James Moss
Literally we were all sat in the office one day working on our computers. All of a sudden every single screen went black and a message came up in very 80s looking red font. Your system's been hacked. It's been locked down. If you don't pay it, you won't get any of your data back.
Carly Gulliver
What are people talking to their lawyers about when it comes to tech? Welcome to Inside Tech Minds from Addleshaw Goddard. In this podcast, we're sitting down with technologists, investors, business leaders who are at the heart of the biggest tech deals, innovations and disputes.
I'm Carly Gulliver. And today I'm welcoming to the podcast, James Moss. James, nice to speak with you. How are you doing?
James Moss
Good thanks, hi Carly.
Carly Gulliver
James, so I've been waiting for this conversation. We're always bumping into each other talking about what's going on. What's new in cyber? What's new in your world? And it's always super interesting. So for our listeners, tell us a bit about yourself and what you do.
James Moss
Sure. So I have the grand sounding title of Director of Cyber Investigations at Addleshaw's, an inaugural position, but I think it gives a fairly accurate description of what I do and what the wider team does. Essentially, I handle anything that relates to cybersecurity, but more specifically and more often the sharp end of that when things go wrong and people suffer cyber attacks.
Carly Gulliver
That's all very topical at the moment, isn't it? So the sorts of things that you're talking about going wrong and in cyber security, there's been a lot of that in the media at the moment. What sort of things might our listeners relate to in terms of the headlines that we're seeing?
James Moss
I'm sure people will be aware that there's been a number of high-profile incidents relatively recently. Big companies such as Jaguar Land Rover, Marks and Spencers, Co-op, others in the public domain. There seems to be a headline every week at this point that a major company has suffered an attack. From my perspective, this is nothing new. I've been dealing with these types of issues for many years now. But I think it's becoming much more prevalent in the public consciousness. So people are really beginning to see the impact of this on day-to-day lives and businesses that they interact with every day and the wider impact on the economy. So I think what's changing is public, not perception, but public awareness of this issue.
Carly Gulliver
Definitely. I mean, as a consumer, it definitely puts it at the front of my mind when I hear about big brands, big names who are being affected by this. And obviously I suppose that will make it more to the forefront of the people that are listening to this and our clients who will be affected in their smaller businesses. Because am I right in thinking that these cyber security attacks don't discriminate and it can affect a business of any size? Is that right?
James Moss
Absolutely, yes. And whilst certain big names are in the public consciousness and across the front of the newspapers, that's really just the tip of the iceberg. We're dealing with incidents all the time, which are just as serious for the organizations involved, but which don't make the headlines or maybe aren't necessarily public at all. So it's very common. As you say, attackers in this type of scenario really don't discriminate. It's sector agnostic, it's industry agnostic. Public or private sector both have vulnerabilities.
Carly Gulliver
And so some of the areas that you just mentioned, cyber attacks, you know, ransomware, hacking, and the fact that you're definitely the person that we should call when things go wrong, which is always good to have someone like that in your black book. But all of that feels quite far removed from some of what the rest of us lawyers do on our day to day. How did you get into this, James?
James Moss
So I've been a lawyer for the best part of 25 years now and I've always to some extent been dealing with aspects of criminal law and regulatory law. When I very first started and was qualifying, I did what I would summarize as drugs, guns and murder cases. And from that developed a practice doing white collar crime. So large multinational frauds, money laundering cases, bribery, breach of sanctions, breach of trade controls. So those type of multinational cases for big corporate entities, but still involving aspects of criminal law. And what I've seen over those 25 odd years is that just as technology develops, the way businesses work, the way that the internet has become a fundamental part of how everyone does business, just as that environment evolves, so does crime evolve. So the crimes that I used to deal with when I first started out, many of them have fallen by the wayside, become more difficult, and things have developed to prevent those or deter those. Criminals are very inventive and they have developed new ways to make money. And cyber attacks are the current flavor of the month, which is probably the wrong phrase because we've been struggling with these problems for a number of years now and there's no immediate sign of them getting any better. Unfortunately, I have to say, but that's kind of my route into it from the start.
Carly Gulliver
Really does sound like you were in the cut and thrust of it. So some of those things that you just casually said about drugs, guns, other cases at the start of your career. I mean, that looks very different to the start of my career, James. So I think we've got some parallels there with James Bond, let alone James Moss. Should I be calling you 007 from now on?
James Moss
Well, I have had some discussions with parts of... No, I'm not and nor have I ever been a spy. But no, I mean, a number of cases I've had to deal with have dealt with those types of organizations, both in the UK and overseas. And I won't say any more than that. But yeah, there are sometimes national security implications in some of the cases I've had to deal with in the past. I spent five years at the Information Commissioner's Office and I did on occasion have to go into the secret room and use a secret telephone, because they had a secure line. I have to say, without giving away anything confidential, and they may have changed it since, I was very disappointed that it wasn't red and it wasn't a dial phone as it is in the films. It was a quite boring standard black office phone. But yes, those aspects do come up and it's interesting you mentioned it in the context of cybersecurity because historically the type of sophisticated cyber attacks that you're worrying about, say five, seven, 10 years ago, perhaps would almost invariably be in some way state sponsored or involved with a major state actor. And I don't think it's controversial for me to say that places such as Russia, North Korea, China, other nation states, not to say that Western powers don't have these capabilities as well because they do. But the major attacks were based upon sophisticated software developed by nation state actors. So there was often an element of saying, okay, well, is this a purely criminal thing or does this have political implications?
Carly Gulliver
Some of that just sounds almost out of this world really in terms of some of the things you've come across in particularly in the early stages of your career. But on that, tell us some interesting things, James, that you have come across in cases to the extent that you can share, of course.
James Moss
Probably an interesting example is fairly early on, my exposure to cyber attacks was quite theoretical. And then I was actually part of an organization that was subject to one, working for a big law firm, not Addleshaws. This is all in the press, it's all in the public domain. And literally we were all sat in the office one day, working away, doing whatever we were doing on our computers. And all of a sudden, every single screen went black and a message came up in very 80s looking red font, which says your system has been hacked. It's been locked down. Here is the address to pay the ransom to. If you don't pay it, you won't get any of your data back. And everyone instantly was just thrust into that space of what on earth am I going to do? How am I going to function? All my email communication's down. My phone system's down because phones run through the computers. I mean, all businesses, most law firms are the same. There's nothing exceptional about this. I can't access my files unless they're on hard copy. A lot of it wasn't. I can't contact the court. I can't contact the other side in this matter. And literally it's, you are thrown into this situation of how can I function? And having been through that and having been through the sort of the aftermath, working out how to deal with that in practical terms, working out how to function and then working with the IT team to sort of understand, well, how long is it going to take us to get back up and running? And what are we going to do about this? And that ties in to what I was saying earlier, that as it turned out was absolutely nothing to do with where I was working. It was purely collateral damage. It was a Russian targeted attack on the Ukrainians. And, you know, this is back, I think in 2017, so a long time ago, but we all can see from the current news and what's going on in the world that that issue hasn't gone away. So this was digital warfare and we were collateral damage, as were a number of other major companies.
So that gave me a really, in hindsight, valuable, at the time painful, insight into what it's like to live through something like this. And that really coincided with me having an increasing focus on those types of incidents.
Carly Gulliver
Yeah, it sounds very stressful and very worrying to say the least. I mean, I think if I can picture the situation, I think that that must have been, you know, an incredible question mark over people sitting at their desk wondering what to do on the ground. I think that most of us lawyers struggle when the printer breaks down. And I know as a tech lawyer, I'm a bit ashamed to say this, that sometimes the extent of my damage control is control, alt, delete, or turn it off, turn it back on again. But James... putting yourself in the shoes of clients, which it sounds as if you had a very real and personal example there, which gave you a great position to be able to do that. If clients are facing this or people listening to the podcast are facing this type of situation where they find themselves at the pointy end of an attack or a cyber security incident like this, what would be the steps that they should be thinking about taking?
James Moss
So I think the number one thing to say is that you don't want to be in a position where the first time you ask yourself that question is when something happens. Preparation really is key in this type of situation. And it's not the type of thing where, as in other areas of law, sometimes other areas of regulatory law, you're saying to people, you need to worry about this risk, and your clients say, how likely is this to actually happen? And you have to say, realistically, it's pretty unlikely. If it did happen, it would be extremely bad, but it's rare. Cyber attacks are the worst possible combination when you're doing a risk assessment of really quite likely, and also when they happen really very serious. So they should be at the top of everyone's risk register for preparation and planning. And that's a big part of the work we do with clients, which is looking at their policies and procedures and planning, their disaster recovery plans, their crisis management, incident response plans, and helping them to stress test and develop those. So you should already know when this happens what you're planning to do. And that will have key elements of who you're going to contact and who's the key team that's going to work on this. So you will have a triage process, you'll have an escalation process, and you'll have trusted partners who you'll reach out to, to help you manage this. That will include lawyers, not only because we bring the sort of expertise and are able to throw the cloak of privilege over all of this, which is very important for a number of reasons, to protect the business and to keep a lot of what's going on confidential. But also there'll be other people who come in.
You'll always be probably relying on cyber forensic experts, whether those are internal or external, but often external, because those are the technical computer experts who will come in and say, okay, well, who's got into our system, what's gone on, how do we get them out again and how do we get it back up and running?
Carly Gulliver
And I'm not a contentious lawyer. So I understand something about privilege, but just for our listeners, is it right to say that that means keeping something private between the lawyers and the business or whoever the client is in that case? And so that it's out of the public domain.
James Moss
Precisely, yes. Essentially the way privilege operates is that you are entitled to have a confidential discussion with your lawyers about what you're instructing them to advise you on. And you are entitled to not have to disclose the content of those discussions and the advice that you receive to anyone except in very limited circumstances or if you choose to waive that privilege. That's a very high level summary of how privilege works. And there's a number of key reasons why it's important. I think one of the key things is that you are likely to be under regulatory scrutiny. This is the other side of what I've done in this area. So I dealt with, when I was at the ICO, Information Commissioner's Office, a number of cases which were data breaches, significant data breaches, because that's their remit, caused by cyber attacks. And whilst not all cyber attacks cause a data breach and not all data breaches are caused by cyber attacks, the overlap is very significant. So you're often dealing with situations where information has been exfiltrated, i.e. taken off your system, i.e. stolen, either for purposes of selling it for profit or blackmail or a bit of both, in addition to locking your systems down. That's very common now. That's the usual method of hackers. They won't just lock your system so you can't use it; before they lock it down, they'll steal as much information as they can and then lock it down as well.
Circling back around to the privilege question, regulators such as the ICO, but also sectoral regulators, if you're in the financial services area, the FCA, if you're a pensions business, the Pensions Regulator, other relevant regulatory bodies will be looking to see whether you have in place appropriate technical and organisational measures, appropriate security measures to keep the information and the data safe. So you have a double concern, you have the actual main concern of getting your business back up and running and dealing with a cyber attack. And then also you have the concern of protecting yourself from potential regulatory action as well, if it's deemed by the regulators that what you did to prevent this type of thing happening was less than it should have been. So when you're conducting a cyber forensic investigation, when you're saying to people, tell me what happened, how did these people get into our systems? What have they done? What have they taken? You really want to make sure that that investigation and those reports that come back are privileged, so you have control over how much that's shared and what it says. The other big risk with a lot of these matters, alongside reputational risk, which is significant, is litigation risk, because there's a major industry that's grown up bringing claims for data breaches. And you'll see this in any major publicly familiar data breach. There will be law firms coming up, advertising on social media, all those types of things saying, has your data been compromised by this incident? Would you like some free money? And protecting our clients from that type of issue is a significant thing. Not to say that many of those claims are successful, because the majority of them frankly aren't, but defending against them is time consuming.
So again, you want to ensure that you're able to have the safe space carved out, have a frank assessment of what's gone wrong and what's happened under that privilege to protect yourselves if you're facing major litigation.
Carly Gulliver
Super interesting. Thanks, James. I think there's definitely some things there which I'm learning and that I'll be speaking to my clients about. You know, particularly around having the policies and the protocols in place to begin with, because prevention is definitely better than cure, it sounds like. Then understanding if you have those policies and you have those protocols in place, then it will help you to triage that through the business and also through your advisors in terms of what steps you should take and when, I think are super helpful to know about. But I'm really interested to hear more about something you touched upon there and your experience in the ICO and along the lines of data. So what were you primarily doing when you worked at the ICO?
James Moss
The very first call I had was from a colleague of mine who phoned me out of the blue one afternoon and said, have you heard of the ICO? They're literally two train stops away from my house. I said, have you heard of Cambridge Analytica? I was like, yes, because at the time that was front page news. We need somebody with your expertise to pull it all together because this is a major investigation. You've never done anything on this scale before. But for anyone who doesn't remember it now, because it's a few years back at this point, they were a, I suppose you would call it a political consultancy slash marketing type organization business who were saying that they could help influence the course of elections. You know, they said, in a lawful way, by obtaining vast amounts of personal data and profiling types and groups of individuals that you could then target messages at. And the concern was partly where were they getting all this data and whether they were gathering it lawfully and also what were they doing with it. I think a large amount of it was scraped from social media, which ended up bringing into the investigation looking at how Facebook data is being used and what the implications of that were legally. We did bring legal action against Facebook, as it was called at the time, they were fined £500,000, which doesn't seem a lot of money. Probably isn't in the scheme of things, but was the maximum possible penalty in law at the time. So that was the underlying genesis of it. The more we looked into it, the wider it got and the more aspects came into it. Working with the Insolvency Service, going after directors for directors' duties. The main body of the investigation. So I arrived the day after they'd executed the warrants and seized the servers from Cambridge Analytica's offices in London, driven them back up to Wilmslow in a transit van. And I remember someone sort of saying to me, okay, well, we've got about 700 terabytes of data in here.
Should we start reading it or should we print it out? I was like, no, that's... that's quite a lot of information. You're going to need something a bit more sophisticated than that, or you'll be here till the end of time. We're going to need a document review platform for that. So that's how it first started. And it was apparent that there were systems and processes that needed to be built from scratch to run an investigation of that size and complexity. And then a lot of work engaging with all sorts of other regulators internationally, because everyone wanted to know what's on those servers and what's in there and what's in there that relates to our citizens. So we were fielding calls from all over the globe constantly and then having to deal with the complexities of, well, what can we tell these people? What's the legality about sharing information with these jurisdictions about this? So that was a good portion of it. And then there were also parallel investigations into political parties as well. It was absolutely a full-time job. So I did that and then they tapped me on the shoulder and said, well, we quite like what you've been doing with this. So I became their inaugural director of enforcement from the legal team and ended up doing that job for five years. And then for a period of time was acting as general counsel as well to Elizabeth Denham, the then Commissioner, over the Brexit transition period. Doing a lot of sort of structural work and policy work and working out how we were going to continue to exercise our powers and do what we needed to do as the ground shifted under our feet and GDPR hived off into UK GDPR and all that interesting stuff.
Carly Gulliver
That sounds like a really interesting matter to have worked on, but a brilliant career opportunity, high profile, cutting edge, exactly the sort of thing you want to get the call on. I've got a picture of you, James, just in your transit van with the servers driving to Wilmslow with the 007 theme tune on down the motorway. But on a serious note.
James Moss
I missed that by a day unfortunately, but you'll have seen the famous pictures probably of the ICO jackets. This is what everyone wants to know about. They got some FBI style dark blue bomber jackets made with ICO printed on the back. And that was one of the key questions at the time, which is where do I get a jacket? I actually think they missed a trick. Or a version of them. Yeah, it sounds like... No, I didn't get one. I knew where the one was hanging in someone's office, but people always wanted a photo with one on. Let me have a quick selfie with the jacket on.
Carly Gulliver
That's a note to you, James, to make sure next time you get the merch. I've been really interested to learn more from you and your team and the team that you're building in that cybersecurity unit because speaking as a corporate transactions lawyer, we've definitely seen a huge increase in transactions which relate to cybersecurity, either companies which work directly in that ecosystem or around. And it continues to be a really interesting area for high growth scalers and private equity interests. And ultimately some of the big players as well who were looking to buy it rather than build it when these cybersecurity digital agencies become of a certain size and expertise and have clearances of certain levels. It's a hugely exciting investment area as well as obviously an area for you on the regulatory investigation and enforcement side.
James Moss
Yeah, no, absolutely. You know, a good part of what we do is building relationships with people who work in this space. And a lot of the value we can bring to working with clients, whether that's in preparatory work or crisis management, actual incident response work, is to give recommendations and make connections with people who we know are good and know what they're doing in this space. Because inevitably, I think there's been a rush of people wanting to get involved in this area because it's perceived to be new and sexy and valuable. But it's important to have a good understanding. You want to be working with people who have the right expertise and also with the right fit for a particular job. There's massive international big organizations who do cybersecurity work who are excellent, but then there's much more niche, specific, more local businesses who do similar things or certain subsets of similar things. And part of it's about saying, okay, well, who are the best people to work with this client on this incident? Who's going to give them the service they need? And there's always issues as well about, you know, not just expertise, ability to jump into things quickly and also price point, many things like that. So yeah, you can see it's absolutely an expanding business, but understandably so.
Carly Gulliver
Definitely, and not just of direct interest to cybersecurity businesses who are in that space firmly, but to businesses around the edges because of all the issues you've identified around reputational risk and damage to the value in businesses that aren't protected. We've definitely seen over the last 18 months this become more on the radar of investors who are looking at investing in businesses, that they are wanting to know what cyber security steps you have in place. And also the increase of specialist DD providers to do particular due diligence from a cyber security perspective. That's all become hugely important, I think, for all the reasons you've just described. But I think for companies who are looking to go into processes, it's definitely a reminder to make sure that you have that box ticked from a value creation, but also preservation perspective. It's not something which is going to go, you know, it's not a stone that's going to go unturned in this current day and age.
James Moss
So yeah, I think all that's absolutely right. An interesting trend that we've observed fairly recently is certain businesses saying to certain other businesses, we won't deal with you unless we're sure that you have certain levels of cybersecurity preparedness and protection. And we also don't want to deal with you if you don't have effective cyber insurance in place. Insurance is a whole other topic which circles around. It's increasingly common for businesses to have cyber insurance. But I think that's really interesting, that that sort of level of awareness, that having that type of sophistication is sufficiently standard, that it's a precursor of dealing with people and doing business with people. And I think what that's telling us is that you have to have certain levels of cybersecurity in place in order to get insurance effectively. There'll be a tick list and they will say, we'll write insurance cover for you if you have a certain level of protection in place. So it's been taken as shorthand by businesses to say, if you don't have a reputable insurance provider, then how can we be sure that you have appropriate security in place? And therefore, how can we be confident we can do business with you? Firstly, because you have the situation of, you know, if you're relying on someone to provide you with goods or services in some way, and that's business critical for you, and they get hit by a cyber attack and go down and all of a sudden can't function, that's a problem for you. But also if you're letting them connect into your systems, you need to worry about how secure they are as well. So that's definitely a trend, that people are really placing this front and center of their criteria for whether they can safely do business with people.
Carly Gulliver
That's great to know and I know that that'll be interesting to a lot of my clients, James, particularly when they start to think about processes and making sure they've got the things in place that they need to have. So we've covered and we've spoken a lot about your start and how you got into this and naturally touched upon the evolution, if you like, in terms of what has evolved within your space and things becoming a lot more sophisticated, digital, due to the nature of how this area has evolved, and some of the interesting highlights, if you like, in your career. So bring us up to the current date and you looking out now in terms of what's coming up on the horizon in cybersecurity.
James Moss
So I think the threat landscape, as I mentioned earlier, has definitely evolved to the stage where it really is quite chaotic. And there's a large number of groups of wide-ranging levels of sophistication, some of which are sophisticated and very targeted, some of which are, frankly, young people, children, who act in quite a chaotic manner but are still able to cause very significant damage because of the tools which are now easily accessible to them. That threat, whilst it's evolving, is not in my experience, in my view, diminishing. I don't see that happening anytime soon. This is not a problem which has a sort of simple or fundamental solution. There's a number of things that people are talking about, about what can be done. And governments are trying to legislate to help in this area or to, you know, clamp down in this area. But I think this is going to continue to be a significant risk. And therefore, if it's not possible to cut it off and stop it happening at the front end, then preparation, preparedness and resilience are the key things for businesses to understand and to be working on.
In terms of what governments are doing and what legislation is happening, certainly it's becoming a key focus for government because they understand what negative impact this has on the wider economy. That's obvious. You've got changes coming through now in legislation, which are updating the NIS regulations, which are essentially the key cyber regulations in the UK, which dictate that certain businesses who are within the remit of those regulations have to have a certain level of cyber security, and also a reporting regime: when incidents happen, they have to report out to the appropriate regulators. That's been in place for quite a while now. It was brought in pre-Brexit and was a European wide regulation. We've got a slightly confusing situation now where the UK's diverged from Europe. Europe has updated the regulations to something called NIS2. The UK are updating the same regulations in a slightly different way. So you've got regulatory divergence between the UK and the rest of the EU. That's going to continue to play out for months and years to come. But the key focus there, I think, is that across Europe, including in the UK, governments are realizing that regulations requiring businesses, and particularly public infrastructure and critical national infrastructure, so things which the public absolutely need to work properly in order to live and to function: water, power, internet, those types of things, need to be strengthened. So there's that push from a regulatory perspective to tighten things up and to expand the powers of the regulators and expand the remit. So for example, data centers are being brought within the UK regulations where they haven't necessarily been before. Managed service providers are being brought in because it's long been recognized that that's a potential vulnerability for lots of businesses. Even if your security is good, if you're using a managed service provider who has less good security, then that might be a way for hackers to get in.
So those things are happening. There is also a push to limit and regulate ransomware. And this is sort of a pivotal pinch point for the whole thing, because this is a criminal business, as I was saying earlier, it's a multimillion pound criminal business globally. So the way it works and the way that criminals make money from these types of things is to lock down systems, steal data and demand payment of a ransom to reverse that and to give the decryption key, and to delete any data, not release it or otherwise do anything bad with it.
Historically, in most jurisdictions, and certainly in the UK, it's not been unlawful to pay a ransom per se, and quite a lot of them are paid. It's difficult to know precisely, but anecdotally I'd say somewhere between 20 and 30% would be my guesstimate on that, that businesses pay ransoms. So if nobody paid them, understandably, the business model, criminal business model, would collapse. But government has been reluctant to ban them. The proposals that are coming through now, coming down the tracks, are banning public sector organisations from paying ransoms. But that won't, in my view, make a substantial change because effectively the public accounts rules prevent that happening already. So that's not going to make a massive difference. And organisations like the British Library were never permitted to pay ransoms anyway, but it didn't stop them being attacked. There's an element of that where you might think, if hackers are still hitting organizations and demanding ransom from organizations in the public sector who, they know, won't and can't pay them, then how would banning it make much difference? But that's a sort of policy question to ponder over. And then there's going to be a reporting regime which requires organizations who aren't caught by the ban to ask for permission from a government body before they pay a ransom, similar in my view to the suspicious activity reporting obligations under the money laundering rules. So you say, well, we propose to make this payment, tell us if you want to block it or whether we're permitted to, which is going to put a brake on the timing, but not necessarily prevent ransoms from being paid. And then a regime which requires notification of ransoms being paid so government can have more visibility. So all that stuff is floating around. But I don't think any of that is going to fundamentally take away the threat.
It's going to give a better regulatory handle on managing it, but it's not cutting to the heart of what's causing this.
Carly Gulliver
So I think that to wrap everything up, James, what we can see and what I've learned from speaking with you is that we've really got a very specialist area here in cybersecurity. And we all know a little bit about it, but perhaps this is the instance where knowing a little bit can be a dangerous thing, because it's clear to me that it's expanding, it's evolving, changing all the time, and that we really need to speak to experts to be prepared, because prevention is better than cure. You don't want to find yourself in the midst of this not knowing where you need to go.
It's been brilliant to speak to you, James. And I learned a lot. I really enjoyed that conversation. Very topical at the moment. Thanks very much for your time.
James Moss
My pleasure. Thanks very much. Always interesting to talk about these issues and delve back into how I ended up doing what I'm doing now.
Carly Gulliver
Thanks for joining us on today's episode of Inside Tech Minds. If you enjoyed the conversation, don't forget to follow and subscribe on Apple or Spotify or even leave us a review. Thanks for listening and we'll see you next time.