Currently, I’m of counsel with DLA Piper based in their Washington, DC office. My foray into the world of cyber really started from my baby steps as a litigator, where I always had a heavy interest in emergent technology into eDiscovery and then evolved into full scale cybersecurity and cyber defense while I was at Lockheed Martin, in the early days of when the defense industrial base group was being formed to combat the advanced persistent threat.”

Bodo Meseke

“I’m a partner at EY, responsible for forensic technologies within GSA. But today is all about cyber response. And how did I come to this? So I started my career in the IT area within the German Federal Criminal Police Office, where I was part of the cybercrime unit. And as I always have been very interested in computer technology, for sure this was the right place for me to be. So, in the criminal police office, we did several investigations, and so IT security always was part of it. And I left the Federal Criminal Police Office after some years, did some work as a general IT security consultant, but then came back to the roots because I’m an IT forensics guy. It’s about analyzing digital evidence and finding out what happened, what crime was committed by using an IT device. Then I founded my own company, was different expert witnesses, a lot of work we did for law enforcement. But then I joined EY, as the whole team. And now as I said, I’m responsible for the forensic technologies, which means eDiscovery, forensic data analytics and cyber response. And for cyber response, I’m globally heading this for EY, coordinating the teams across the world helping our clients in case of a cyber breach.”

The root cause might be different, but the problem always is the same: sensitive data is suddenly somewhere else where you don’t want to have it. And data breaches are distinguished in physical, electronic, and skimming. So this means with the cyber breach, we refer to the electronic data breach types. This is, beside attacks that lead to breaches, phishing, password cracking, and others that can create huge damage. So there are some attacks that lead to breaches immediately, like phishing or password cracking. But there are some more cyber attacks that are also very prominent and can create huge damage, but not necessarily lead to a breach like ransomware. Their data is encrypted. We will hear more about this later. Or distributed denial of service when you just want to stop computers from working. This is not necessarily a breach but a cyber attack. So in a nutshell, cyber breach means loss of data by electronic means. And I’m pretty sure that there are a lot of legal aspects.”

But it’s a great point to make that small businesses certainly don’t see their ability to conduct business on an ongoing basis as any less critical to their well-being and profitability than large businesses.  And in fact, cyber breaches can in many instances completely wipe out a small business, which by definition has fewer resources and less margin for accommodating disruption.  So I think the key for small and even midsize businesses, frankly, is to prioritize smartly.  You still have to plan and prepare, at least have a plan of what you’re going to do.  And if you can’t afford or may not feel you need to hire an external consultant to help advise you, say, on creating that incident response plan or even where to start, there are frankly a lot of free resources that are geared not just to creating cyber breach response plans on a general term, but specifically focused on small businesses.  As an example, the U.S. Small Business Administration has a significant amount of resources on cybersecurity that are geared towards helping small businesses understand and prepare for cybersecurity issues and incidents.  The Chamber of Commerce also has a lot of materials, some of which are publicly accessible, to help guide small and midsize businesses as well.  Partnering with other businesses and service providers that also carry a mindset of cybersecurity and smart cyber hygiene also helps and making sure that you have a workforce, particularly if it’s a smaller workforce, where they are at least cognizant of basics of cyber hygiene and discipline and why it’s so important.  And making them feel that they have a vested interest in the company being successful on this front and this is a core part of their responsibility.”

Bodo Meseke

“From my point of view, I can only say, prepare for a breach.  That should be the takeaway.  You have heard how important preparation is.  Don’t think you won’t be a target.  Don’t think your company’s not important enough or the business you do, whatever.  Prepare for a breach.  Train your team.  That is the most important thing that I can mention.”

So if you really want to get really deep into this business, if you want to get in the area that I’m representing today, you really need to ramp up technical skills because digital forensics and deep understanding of what is going on in cyber tech is far beyond user level IT knowledge. You need to know what is a registry in Windows, how does it work? What do I find there? How is the file system working? How can the files be hidden into this file system? How is my web working? Do I need to reverse engineer, software code, or whatever? So you really need to do a deep dive into the technical part. This can be done, and it’s not too difficult if you have quite good technical understanding and technical interest, but it needs some time to come there, to have this really deep understanding that you can bring all the aspects together that you need for a cyber investigation from a technical perspective. But you can look for dedicated studies, trainings, join a team maybe on a basis of participation for some months or whatever, and find out if this is the right way for you. I would very much appreciate it because, as I said, meanwhile, there are very, very good lawyers with good technical understanding, but we are still lacking very, very good technical people with the right legal understanding.

Angeline Chen

“You should do what you’re interested in. If you’re interested in cybersecurity, and you’re a lawyer, as an example, what you need to do is, one, get through law school, learn your trade. Going to law school itself does not tell you how to practice law. But if you’re interested in cybersecurity, or in things from a technological standpoint, you can pull the thread through some of the conversations that we had earlier, in that you need to learn how to at least talk to people who are IT experts, who are doing this as their trade and their profession. You need to know some of the basics. You need to know when someone says, know your information systems architecture, what that means. When someone talks about a hot backup, you need to know what that means. When someone starts talking about areas and issues that are specific to cybersecurity or cyber defense, you need to understand what ransomware is, you need to know what a business email compromise attack might be, you need to know what phishing and spear phishing and social engineering is. You also need to be technologically savvy. That doesn’t mean you have to be the first to adopt gadgets in the latest effort and stuff like that. But you need to be following what’s happening in this area as it pertains to data management, data protection, and cyber. I have had a very, very odd career path. And so I kind of would like to think that I fell into this area by accident, but it really wasn’t because looking back over time, my interest in emergent technology as an example, was there from the very beginning when I started in litigation. So figure out what is your actual passion, or your areas of interest, and then go and talk to people. If not mentors, find people that are willing to sit down and talk to you about their career paths and try to get a sense of whether or not what they’re doing really is something that would be something you’d be willing and happy to wake up every day and actually practice by way of a legal career or profession.”

Some of my go-to resources include Krebs on Security. I would also add Schneier on Security. National security. And one of my personal favorites CSO Perspectives and CyberWire, which is run by the former CSO of Palo Alto Networks, who used to run the circuit a lot and is incredibly insightful and warm. And another resource that I’d like to add as well, a little bit of self-promotion, I apologize for that. But the ABA has put out a cybersecurity handbook. And I am proud and privileged to have been the author of one of the chapters that specifically focuses on in-house counsel, and what in-house counsel should think about and should consider with respect to cybersecurity in this moving field. And we’re actually going into our second edition. So I would keep an eye out for that. And that could possibly be a good resource for folks as well, if they’re interested.”

Bodo Meseke

“Yeah, as my book, unfortunately, is only available in German, there’s not much to add from my side. For sure you have these governmental agencies and varied resources in other geographies as well. A quick Google search should help tell you which are the most prominent ones that you can use and you will find a lot of very good information about all these topics that we discussed today.”

I responded to Bodo that:

“I’m sure we have some German speakers listening, so they can definitely check out your book.”