Cybersecurity keep you up at night? For Laura Jehl, it's become focal to her career. From her time in-house with companies like AOL and Anthem Insurance Cos. Inc. to her years in private practice with the likes of Sheppard, Mullin, Richter & Hampton, Jehl has handled cybersecurity from both sides of the aisle. Now, she has recently moved to Baker & Hostetler, where she is a partner and privacy and data practice lead.
Looking back on her years counseling major corporations, managing a major health care breach response effort and working with the government on cybersecurity issues, Jehl chatted with ALM about the threat landscape of today and tomorrow and how major corporations are addressing cybersecurity under the Trump administration.
ALM: Tell us about your new role and how it draws on your cybersecurity expertise.
LJ: The areas of privacy and cybersecurity are very busy. There's a lot going on, and particularly recently, it's been hard to get away from it. So it's exciting for me to be part of a practice that's recognized and sophisticated. Baker was out ahead of a number of firms in recognizing that this cybersecurity was going to grow and be important.
My role is to strengthen that team and lead the Washington piece of it, because so many of the issues around cyber and privacy have, at least until January of this year, involved the federal government. Whether it's the FTC regulating privacy, or working with the national security folks on state-sponsored issues, or the FCC.
ALM: From the inside, do you see a noticeable shift in how the federal government addresses cybersecurity?
LJ: No one really knows. I spent the last year going around talking to businesses, and I told everybody enforcement is ramping up all over the place. At that point, the FTC had these privacy and cyber rules, the FCC was getting active; everyone was sort of turning up the heat to see who could be the roughest regulator on both privacy and cyber issues. And then it got really quiet after November.
There's a big question mark, in my mind and I think in the mind of others, around what this administration thinks about these issues. I feel like I still don't know. We've seen them pull back from the FCC rules, but that's really about it.
ALM: How has this impacted the private sector's handling of cybersecurity?
LJ: The other question about this administration is what their view is. There was at least one high-profile indictment coming out of [the] DOJ with state-sponsored activity around Yahoo. But beyond that, there's some directives about getting Homeland Security a more active role, but still a lot of it is in the 'yet to be seen' category. We're still sort of trying to read tea leaves still.
That makes it an interesting time to talk to clients because everyone is feeling the threat level, between things like these giant ransomware attacks to the distributed denial of service (DDoS) attack last fall that harnessed all the internet of things devices. People are sort of realizing there are a bazillion ways that being connected to the internet can be risky, that it's not just credit card data or personally identifiable data being breached. But then they sort of say, 'Well what are our obligations, what do we have to do and what will we get in trouble with the government for?' And it's hard to answer that question.
ALM: So are corporations just waiting to see what happens?
LJ: I think recognizing the variety of threats and the seriousness of those threats is on the uptick, though you still see a fairly broad diversity in views about that in corporations. But I think that the technological piece is, 'Should we be shoring up our IT systems, should we be taking more precautions?' And that's important, but what matters on the legal side is it's hard to say will the government think that what you've done is enough. Do you have legal exposure in addition to the almost inevitable incidental exposure?
ALM: What's the biggest technology issue facing large corporations today?
LJ: It's kind of embarrassingly simple: It's being connected to the internet. Anything that's connected pretty much can be compromised. This is so cliché that it's kind of embarrassing to say, but the big risk is the fact that human beings are using it. And people fall for phishing attacks, which is where the vast majority of these things come from. A lot of them are not really sophisticated state-sponsored threat attacks. They're on the rise, I wouldn't want to rule those out, but a lot of it is people being fooled and social engineering. It's been going on for years, it's getting increasingly sophisticated. That's what makes it so hard. A technological fix might be expensive, but you can do things like encryption and firewalls and multifactor authentication.
This industry has evolved so quickly. I was at AOL early enough on that the big threat was spammers—it wasn't the cybersecurity stuff—and we were pretty secure given the amount of data we held, but the issues were nowhere near as sophisticated and the internet was a more innocent place. There was bad stuff out there, but it's become just so full of this kind of risk.
ALM: What's on the threat horizon that no one sees coming?
LJ: I hope people are keeping an eye out for it, but the stuff that really concerns me, without being a total alarmist, is the state-sponsored attacks like on the power grid in the Ukraine, and the consistent but fairly low level of concern registered about attacks on critical infrastructure like nuclear power plants and the power grid.
So whether bad actors, state-sponsored or not, decide to create more mayhem, my biggest next generation fear is sort of the mayhem of taking down the power grid, taking down airports, taking down critical infrastructure. Some of the ransomware attacks have been more about mayhem than getting the 300 bucks they charge for ransom. So my fear is that's the next wave.