Managing Corporate Cyber Security Against Nation-States
November 5, 2018 by Editor
By: Leetal Weiss
On October 31st, the DC Bar hosted an event on Managing Corporate Cyber Security in a Global Market. A panel of public and private sector professionals discussed the growing cyber security concerns companies face when nation-states, such as Russia, North Korea, and China, hack into companies and steal their sensitive information. The panelists discussed (1) what action plans companies need to take in order to protect their sensitive information, (2) when companies should report hacks, and (3) whether self-help measures are available to companies.
1. Action Plans
To address growing cyber security concerns, companies must implement action plans: predefined responses for when a nation-state steals sensitive information. The panelists recommended that before a company institutes an action plan, its officials first establish what sensitive information the company holds and how that information is currently protected against nation-state actors.
Once officials know what sensitive information the company holds, they can institute an action plan. Officials need to work with the IT department to decide in advance whether the company’s systems should be taken down or left running when an intrusion is suspected. Companies can also retain outside counsel so that employees’ reports of cyber security concerns are covered by attorney-client privilege.
A company that does not want to implement an action plan could instead cut its employees off from the Internet altogether. That, however, is not a practicable solution.
2. Reporting Hacks
The panelists discussed the reasonableness standard companies should apply when deciding whether to report a nation-state hack. One panelist offered two contrasting examples: when a small amount of data is stolen and the attacker demands $500, the hack does not need to be reported; but when a small amount of data is stolen and the theft leads to employees being placed on a kill list, the hack must be reported.
The same reasonableness standard applies when a rogue nuclear state hacks a company. A recent example is North Korea’s hack of Sony Pictures. According to the panel, within twenty-eight days the United States government identified the nation-state behind the hack and announced sanctions. The sanctions were possible because President Barack Obama had signed an executive order authorizing the government to sanction North Korea for stealing sensitive information from the United States.
3. Self-Help Measures
Given the growing cyber security concerns companies face, many want to adopt self-help measures such as hack-backs: hacking the nation-state that previously hacked them. In the United States, companies cannot use hack-backs because they are illegal; gaining unauthorized access to another party’s systems is a federal crime under the Computer Fraud and Abuse Act, regardless of who attacked first.
Instead of hacking back, companies actively monitor their networks and plant “crown jewel” folders: decoy folders of fake sensitive information (in security terms, honeytokens) intended to be stolen in place of the real data. The decoys are designed to trigger an alert when they are accessed or exfiltrated, and because each planted copy can be made distinguishable, they can help identify the nation-state behind a hack. Stolen “crown jewel” folders usually surface for sale on the dark web, so companies hire third parties that work with law enforcement agencies to confirm the data is theirs by purchasing it. That purchase is itself challenging, because the sellers are often sanctioned states or terrorist organizations, which a company cannot lawfully pay.
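As an added example (not part of the panel discussion or of this article), the following Python sketch shows one way to build such decoy folders: each planted copy embeds a unique keyed token, a registry maps tokens back to where they were planted, and a scanner raises an alert when a registered token turns up in a proxy log line or in listing text recovered from the dark web. The token format, the secret, the host names, the beacon domain and every log line are assumptions constructed for this demo.

```python
"""Decoy "crown jewel" folders with per-placement canary tokens (added example).

Each decoy document carries a unique token tied to the place it was planted.
If the token later appears in a beacon request, a SIEM event or a dark web
listing, the registry tells the company which decoy was taken and from which
host, and a thief holding the document cannot recover that mapping.
Token format, secret, host names and log lines are all assumptions.
"""
import hashlib
import hmac
import os
import re
import tempfile

# Tokens are shaped like an internal project reference so they survive when a
# document is copied, quoted or resold (assumed format).
TOKEN_RE = re.compile(r"PRJ-[0-9a-f]{20}")


def make_token(secret: bytes, placement: str) -> str:
    """Derive a deterministic, unguessable token for one decoy placement.

    HMAC over the placement label means nobody without the secret can forge a
    token or link a token back to the host it was planted on.
    """
    digest = hmac.new(secret, placement.encode(), hashlib.sha256).hexdigest()
    return "PRJ-" + digest[:20]


def build_decoy_document(token: str) -> str:
    """Fake 'sensitive' content. Nothing here is real; the token is the tripwire.

    The link points at a domain the company controls (assumed), so opening it
    from a stolen copy produces a beacon hit in the company's proxy logs.
    """
    return (
        "CONFIDENTIAL - Board briefing on Q3 acquisition targets\n"
        f"Internal reference: {token}\n"
        f"Full valuation model: https://docs.example.invalid/ref/{token}\n"
    )


def plant_decoys(base_dir: str, secret: bytes, placements: dict) -> dict:
    """Create one decoy folder per placement; return a token -> placement registry.

    placements maps a label (e.g. the host the folder lives on) to the folder
    name to create under base_dir.
    """
    registry = {}
    for label, folder in placements.items():
        token = make_token(secret, label)
        path = os.path.join(base_dir, folder)
        os.makedirs(path, exist_ok=True)
        with open(os.path.join(path, "acquisition_targets.txt"), "w", encoding="utf-8") as fh:
            fh.write(build_decoy_document(token))
        registry[token] = {"label": label, "path": path}
    return registry


def scan_for_tokens(lines, registry: dict) -> list:
    """Return one alert per line that carries a registered token.

    Lines may come from proxy logs (beacon URLs), SIEM events, or the text of a
    dark web listing obtained through a third party. Strings that match the
    token shape but are not registered are ignored, so lookalikes do not alert.
    """
    alerts = []
    for line in lines:
        for token in TOKEN_RE.findall(line):
            if token in registry:
                alerts.append({"token": token,
                               "placement": registry[token]["label"],
                               "evidence": line.strip()})
    return alerts


def demo(base_dir=None) -> dict:
    """Plant decoys on two assumed hosts, then scan constructed evidence lines."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="decoys_")
    secret = b"example-secret-kept-outside-the-decoy-share"  # assumed; keep off the share
    registry = plant_decoys(base_dir, secret, {"fileserver-01": "Crown Jewels", "hr-share": "M&A"})
    stolen = make_token(secret, "fileserver-01")
    evidence = [
        # Constructed proxy log line: the decoy's embedded link was followed.
        f"2018-10-30T02:14:07Z proxy GET https://docs.example.invalid/ref/{stolen} src=203.0.113.7",
        # Constructed dark web listing text quoting the stolen document.
        f"FOR SALE: board docs from US firm, sample line: 'Internal reference: {stolen}'",
        # Constructed noise: same shape, but derived from a different secret.
        f"unrelated post mentioning {make_token(b'someone-else', 'fileserver-01')}",
    ]
    with open(os.path.join(registry[stolen]["path"], "acquisition_targets.txt"), encoding="utf-8") as fh:
        document = fh.read()
    return {"registry": registry, "stolen": stolen, "document": document,
            "alerts": scan_for_tokens(evidence, registry)}


if __name__ == "__main__":
    for alert in demo()["alerts"]:
        print(f"ALERT: decoy planted on {alert['placement']} seen in: {alert['evidence']}")
```

Both constructed hits resolve to the same placement, which is the point: the company learns not just that decoy data is circulating but which host it was taken from, and the third party verifying a dark web listing only needs the listing text, not the secret.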
Managing corporate cyber security is therefore crucial: nation-states are actively trying to steal companies’ sensitive information.