Lobbyists on edge about hackers

For once, Washington lobby firms are aspiring to see “access denied.”

Fearing a disastrous data breach, public policy shops across the city are scrambling to lock down their networks against intrusions by hackers, cyber criminals and foreign governments. 

{mosads}Some firms have begun to encrypt their emails and undergo annual security audits in hopes of avoiding an attack that could tarnish their reputations and send clients fleeing to competitors.

“If your emails are hacked, there is a risk of embarrassment. For a lobbying firm, that risk is acute,” said Harvey Rishikof, co-chairman of the American Bar Association Cybersecurity Legal Taskforce.

But while some firms are focused on strengthening their cyber defenses, progress across the industry is uneven, experts say.

“Though the situation is improving day by day, we do still see major firms with glaring inadequacies,” said Sharon Nelson, president of Sensei Enterprises, an information security firm based in Fairfax, Va.

The pursuit of better data security is intensifying at a time when Chinese and Russian hackers are targeting Washington with increasingly sophisticated online attacks.

Law, lobby and consulting firms are often privy to sensitive information from their corporate clients, making them appealing targets.

The threat has managers on edge, particularly in light of the Sony hack, which exposed emails from film executives that disparaged President Obama and a number of Hollywood stars.

“What a lobbyist might call blowing off steam could harm their business if it offends a client. For them, the risk is less about revealing state secrets or bribery than it is about humiliation, about damage to their firm’s reputation,” Rishikof said.

Though they are rarely discussed outside of top management, data breaches take place regularly at the “downtown” firms that power Washington’s legal industry.

King & Spalding, which specializes in corporate espionage, was revealed in 2010 to have been the target of an attack campaign that hit Google, Intel and Adobe.

Wiley Rein was breached in 2011. Security experts believe China was responsible and seeking information about one of the firm’s solar panel clients.

And McKenna Long & Aldridge alerted employees last year that hackers gained access to employee information, including Social Security numbers, though a vendor company.

The opportunities for hackers to target firms are legion, given that there are more than 100,000 lawyers and lobbyists working in Washington.

One insufficiently complex password or false click on a “phishing” email could give intruders a foothold. Indeed, a 2011 report by security firm Mandiant found that 80 of the largest 100 law firms had been hacked.

This reality, coupled with pressure from financial clients, is prompting firms to reconsider even their most basic precautions.

“This is what we’re seeing replicated over and over again,” said Nelson, whose security firm works with law and lobby shops.

“Clients are asking: Do you have encryption implemented? Is it email encryption or whole disk encryption? Do you have an incident response plan? How do you regulate devices brought from home? How often are your passwords changed?”

At many firms, paying for new cybersecurity measures can introduce tension between partners, who often supply funds for them out of their own pockets.  

Individual attorneys are also caught in a squeeze between market pressure to provide fast service and good security, which takes time to employ.

“Security controls can make your ability to provide legal services more inefficient,” said David Gaulin, the co-chair for PricewaterhouseCoopers Law Firm Services.

“Even steps like logging into email become more complicated. … At the same time, the whole business is going through an ongoing transformation because the clients are demanding more work on a faster, cheaper basis.”

D.C. firms shelling out for more sophisticated security require two-factor authentication for their systems, hiring chief information security officers, and becoming certified for compliance with ISO 27001, an international data protection standard.

Some practices are increasingly using the investments as marketing tools with potential clients, though they are loath to publicly discuss the steps they have taken.

Only a handful of the 40 top law and lobby firms contacted by The Hill responded to a request for comment about their online security, and just three agreed to issue general statements on the record about their cyber practices.

Hogan Lovells, one of the largest law firms in the United States, said it is ISO 27001-certified, employs a chief information security officer and invests in a “wide range of risk-based cybersecurity measures to protect data.” The firm’s lobbying practice represents a variety of aerospace, financial and technology clients.

Van Scoyoc Associates, which represents cities from Baltimore to Palo Alto, said it uses a number of tools to protect client data with “attention to industry-based certifications,” including “encryption technologies on a number of device types and services” and “regular risk assessments.”

The Podesta Group, a top earner, said it takes cyber threats “very seriously” and keeps “abreast of new developments to prevent hacking and other breaches.” The firm lobbies for BAE Systems, BP America, Google and Lockheed Martin.

Other D.C. firms said they would not comment out of fear of educating hackers about their systems.

“We’re sorry, but we can’t run that risk,” one firm spokesman said on background.