Make Yourself Less Attractive To Hackers
An in-house lawyer who leads his company’s cybersecurity program explains how to do that.
Interview: Erez Liebermann / Prudential Financial
“Erez Liebermann is a great fit to lead a legal department’s cybersecurity and privacy program. He had almost a perfect background for it. And now he spends his time trying to convince the world’s hackers that his company is not a good fit for them.
He has a grounding in tech, though not in computer science. His major was aerospace engineering—because that was his father’s field, he says. His passion for advocacy grew from his experience as a debater, which began in high school and continued in college. In law school, he thought there might be a way to combine aerospace and a legal career. But by graduation, he was thinking about the U.S. Attorney’s Office and “going after hackers.” Hacking back then “wasn’t what it is today,” he notes. “But once I started learning about that, boy did it excite me.”
Before he got there, he spent four-and-a-half years at Paul, Weiss, Rifkind, Wharton & Garrison, where he worked on employment, securities, and IP litigation. But also the Napster line of cases, “which was my first introduction to technology and law litigation,” he says. In 2004 he got lucky. Not only did the U.S. Attorney’s Office in New Jersey want to hire him, there was an opening in the cyber section. Somebody was leaving and they needed a replacement, and most people weren’t interested, Liebermann recalls. “There was no post-U.S. Attorney career in cyber at the time.” But he was “delighted at the opportunity.” In addition to cybercrime, he handled a host of other areas that included national security, guns, and drugs. By the time he left, after more than nine years, he was overseeing not only the cyber section but all of the white-collar units as well.
He thought about consulting or returning to a law firm because he liked “putting out fires.” But he wanted to be there after a crisis, to help a company build, so he decided to move in-house. But he did harbor qualms. “There was a fear in me that in-house would be quote-unquote fine,” he confesses. “And I don’t want a job that’s ‘fine.’ ” He worried that it wouldn’t be exciting enough without lots of fires. As it turned out, he needn’t have worried.
CyberInsecurity News: What was Prudential Financial looking for when they hired you in 2014?
Erez Liebermann: They were looking for somebody with some cyber knowledge and some investigative knowledge, with the understanding that maybe the cyber knowledge would be important, but it wasn’t as clear at the time. My original job here was head of the corporate investigation division, which included our high-tech investigations unit. Almost on the side of my desk was: “You’ll be the counsel for the chief information security officer [CISO], if we need that, and if that’s a bunch of work.” And that changed quickly.
CIN: How has it changed over five-and-a-half years?
EL: Pretty early into my time here, our then-general counsel and my boss, who is the chief regulatory officer, realized that cyber is a bigger element, and the law’s role in that is bigger than we all saw originally. And so my role changed, and soon they split me off and took the corporate investigations division and made that separate. But they kept the high-tech investigator with me and added people to be on the legal side to create a true cyber and privacy legal and investigative team. And that’s where we are today. That grew from a few investigators to about 20, and from a couple of lawyers to five. We continue to work both domestically and internationally on privacy and security and related technology issues.
CIN: How much contact do you and your colleagues have with law enforcement? And is most of it information sharing, or are there other benefits?
EL: We have a lot of contact with law enforcement. Anytime you go to hear the Department of Justice or the FBI speak on cybersecurity, they talk about the importance of having a healthy relationship with law enforcement. It’s a little easier for us. We have myself, another former prosecutor, we have a guy who sat with the Secret Service for 10 years doing their cyber cases and supporting their cyber program. So some of that is natural. It’s talking to our friends in the cyber world and keeping up with them. It’s largely for information sharing, but it’s also to talk about threats and incidents. We have referred cyber-enabled fraud cases to law enforcement. They have been prosecuted by the Department of Justice. We have talked, through other companies, of account takeover fraud picked up in the retirement industry in the last three years. Thanks to law enforcement, there’s been a concerted effort to investigate and prosecute individuals responsible for some of that. So it’s not just information sharing. It’s also to refer cases. But it’s critically important. Law enforcement is really at the forefront of this, and they are looking to be true partners.
In the larger financial services world, we’re lucky that we have the Financial Services Sector Coordinating Council [FSSCC], which brings together the financial services companies, law enforcement, and the intelligence community to get briefings and updates on where we stand. And that’s been very helpful for information sharing. But also just the local FBI and U.S. Attorney’s Offices and Secret Service are critical relationships. I highly recommend that other companies have those relationships as well. Once you get to know the agents, you realize that they are happy to have discussions and sit down and talk about matters on an informal basis.
CIN: What about companies that have had some breaches and problems and are concerned that, if they go to the FBI, all of a sudden they may be tipping them off to uncomfortable issues that could quickly spin out of the company’s control? And could adversely affect their business. What would you say to them?
EL: I remember hearing a lot of discussions like that when I joined the U.S. Attorney’s Office back in 2004. And maybe back then, there were some issues. Maybe back then, law enforcement was still learning how to work with victim companies and would go in and do searches that disrupted businesses. But that changed a long time ago. I’m not saying that there aren’t instances in which things happen. But overall, I think law enforcement does much better.
I’ll give you an example. My old office accidentally, in doing a search warrant on a cyber case, shut down a Baby Gap website. Not intentionally, but it went down. So I guess people couldn’t buy some Baby Gap clothing for a while. And that’s not good. You don’t want to disrupt businesses. Now when I was working on a case a few years later, we went into a company that had an issue inside its servers. We asked them, “At what point can we image your servers?” They said, “Can you do this late and not disrupt our operations during business hours?” And so the agents did a search between 2 and 7 a.m. Totally going out of their way in order to work with the business. Law enforcement knows that businesses need to function. They know that if they disrupt businesses as part of investigations, they won’t get calls, they won’t get leads about cybercriminals. And they need that cooperation. So they are working very closely with businesses, and I think the fear of losing control is not as realistic anymore. I’m not suggesting that it can never happen. But that’s not the typical case or even one in the vast majority of cases.
CIN: Cybersecurity is a global program there. What’s the law department’s role?
EL: There’s a view internationally that the U.S. is behind on privacy. And you see that with the European attitude and taking away the Privacy Shield. Hopefully, we’re changing that view. I think it may be a little bit of a misconception. But one thing is clear. In terms of cyber, we were ahead in terms of the regulations, in terms of notifications of data breaches, which now they’ve caught up on with the General Data Protection Regulation [GDPR] in Europe. But also, we were and are ahead in the U.S. in terms of law enforcement relationships. It’s rarer for companies to have relationships with law enforcement there. We have gone abroad to start fostering those relationships, prepping our international partners through tabletop exercises, through training and knowledge, and showing them how to be proactive. We have great businesses overseas. About half of Prudential is overseas, and so we’ve had a great partnership with our team out there, working on how to continue to build their cyber programs and interact with their peers. Which is a growing community. For example, in the U.S. there’s the Financial Services Information Sharing and Analysis Center [FS-ISAC]. They’ve done the same thing in Japan. They have an organization that is starting to bring together businesses for information sharing, just like we are here. It’s a little behind, but catching up very quickly.
CIN: What have been the big issues that you’ve dealt with this year? And what’s taken up most of your time?
EL: We continue to talk about threats. Phishing is certainly a very big threat that we continue to work on. We also see in the news a lot of issues related to data leaks. A number of very well-known companies—I won’t repeat names—have put tens of thousands, even millions of people’s information in the cloud and forgot to properly secure it. We are working on education here so we hopefully won’t repeat those mistakes. We’re also working very closely on continuing to expand our proactive measures, and a lot of those, thanks to the interaction between cybersecurity and privacy law, require careful analysis and balance between those laws. How we conduct employee monitoring and work on insider threats—which is a point of focus for a lot of regulators and companies—while making sure that we don’t ruin the balance of privacy, culture and the company’s ethics in treating its employees is very important. As is the regulatory balance, given some of the regulatory regimes like GDPR, which talks about the monitoring you can do of employees. So we work through issues along those lines, and certainly, the privacy laws have been front and center, between GDPR and the California Consumer Privacy Act [CCPA]. Very important issue for companies.
CIN: Is CCPA one of the big items you’re focused on for 2020? Along with the proposed regulations, a draft of which has just been made public?
EL: Certainly. We expect to continue to hear more. Those are the first draft of the regulations that have come out. We expect that we will hear changes as the industry gives some feedback on those. And we’ve already heard that [Alastair] Mactaggart has come out with some new proposed regulations for next year that would amend or replace CCPA with an updated version. So we’re looking at that. And then we hear news about a potential federal bill, so we keep an eye on that. But all of these bills, along with privacy bills in other states, demonstrate the importance of privacy in the regulatory space and also for consumers. And so we’re tracking that and trying to keep up with all the best practices for companies.
CIN: You mentioned phishing. There’s a lot of data out there that says that’s one of the big vulnerabilities that companies continue to have. You talked about education. What kind of training program do you have, how involved are you and how robust is it?
EL: Phishing really is critical. The No. 1 way for hackers to get into companies is through individuals, and it’s really through individual mistakes—through phishing attacks. The Department of Justice this year indicted the hackers of the Anthem breach—one of the first breaches of its kind for insurance companies. It seems that it was done by state-sponsored hackers in China. And even though it was professional-level hackers, they used phishing to get in. So this is not a tool employed only by simple fraudsters and simple hackers. It’s a top-of-the-line tool. We try to educate on this through public discussions, our yearly training, our town hall meetings, updates to security and to the board and executive leadership. We talk about it and highlight it at every opportunity. And every employee has phishing training. They get phishing tests that they’re not aware of. They get told if they did or didn’t succeed on these. We track that. We follow what other companies do with respect to that. I think it is now very common for large companies to have such phishing programs. And reasonable security really calls for such training. And that practice is what helps companies improve. But even if you get your numbers very low—industry averages are upward of 7 to 10 to 15 percent click rates—let’s suppose you hypothetically got it to 1 percent. That’s one person who let the adversary in. That’s all an adversary needs. Just one wrong click. Hopefully, that’s an overstatement. Hopefully, you then have other protections that would still catch that malware or that code that came in through the one wrong click. But you never know.
CIN: It seems pretty clear how your work at the U.S. Attorney’s Office helped prepare you for your current job. What parts of your job did it not prepare you for?
EL: I was not familiar with the way a company works, having been at law firms and then government. Companies deal with issues like different styles of management, different management structures and budget questions that I didn’t have to deal with in my previous roles. And then culture. It’s a different culture. I worked as a litigator at Paul Weiss, which is an extrovert-driven, Type-A-personality, in-your-face place. Which I loved. I am not using any of those as negatives. And I would say the same about the U.S. Attorney’s Office. And you come to a company that, for all the right reasons, has a broader spectrum of people. They’re not all extroverts. They’re not all Type A personalities. They’re not all in your face. And so working with different personalities has been a great learning experience for me. It’s certainly opened my eyes to how wonderful that is. Having a culture with all of these different types of people really helps build a better company, better program, better consumer response.
CIN: For law departments that have done all the basics in cybersecurity—they have a plan, they’ve done some tabletop exercises—what are some things they need to do to raise their programs to the next level?
EL: It’s very helpful to have a robust information security risk program. Not every company can have such a huge program and a big risk department as a financial services company has. Then it’s helpful to use outside services. Often the way to do it is to work with an outside law firm, which will then work with you to hire an outside consultant and do a risk assessment. Which helps validate from the outside how a company is doing. You could then combine that, as you mentioned, with tabletop exercises. Combine it with your training. And you really get a sense of where there are areas for improvement, and where you’re already at a relatively mature place. And then this also gives you a great feel for benchmarking, which is extremely important. I think it’s important both for the technology folks themselves, but also for management to understand.
Because it’s very difficult to say that you’re ahead of the risks. They keep changing all the time. And so you need to understand if you’re reasonably as secure as other companies are so that hackers don’t look at you as the weak link to attack. And I do think that hackers are opportunists. If you can have stronger security than other companies, then hackers will attack the other companies. Make yourself less attractive to hackers. And the way to do that is to learn where other companies are, learn your weaknesses and keep improving. Keep evolving. Because if you’re in good shape today, and you sit still for a minute, then you’re behind the curve tomorrow.
CIN: Does that mean that you should bring in consultants periodically to do some sort of audit?
EL: Absolutely. You have to keep testing it. It can be done with internal people, but it’s helpful to bring in consultants periodically, to do risk assessments but also to do red teams, which involve hired good-guy hackers who come to check your systems and try to penetrate them from the outside. Maybe give them access inside and see if they can get out. Always, continuously test the system, because even if you’re good today, a few things could happen. The hackers could find a new way of getting in. Or you might develop a new technology that has a new vulnerability. So even if the hackers are staying still—and they’re not—a new technology that a company develops might expose something that was previously unexposed. That combination of penetration tests, red team, external risk assessments happens here a lot. And we have a program of tabletop exercises. I happened to be in one yesterday where we included a tabletop exercise about ransomware for our technical people who would work on that. But we do tabletop exercises with everyone. We do it with our global communications partners, senior leadership, business leaders, HR. Because at the end of the day, if there is a breach, it’s going to involve all elements, and we need to make sure that all of us are ready and have exercised. Just like everyone exercises for a fire drill.”
Mr. Liebermann is Prudential’s Chief Counsel on Cybersecurity and Privacy. He leads a team on a wide range of cybersecurity and privacy legal, policy and investigative matters. Mr. Liebermann serves as primary counsel to the Chief Information Security Officer and IT Risk on information security matters. In this role, Liebermann also oversees the Hitech Investigations Unit. Erez joined Prudential in 2014 after spending 10 years as an Assistant U.S. Attorney in the District of New Jersey, where he served as Chief of the Computer Hacking and Intellectual Property Section and prosecuted the largest credit and debit card data breach investigations to date.