Seminars and Events

Cybersecurity Seminar Series

How Operationally Impactful Malware Fundamentally Alters the Cyber Risk Paradigm: A Legal View

Event Details


This talk covers the relationship between legal, regulatory, business and technology interests and the rise of operationally impactful malware, such as NotPetya and ransomware. This rise has fundamentally altered the response framework for cyber incidents. In the data theft investigations involving personal information or credit card data that formed the core of corporate cybersecurity risk until approximately 2015, investigations to scope an incident were the norm. Companies engaged investigators to understand what happened and assessed the risk in a methodical manner. This approach worked because generally such events were not publicly known. Operationally impactful malware incidents are different. They are frequently known immediately to employees, consumers, business partners and the government because of the direct and obvious impact on operations.

This timing difference alters the interplay between all the parties involved. Take, for example, the federal securities laws. When public companies experience a material cyber incident, they must make filings with the Securities and Exchange Commission (SEC) disclosing the event. In the past, when most cyber incidents involved data theft, such filings could be made with a relatively deep understanding of what transpired during an incident. Many weeks could be spent determining whether an event was, in fact, material. But now the public nature of NotPetya-like events reduces these decision cycles from weeks to hours.

Further, these events have revealed how legal requirements to protect data resulted in a dramatic underinvestment in both mission-critical operations and business continuity and data recovery planning. While organizations have secured their databases, they are nevertheless faced with the unpalatable decision to pay a ransom and purchase keys to restore operations because of the failure to harden critical network infrastructure that is materially underinvested in recovery strategies.

An open challenge for us as we operationalize research work is that corporate networks grow organically and emerge chaotically. Over time, different divisions implement different solutions, companies buy other companies and acquire their IT infrastructure, and legacy systems operate past end-of-life support. In large organizations one may have multiple different security organizations, operating by division or geographic location. Quite frankly, because company infrastructures are an agglomeration of multiple systems over multiple generations, most organizations cannot begin to answer questions such as “what is an operationally critical asset” because many do not even have a comprehensive understanding of the assets on their network. From an attacker’s perspective, anything with an IP address and a vulnerable port is open to exploit, and all too frequently a defender may not even recognize that the system under attack is of critical importance to an operational function.

Having represented clients and led investigations into over a dozen operationally impactful events and served as counsel to some very large public and private organizations seeking to enhance cyber resilience, I will discuss three areas where we need help: greater precision in asset inventory, including defining what an asset is; tools to identify mission-critical systems that operate at scale (> 5 million nodes, > 1 trillion network interactions per day); and incident reconstruction and postmortems – the legal and policy community have advocated for an NTSB-like cyber response unit, but we need technical insight into what to look for and how to structure these analyses.

Seminar Talk Host: Michael Collins, ISI Networking and Cybersecurity Division

Seminar Talk POC: Matt Binkley, ISI Networking and Cybersecurity Division

Note: This talk will not be recorded.

Speaker Bio

John Woods serves as co-head of the Global Cybersecurity practice group and is a partner based in Washington, DC. Over the past decade he has received recognition or ranking in the Legal 500, Chambers Global and USA Guides, Washingtonian Magazine, Corporate Counsel Magazine and BTI Consulting Group. For more information, go to: