Tracking the Evolution of Cybersecurity in the Legal Sector

In 2004, the then President of the United States of America declared October as the Cybersecurity Awareness Month. It might not have garnered as much traction as Black History month or even Halloween, but as early as 2004 experts were acutely aware of the risks we face in the online realm and vital need for cybersecurity. Almost 20 years on, today, with technological advancements scaling at a pace faster than anyone could have imagined; and with geo-political tensions straining defence frameworks across the globe, threats of cyberattacks, hackers and data breaches have compounded.

With supply-chain threats, Ai-based spear-phishing and hybrid work, the cyber threat landscape keeps one-upping itself. The attack strategies are changing every minute, and cybercrime as a service is becoming the norm. Over the years, the legal fraternity along with their governments have been positioning themselves to combat these threats effectively. Here, we go through a few instances where states, agencies or in some cases circumstances that got the ball rolling in strengthening cybersecurity strategies.

New York, United States of America

The state of New York has set a precedent by mandating that attorneys undergo a basic cybersecurity education. During the pandemic, and later, when hybrid work systems were adopted by law firms and agencies, experts realised the urgent need to help protect attorneys from cyber threats as they worked outside the office. To that end, in August, New York established the training infrastructure required to assist lawyers in safeguarding themselves against online dangers. Under the recently announced mandate, starting July 2023, New York attorneys will be required to take at least one cybersecurity CLE credit. While of course, one hour-long lesson might not be enough to really prepare lawyers against cyber threats that could potentially topple their firms, it is widely acknowledged to be a positive start – one that many believe will be replicated and perhaps even enhanced upon by other states and agencies.

European Union

Targets of cyberattacks have changed in recent years, moving beyond financial institutions and governmental organisations to include common household appliances, smartphones, firewalls, and other digital platforms. The EU has published ground-breaking legislation named ‘The Cyber Resilience Act’ to fix the loopholes in existing laws that do not address contemporary improvements. Taking a ‘security-by-design’ approach, it aims to hold the entire supply chain accountable for the cybersecurity of products and platforms.

Russia’s Invasion of Ukraine

With war and the threat of nuclear Armageddon straining national defence systems, the Russian invasion of Ukraine has highlighted several flaws within the system. From the resulting energy crises to the supply-chain disruption, other countries too have felt the repercussions of the war in Europe. In the cybersecurity front, the most turmoil has been felt by cyber insurance companies. With fewer insurance providers and rising cyber threats, cyber insurance companies have come under scrutiny for their ‘War Exclusion Clause’ – one that exempts them from covering damages from geo-political or state-sponsored cyber threats.

India

During the pandemic, India was among the top 3 nations which experienced perilous server access and ransomware attacks. Despite this, India has been charging the drive for a ‘cyber-secure nation’ at the 10^th position in the Asia-Pacific region in the 2021 Global Cybersecurity Index. Perhaps its most effective weapon has been the CERT-In or the Indian Computer Emergency Response Team (CERT-In) – India’s national agency for cybersecurity. Established in 2004, CERT-In has been steadily tracking global trends in cyberattacks and teaching cybersecurity awareness and anti-phishing to government officials across the country. CERT-In has been playing a crucial role in informing people about the latest cyber vulnerabilities and countermeasures to combat them.

As repositories of sensitive data and as platforms that oversee massive amounts of financial and data transactions, courts, law firms and other public agencies have routinely been targets of phishing, ransomware attacks and data breaches. Multiple instances in recent years have proven time and again that today we are more vulnerable to cyber threats than ever before. But then again, multiple instances have also proven our capacity to learn from attacks and better ourselves for the future.