By Justin Wiser and Michael Daniells, IndyBar E-Discovery, Cybersecurity and Information Governance Section Executive Committee
“Over the past decade, cloud and internet-based software and service delivery models have fundamentally changed the way organizations manage and update applications and network infrastructure.”[i] Technology makes delivering legal services more efficient. As recognized by the ABA Commission on Ethics 20/20 back in 2011, this is not news to the legal community.[ii] However, this fundamental transformation, adapting technology, software and services, is not without risks. Technology provides numerous benefits, including mobility, accessibility and convenience, but these benefits are accompanied by ethical obligations, the need for security and the risks of inadvertent disclosure and unauthorized interception of data. In fact, approximately thirty (30) state bar associations have issued formal or informal ethics opinions on attorney use of cloud technology.[iii]
It is with this background that we highlight the SolarWinds cyberattack, which has been described as the “largest and most sophisticated attack the world has ever seen.”[iv] On December 13, 2020, a cybersecurity firm, FireEye, “published research that a malicious actor was exploiting supply chain vulnerability”[v] in a product called SolarWinds. SolarWinds makes products that automate activities “such as managing internet protocol (IP) addresses, monitoring devices, and deploying updates.”[vi] Bad actors, also referred to as “Cyber Soldiers,”[vii] “discovered a way to compromise SolarWinds’ software update service for the Orion IT management platform (a SolarWinds suite of products)” and were able to compromise the update and install and distribute malware. SolarWinds announced that the update affected approximately 18,000 networks, which reports have identified as spanning numerous government agencies, including the Department of Energy, the Department of Justice and the Department of Treasury, along with big-name technology companies like Microsoft and NVIDIA.
The SolarWinds cyberattack appears to have occurred as early as March 2020 and it was not discovered until December 2020. During this time, the bad actors had undetected access to the networks. Further, the breach was not discovered until an IT employee at FireEye, whose mission is to expel cyber intruders for its clients, observed that a FireEye employee had two phones registered with the network system. FireEye dug deeper and discovered the malware and connected it to SolarWinds software.
This widespread and far-reaching breach had local implications, as well. The United States District Court, Southern District of Indiana issued General Order/Administrative Policy 2021-01, implementing “new security procedures to protect highly sensitive documents . . . filed with the courts.”[viii]
The television show “60 Minutes” recently broadcast a segment on the SolarWinds attack and its reporting indicates that it is almost certain that additional back doors were created and that new targets/victims of the attack will continue to be discovered. During the next few weeks, we will continue to explore the SolarWinds attack and consider the implications for lawyers and their clients, along with policies and practices to decrease vulnerability from the ever-present, and possibly lingering, risks.
About the Authors
Michael Daniells currently serves at the Marion County Public Defender Agency. He first joined the Executive Committee as a student member in 2016. Justin Wiser is an attorney with Katz Korin Cunningham P.C. He is in the business litigation practice group and serves as the 2021 Chair for the IndyBar E-Discovery, Cybersecurity and Information Governance Section.
[i] Jacob Ingerslev, Global Cyber Risks Uncovered, Global Cyber Risks Uncovered Newsletter (Feb. 25, 2021), https://www.linkedin.com/pulse/supply-chain-attacks-why-theyre-so-dangerous-jacob-ingerslev/.
[ii] American Bar Association, ABA COMMISSION ON ETHICS 20/20 REVISED PROPOSAL—TECHNOLOGY AND CONFIDENTIALITY (Sep. 19, 2011).
[iii] Jason Seashore & Patrick Hughes, State bar associations address cloud computing rules for lawyers, WESTLAW 2015 IPDBRF 3698, WESTLAW INTELLECTUAL PROPERTY DAILY BRIEFING (Dec. 10, 2015); Joshua Lenon, A list of All the Ethics Opinions on Cloud Computing for Lawyers (May 12, 2020) https://www.clio.com/blog/cloud-computing-lawyers-ethics-opinions/.
[iv] 60 Minutes, Unprecedented Russian SolarWinds hack that infiltrated federal government likely still happening (Feb. 14, 2021), https://www.cbs.com/shows/60_minutes/video/BJMDBl_P14QPGckrQzu9n3yMRUEzNZMc/unprecedented-russian-solarwinds-hack-that-infiltrated-federal-government-likely-still-happening/ (“60 Minutes”).
[v] Supply chain compromise occurs when adversaries “manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.” The MITRE Corp., Supply Chain Compromise, https://attack.mitre.org/techniques/T1195/.
[vi] Congressional Research Service, SolarWinds Attack—No Easy Fix (Jan. 6, 2021), https://crsreports.congress.gov/product/pdf/IN/IN11559.
[vii] 60 Minutes.
[viii] Federal District Court for the Southern District of Indiana, General Order/Administrative Policy 2021-01, No. 21-mc-00001 (Jan. 11, 2021) https://www.insd.uscourts.gov/sites/insd/files/2021.01.08%20GO-Policy%202021-01%20Highly%20Sensitive%20Document%20Filing%20SIGNED.pdf. See also, United States Courts, Highly Sensitive Document Procedures and Court Orders (Jan. 25, 2021) https://www.uscourts.gov/about-federal-courts/federal-courts-public/court-website-links/highly-sensitive-document-procedures.