say, 'We have taken relevant measures to protect our sensitive information. What will you do to protect our information if we give it to you?' "