OPSEC for lawyers 101

After the Snowden-revelations, professionals are increasingly becoming aware that operational security is fundamental to the service they provide. This is a topic lawyers should also be concerned about. Here are some issues to get you thinking, and some tips to get you started.

First off: the title of this blog is somewhat misleading, since operational security for lawyers doesn’t fundamentally differ from operational security for journalists, security researchers, etc. It’s mostly the examples that are tailored to lawyers – the rest is generally applicable. Moreover, we will focus on attacks on information security, not on dealing with issues like covert pursuit, so it’s mostly, INFOSEC, not OPSEC that we will be discussing.

Second, when thinking about operational security, it is important to clearly identify the adversary. In this case, the adversary can differ quite a bit:

  • the intelligence service – say GCHQ, who you are suing over TEMPORA and who want to find out your legal strategy;
  • the police – who regularly intercept privileged communications between criminal defence attorneys and their clients;
  • a competitor of your client – who is intent on tanking the stock price of your client; or
  • the other party in a negotiation – say a bank buying part of your client’s company and wanting to know what the bottom line of your client is.

Obviously, the measures needed to protect against these adversaries differ enormously. For this blog, we assume the semi-worst case: low-level attacks by intelligence services. If you can withstand these attacks, you can probably also withstand attacks from a disgruntled competitor of your client.

If the intelligence services are indeed intent on acquiring information and they are putting their weight behind it, you must assume that your information is compromised. It is at the least very difficult to defend yourself against a state actor with billions of dollars to spend (but it might be done with very particular measures).

Tip 1: offer email encryption

Emails are transmitted from sender to recipient through the networks and servers of various parties, and are stored at least temporarily at external mailservers. You don’t know whether they are being accessed by others. Most lawyers communicate almost exclusively by email. Obviously, confidential information is not safe when communicated through normal email.

The solution is to offer to communicate via encrypted emails. This also has the benefit of making it possible to authenticate communication between you and your clients.

You should be aware that email encryption still leaves open two relevant lines of attack. Firstly, it is still possible to know at what time you communicate with your clients (and the fact that you communicate with your client). This could already give important information away – i.e. a lot of email traffic in one day between the M&A department of Goldman Sachs, Amazon and your firm could indicate that some kind of acquisition by Amazon is on the way. Secondly, the Subject:-line is not encrypted, which obviously can also give a lot away.

Tip 2: think twice about using Google or other US service providers

As we have seen from the Snowden-files, the biggest US emailproviders are under close surveillance by the NSA. If you’re serious about protecting your clients, especially if you handle cases against intelligence services, it wouldn’t be a good idea to use the services of, say, Google. However, this doesn’t mean that using other service providers, for example in other countries, would solve this problem entirely. It is safe to assume that also those providers will be under surveillance when you attract the interest of intelligence services, and even if they’re not, we know that the NSA and GCHQ intercept a lot of sea cable traffic anyway.

Tip 3: store the information of your clients in servers in your office

The move to the cloud is relentless. Various service providers are offering cloud services tailored to lawyers. As already discussed above, it is not a good idea to store information at the servers of third parties. The risk of covert surveillance increases significantly and it is quite likely that constitutional protection is lower than if the information would be stored in your own office. Also, it increases the dependency on third parties, opening up the risk of manipulation and denial of service-attacks. This goes not only for your file server, but also for the shared calendar, the CRM-system and other backoffice tools you might use.

You will have to ask yourself whether you want to connect these servers to the internet, to be accessed via VPN. Obviously, if you do this, you need to take serious security measures to block unauthorised access from outside the office. Otherwise, you will need to work with distributed systems, which allow for regular syncing at the office.

As a sidenote: it is interesting to investigate whether cloud services using client-side encryption are a serious alternative to using your own server. Any serious research on this would be highly appreciated (please send this to ot.vandaalen@digitaldefence.net).

Tip 4: use full-disk encryption on all your computers, turn them off while in transit or unattended

Lawyers will often use a laptop, for example when visiting clients or when working from home. A laptop can be stolen or lost. In order to ensure that the data on the laptop is not compromised, it is essential to use full disk encryption on the laptop and use a good password. But think twice about bringing your laptop when crossing borders: even if the information cannot be accessed, a keylogger can be inserted during investigations at customs, making your computer worthless.

Tip 5: browse and read files in virtual machines

The most serious attack vector to gain access to your computer is by sending legit-looking email with links you have to click or files you have to open. Also, a computer can easily become infected by a botnet when browsing, even when reading general newssites, which have been known to serve infected advertising banners. In order to reduce the risk of infection, you should browse the web and open files in a virtual machine in your computer.

Tip 6: use free and open source software and minimise the amount of software you use

This one is debatable. When using non-free software, you are not the full owner of the tools you use in your day-to-day work. This increases your dependency on third parties. Also, some might argue there is a bigger chance that non-free software contains backdoors, but this argument is open for discussion. It is at any rate advisable to use free software as much as possible, even if not completely, for reasons of independence. Also, to reduce the attack surface of your software, try to minimise the amount of software you have installed on your computer as much as possible.

The most important tip: be paranoid

This is only a selection of measures lawyers can take to improve their operational security. But to be honest, it is merely the tip of the iceberg. For example, we didn’t discuss using the telephone or fax, investigating cases, meeting with your client and billing your client, or even buying your IT infrastructure and good IT security practices in general (such as updating often and using good passwords).

So the last tip is: be paranoid. We live in a world were information is the most valuable asset, attackers are increasing and the attack surface is growing exponentially. Lawyers need to adapt to this changing environment, in order to serve their client’s interests as best as possible. And when you’re a client, especially a high-risk one, inquire what measures your law firm has taken to protect you. It could save you unpleasant surprises in the future.