NYU Law Forum panelists assess the impact of the SolarWinds cybersecurity breach

On March 24, an NYU Law Forum sponsored by Latham & Watkins probed the implications of the 2020 SolarWinds breach—a massive cybersecurity attack that compromised a number of SolarWinds’s clients, including U.S. government agencies and private sector companies, during a software update.

During the virtual event, which was co-sponsored by the Reiss Center on Law and Security and the NYU Center for Cybersecurity, panelists addressed the scope of the attack, legal considerations for the organizations that were affected, and possible responses to the attack.

Selected remarks from the discussion:

Kristen Eichensehr, professor of law, University of Virginia School of Law; director, National Security Law Center
“We need to reserve that top category of ‘act of war’ for things that actually meet those criteria. States have kind of coalesced in the last couple of years around a standard for what counts as a use of force or armed attack in cyberspace, and the standard that's used is ‘scale and effects.’ So cyberwar, cyber armed attacks, should be reserved for things… that [have] the scale and effects similar to a conventional attack. So we’re talking serious injury or death to people, very serious damage to property, something like that. [The SolarWinds attack] is not that. This does appear to have been just espionage.” (video 13:48)

Judith Germano, senior fellow, Reiss Center on Law and Security; distinguished fellow, NYU Center for Cybersecurity; adjunct professor of law, NYU Law
“As a company who downloaded the software, would you really want to get into a big, hot mess of litigation which also would take years and make you very public? Because right now, we also have unclear issues as to disclosure obligations. Because personal information may not have been accessed, it may not trigger all the different state data breach notification laws and international notification laws. If it’s not materially impacting your financial systems, it may not trigger your SEC disclosure obligations. So, then, the question is maybe you just work it out with your own insurance company, put a lot of resources toward detection and remediation, and making sure that they’re out of your systems to the extent possible, but not get into a big, long public litigation with SolarWinds, which is going to wind up costing a lot of money and be a major distraction for the organization.” (video 24:00)

Posted April 20, 2020