How Attorneys Are Harming Cybersecurity Incident Response

New paper: “Lessons Lost: Incident Response in the Age of Cyber Insurance and Breach Attorneys”:

Abstract: Incident Response (IR) allows victim firms to detect, contain, and recover from security incidents. It should also help the wider community avoid similar attacks in the future. In pursuit of these goals, technical practitioners are increasingly influenced by stakeholders like cyber insurers and lawyers. This paper explores these impacts via a multi-stage, mixed methods research design that involved 69 expert interviews, data on commercial relationships, and an online validation workshop. The first stage of our study established 11 stylized facts that describe how cyber insurance sends work to a small number of IR firms, drives down the fee paid, and appoints lawyers to direct technical investigators. The second stage showed that lawyers, when directing incident response, often: introduce legalistic contractual and communication steps that slow down incident response; advise IR practitioners not to write down remediation steps or to produce formal reports; and restrict access to any documents produced.

So, we’re not able to learn from these breaches because the attorneys are limiting what information becomes public. This is where we think about shielding companies from liability in exchange for making breach data public. It’s the sort of thing we do for airplane disasters.

EDITED TO ADD (6/13): A podcast interview with two of the authors.

Posted on June 7, 2023 at 7:06 AM

Comments

Brian Focht June 7, 2023 9:50 AM

As one of those lawyers, while I don’t entirely disagree with the conclusions of your analysis, there are some missing pieces as well. One of my key roles as an advisor during breach remediation is to ensure that the evidence related to the breach isn’t lost in the response/recovery. Think of a fire investigation – 90% of fires have undetermined causes because the act of putting out the fire and cleaning up after the fire suppression destroys all the evidence. The same happens when IR teams handle the response in a way most likely to achieve the fastest recovery. The vast majority of the evidence is lost, limiting the ability to establish attribution, as well as to prove or disprove the culpability of the company that was breached vis-à-vis their security obligations.

There are certainly problems, but the comparison to the airline industry is of extremely limited applicability: airlines are required to report by law, they don’t do it voluntarily. If the system were voluntary, even a total shield from legal liability wouldn’t be enough to compel airlines to report accidents.

Clive Robinson June 7, 2023 11:13 AM

@ Bruce, ALL,

“So, we’re not able to learn from these breaches because the attorneys are limiting what information becomes public.”

Actually they are limiting a lot more[1]. Because they know from experience,

“Denying any adversary or friend information is paramount in survival not just in war, but in life and evolution.”

As has been previously noted[2],

“Information is toxic”

But for some daft reason, ever since the end of the 1980s with what became “Data Warehousing”, there is a not incorrect view that,

“Any and all data has value”

But few ever ask the two important questions,

1. To whom[2]?
2. What is the risk[3]?

The potential gain is almost always very short term or illusory, but the risk can follow you not just to your grave but well beyond that of others.

Thus a lawyer will see no upside in revealing any information, especially that which others will use for harm, to them or their clients.

Because what everyone tends to forget in a “rose tinted” view is that there are people who will take any and every bit of information, no matter how anonymous, and use it for their benefit in what is at the end of the day,

“A Zero Sum Game.”

So for every “benefit” there has to be a corresponding loss, and actually that hits all players in the game one way or another, as it does even where there is a “liability shield”, “strict anonymity” or both…

So eventually, with time, they all lose. So the only way to win at that game, as was noted at the end of the 1983 movie “Wargames”,

“A strange game. The only winning move is not to play.”

Which is advice I’ve been paid for, even though some chose to ignore it, over and over.

[1] I’m known for saying,

“PAPER Paper, NEVER data.”

Also advising clear, unambiguous archive and destruction policies that limit the amount of time any form of information is kept to a bare minimum. As I note, if you have a policy and stick to it, you are “cleaning”, not “destroying evidence”. Which is an important distinction, as it is almost the first thing those attacking for beneficial gain go for, because it makes you look guilty in other people’s eyes, as well as opening a door on criminal intent and criminal conspiracy, both of which can be used not just for leverage but to in effect “put you in the ground” legally.

[2] We hear about two types of “Electronic Discovery” that various attackers go after. The first is “Loose Threads” the second is “Picture Setting/Framing”. People need to understand that all information is toxic[3] as our host @Bruce has noted on more than one occasion. So the storing of information without due regard is the equivalent of,

“Rabidly and incoherently talking to the police and answering every question the way they want you to, then wondering why you are being fitted out with a noose and wooden overcoat the next day.”

A legal representative will almost always recommend “no comment” at all times. The Government Agency version, where they have in effect no liability, is “We can neither confirm nor deny”, as liability is just a tiny part of “harm”…

[3] Information of any form has been known to be “toxic” for a very very long time. As the,

“If you give me six lines from the most honest of men”

alleged Cardinal Richelieu quote from four centuries ago indicates. But there are other warnings going back thousands of years, the very least of which gives us,

“Don’t shoot the messenger.”

But most importantly Cardinal Richelieu’s,

“Secrecy is the first essential in affairs of state.”

Should be the first guiding principle of “self defence”, as the Law Enforcement statement of the “anything you say” caution should warn… Because as the Cardinal also noted,

“To mislead a rival, deception is permissible; one may use all means against his enemies.”

Of which the most powerful is actually “silence”, as it robs any potential opponent. In the UK army there is an apt saying which also applies to stored information,

“Never leave ammunition for the enemy, be they friend or foe.[4]”

All of which are variants of the much earlier Sun Tzu,

“The whole secret lies in confusing the enemy, so that he cannot fathom our real intent.”

From two and a half thousand years ago, it is a sword that you can cut with in both directions or, as some prefer, “a door that swings both ways”.

[4] It’s important to remember in all things that no two people, no matter how close, ever have the same intent. Thus even if two gain from some joint venture, one always sees they have lost to the other in some way. That view first corrodes, then becomes toxic, until, as all poisons eventually do, it kills. As history shows over and over.

Bcs June 7, 2023 12:00 PM

One possible variation on the concept is to get people to operate on a worldview that liability for past actions is unavailable, whereas future actions that conceal things of public value can create new liability.

If people can be convinced that secrecy won’t avoid them getting in trouble then they will have less reason to conceal what went wrong.

That said, I don’t know how practicable that is.

Bob June 7, 2023 12:10 PM

The lawyers didn’t get involved in a vacuum. Lack of understanding to the point of wet-streets-cause-rain amongst the general public abounds when it comes to infosec. Just look at how many god-awful tech bills elected representatives pass, to say nothing of those they float with not-insignificant support.

A lot of what we see boils down to symptoms of people meddling in things they have no understanding of. Joe Six-Pack and his wife, Karen, going with their gut, screeching, and demanding the wrong things be done because they mistake their lack of knowledge for completeness of knowledge.

C-level is responding rationally by bringing in legal. Legal is responding rationally by clamping down on information. The root cause is that rational people are responding rationally to an irrational environment.

Jon June 7, 2023 2:50 PM

drives DOWN the fee paid

emphasis added?? Somehow I doubt that, in the larger scope of things.

J.

Ak2iFLRc June 7, 2023 5:42 PM

@Ted

“chief provocateur” is what Stewart Baker calls himself, but it’s more accurate to say he was a soldier fighting for the NSA in the ’90s crypto wars. You can find old think pieces of his where he shills for the clipper chip.

And he’s not changed much since then, from what I can tell. His recent defenses of sec 702 of FISA have been just infuriating.

His podcast can be smart and engaging, but there are lots of smart and engaging podcasts out there. It’s only really worth listening to his if you want insight into how big brother thinks.

Ted June 7, 2023 10:53 PM

@Ak2iFLRc

On the latest episode of the Cyberlaw Podcast one of the panel guests references one of Bruce’s posts on AI within the first three minutes.

Just to say, I think the show has a pulse on current events and invites some well-informed folks in for discussions.

https://www.steptoe.com/en/news-publications/episode-461-debating-ai-regulation.html

All this aside, the earlier podcast I posted does have a great conversation about how cyber insurers (and breach lawyers and IR firms) are clamping down on exposing the details of incidents.

Something that caught my attention from the paper though, was the following line:

After all, empirical studies have shown that few cyber incidents result in litigation [53]

For some reason, this is not what I would have thought.

ResearcherZero June 8, 2023 2:49 AM

I’m not sure it’s quite as bad as this article makes out, as long as you are willing to learn how to use it…

“…Somewhere along the way, the idea that the internet existed to be useful to us has morphed into an understanding that we exist to be useful to it, mostly so we can be sold to or manipulated in some way.

“…We’re being data-mined and provoked and trolled, and for what? So we can keep getting data-mined and provoked and trolled, in the futile hope that at the end of it all there might be someone who can explain what “vacant possession” means in language that doesn’t sound like it came from a legal textbook.”

https://www.newstatesman.com/quickfire/2023/06/internet-is-unusable-now-google-technology

https://www.pinsentmasons.com/out-law/news/court-of-appeal-clarifies-meaning-vacant-possession-break-clauses

https://legalvision.com.au/what-is-vacant-possession/

There are some issues to consider.

Tech companies will continue to gobble up your data…

Licences, as Stability AI chief executive Emad Mostaque puts it, “are a kinda moat”.

https://theconversation.com/no-ai-probably-wont-kill-us-all-and-theres-more-to-this-fear-campaign-than-meets-the-eye-206614

A moat is jargon for a way to secure your business against competitors.

https://www.semianalysis.com/p/google-we-have-no-moat-and-neither

“What’s unclear is how much AI work will really move from the cloud to PCs.”
https://www.cnet.com/tech/computing/ai-speed-boost-coming-with-intels-meteor-lake-chip-for-pcs-this-year/

Language models and generative AI demand high-end, power-hungry machinery.

https://www.cnet.com/tech/computing/palm-2-is-a-major-ai-update-built-into-25-google-products/

“If artificial intelligence systems like DLSS can scale up a video game, it stands to reason the same techniques could be applied to other forms of content.”
https://hackaday.com/2021/04/05/ai-upscaling-and-the-future-of-content-delivery/

Connectivity is the linchpin of this vision.

https://www.cnbc.com/2023/05/18/deeres-future-in-precision-agriculture-hinges-on-space.html

“Computer chips could dynamically rewire themselves to take in new data like the brain does, helping AI to keep learning over time.”

https://www.science.org/doi/10.1126/science.abj7943

ResearcherZero June 8, 2023 3:09 AM

@ALL

This raises interesting questions.

Will AI help to secure data from malware/bad actors?

Will AI pass PII to the cloud?

Will corporate lawyers blow smoke up our a***?

@Clive Robinson

A recent example…

“It’s very simple. You have to join the union between Belarus and Russia, and that’s it: There will be nuclear weapons for everyone,” Lukashenko said in a comment aired Sunday night on Russian state TV.

https://www.nbcnews.com/news/world/nuclear-weapons-ukraine-belarus-lukashenko-russia-putin-rcna86640

ResearcherZero June 8, 2023 5:27 AM

Not everyone engages with probity and compliance. Some think movies like Fight Club are a life guide.

‘Dave Durden’

“Between 2014 and 2022, the U.S. Customs and Border Protection caught 180 shipments of counterfeit Cisco devices sent to Pro Network Entities…
Customers of Aksoy’s fraudulent and counterfeit devices included hospitals, schools, government agencies, and the military.”

“Often, they would simply fail or otherwise malfunction, causing significant damage to their users’ networks and operations”
https://www.justice.gov/opa/pr/ceo-dozens-companies-pleads-guilty-massive-scheme-traffic-fraudulent-and-counterfeit-cisco

https://www.documentcloud.org/documents/22082634-2022_07_07_us_v_onur_aksoy_-_indictment_redacted

vas pup June 8, 2023 5:50 PM

@ALL, on a funny note:
“Two guys in a bar. One asks the other, ‘Have you heard that story – 300 lawyers are at the bottom of Hudson Bay?’ ‘No, but I love the beginning.’”

Few real lawyers left like Alan Dershowitz who put Law above his political views or sympathies.

lurker June 8, 2023 7:02 PM

@ResearcherZero
“engaging with probity and compliance”

Not everybody has the time or expertise to go to China, vet the factories, establish guanxi, grease palms with silver where required (they can be horribly offended if you attempt this where it is not required). Selling through Amazon shopfronts? Yeah, that figures these days, but has anyone asked Mr Bezos lately where his morals are?

ResearcherZero June 9, 2023 4:03 PM

Aksoy is a crook without any morals who knowingly set out to rip people off.

Wire fraud gives it away, along with the rest of the details. Aksoy received 7 warnings to cease and desist his illegal activities.

Probity and compliance are there to prevent people getting themselves in trouble. Individuals that avoid probity and compliance often wind up in jail because they knowingly engaged in corrupt and criminal behaviour.

You don’t actually have to be a crook to run a successful business and it is not cool either.

Exposing a threat creates a record of the activity and assists in mapping and identifying other incidents of malicious behaviour.

When scouting for a target, an adversary looks for a ‘mark’ who is more concerned with reputation management than good security practice. Submitting to, or ignoring the threat, does not mitigate it, or alert others. Rather it leaves others at risk of becoming victim to similar attack, perhaps by the same attacker.

ResearcherZero June 9, 2023 4:18 PM

Developing a security policy should be the first order of the day.

Security is a shared responsibility.

“Traditional reactive approaches, in which resources were put toward protecting systems against the biggest known threats, while lesser known threats were undefended, is no longer a sufficient tactic. …the growing attack surface increase the need to secure networks and devices.”

With more data being collected, the likelihood of a cybercriminal who wants to steal personally identifiable information (PII) is another concern.

Organizations can do their best to maintain security, but if the partners, suppliers and third-party vendors that access their networks don’t act securely, all that effort is for naught.
https://www.techtarget.com/searchsecurity/definition/cybersecurity

“‘Preparedness’ refers to the idea of identifying, preventing and responding to threats. …despite awareness concerning attacks, nearly 80% of organizations believe that they would not withstand a serious cyber incursion.”
https://www.cybertalk.org/2022/04/14/cybersecurity-readiness-top-cybersecurity-preparedness-measures/

“From targeted incidents, such as ransomware attacks, to unintentional acts, such as failure to properly install security updates, poor cybersecurity practices can cause severe operational problems and the needless expenditure of funds. Many cybersecurity incidents can be prevented with a few simple, low cost protective measures.”
https://www.cisa.gov/sites/default/files/2023-04/emergency-services-sector-cybersecurity-best-practices-factsheet_042023_508_0.pdf

“offer the most benefit for mitigating risk by deterring threats, limiting vulnerabilities, and minimizing the consequences of attacks and other incidents, and encourages a similar risk-based allocation of resource”
https://www.cisa.gov/sites/default/files/publications/emergency-services-sector-roadmap-to-secure-voice-and-data-systems-032014-508.pdf

lurker June 9, 2023 6:13 PM

@ResearcherZero

From another angle I see Aksoy stepping into a void created by Cisco. They presumably have done the math and decided the loss of reputation by fakes in the market is less than the cost of litigation. So they leave it to the feds via CBP to play whack-a-mole, because when Aksoy is taken down another will rise with the sun tomorrow.

I can remember a time when a company of Cisco’s stature had sales reps who would deliver the boxes to a customer and make sure everything was working. Of course they have been offshored now with everything else except the collectors of the profits. Which unfortunately leaves “hospitals, schools, government agencies, and the military” to buy from gypsies at fleamarkets. Did the 45th POTUS intend to fix this problem?

Security Sam June 9, 2023 6:57 PM

@vas pup

There was a priest, a lawyer and an engineer
And all three faced death by the guillotine
The priest was saved praying to the divine
The lawyer was spared by double jeopardy
The engineer saw a glitch and found a remedy.

Clive Robinson June 9, 2023 7:47 PM

@ lurker, ResearcherZero

Re : Onur Aksoy is a crook without any morals?

“From another angle I see Aksoy stepping into a void created by Cisco.”

Yup, in more ways than perhaps you realise (and the reason I don’t buy Cisco kit any more, because as I and others discovered they were “crooks without any morals”).

Remember he was selling functional product…

“According to the DOJ, Pro Network Entities imported old, used, or low-grade network equipment from China and Hong Kong, having the exporters modify the equipment so it appears as genuine, brand-new Cisco devices.”

From what I understand from various comments that,

“old, used, or low-grade”

network equipment was actually,

“old, second hand, or end of run Cisco devices”

being passed-off as “brand-new Cisco devices”.

Further, Cisco actually brought this on themselves, because they had sold the “low-grade” equipment originally from designs of competitors they had taken over to expand into the home consumer and low end commercial market.

You can see various discussions on the internet in the past about Cisco selling “badge-labelled” equipment, discovered by Open Source “Router Projects” to be functionally identical and thus running the same software…

So,

“They [Cisco] presumably have done the math and decided the loss of reputation by fakes in the market is less than the cost of litigation.”

Yup, which is why they started doing it and ruining their own reputation…

So yeh, there’s quite a bit more to this story that Cisco don’t want coming out, which it would in a civil case, so,

“So they leave it to the feds via CBP to play whackamole”

The fact Onur Aksoy has,

“pleaded guilty to importing and selling counterfeit Cisco networking equipment”

Tells you that a deal has been cut that will spare Cisco Corporate “embarrassment” about what would come out in court.

As for the alleged victims, the sheer volume of sales made kind of tells you they were in quite a few cases knowingly “buying on the cheap”, thus are they really victims or conspirators?

I suspect if Aksoy had not imported directly from “the China Grey Market” but through another country to “whiten it” he would have got away with it for a lot longer, as others are doing with other well over priced “named brands” like Apple and similar products.

So,

“because when Aksoy is taken down another will rise with the sun tomorrow.”

They arose years ago, and were doing very nicely one way or another, until the recent “chip shortage” put a lot of pressure on the “grey market” component supply.

Clive Robinson June 9, 2023 10:16 PM

@ lurker, ResearcherZero, ALL,

Re : Chinese Grey Market products.

This is just the latest in YouTube videos on the perils of “China Knock-offs”[1]

https://m.youtube.com/watch?v=PpTQI0low2o&pp=ygULIkhhbSByYWRpbyI%3D

Fast forward to 10:15 for the limited explanation of what went on.

However, I can tell you more than you can see from the beginning of the video.

Note the power output drop with increasing frequency. The cut-off curve tells me that the FETs used in that amplifier are “grey-market” parts…

Why? Because this circuit was designed by me and a friend[2] back a long long time ago, and it still haunts me to this day for reasons the video shows…

The history started with the release of the Siliconix VN66AF “V-FETs”[3] that were incredibly cheap compared to VHF RF power transistors (about 1% of the price). He designed a number of “Band II” amplifiers for the VHF “Pirate Radio” market. Shortly thereafter “International Rectifier” came out with their own range of high voltage FETs that got unofficially called “IRF-FETs”, which included the IRF510, IRF610, IRF630 parts for pennies, and were easily available in the UK from a company called “Radio Spares” that later became “RS”. This was at a time when CB radio had just started getting “really hot” in the UK and people were prepared to pay a lot of money for “boots”, RF amplifiers that would give one heck of a lot more RF power than the UK limit of 4 watts. So I designed an RF amplifier around the IRF-FETs that was switchable from Class-C for UK FM CB to Class-AB for US AM CB, which though unlicensed in the UK was still highly popular.

Unsurprisingly the design got reverse engineered by not just small CB Radio companies but Ham Radio operators who then published the circuit widely “as their own”. However, in nearly all cases they did not bother with either the “input or output” VSWR protection circuits or thermal safety circuits. Worse, they also replaced the gate bias/protection circuit with a cheap, shoddy, low component count circuit. All of which reduced not just the cost of manufacture but the reliability… as you can see.

[1] The expression “China Knock-Off” goes back a long way. In the 1970s the “China” it referred to was not the “Chinese Mainland” as it does today but the island we now call Taiwan, who took “reverse-engineer” & “re-manufacture” to heights most still can not imagine today.

[2] Roger Howe and I had gone to school together and shared an interest in broadcast systems via AM Pirate Radio, which we helped move into VHF Band II (something else that brought me to the attention of the “Mad Maggies” government). Roger had his own manufacturing company, Broadcast Warehouse, that I had done design work for off and on over the years, including stuff for bomb disposal, Formula 1 racing, radio navigation, DSP audio processors and some more commercial surveillance equipment for Government Agencies. Sadly, as I’ve mentioned before, he died in a freak accident at the beginning of C19. It was when we were designing a low cost genuine anti-viral respirator mask system to protect medical staff in ordinary wards etc. It was designed to be very lightweight and no more difficult to breathe with than standard full face mask respirators. In that it used filters to reduce moisture and dust AND UV-C LEDs to ensure all biological pathogens bacteria sized or below got their RNA/DNA “fried” to unviable, in a similar way to the way UV water filters work.

[3] Siliconix developed the “V-Channel” FET and it had some really nice characteristics,

https://www.mouser.com/ProductDetail/Vishay-Siliconix/VN66AFD

Although only a 15 watt part, that was “dissipation” with Vds of 60V, and in the right circuit configuration you could get around 100 watts RF from a pair of them, in what is now called “Class F” operation. But for various reasons Class F is normally quite narrow band in operation. However, with some “original thought” you could get a better circuit, which Roger designed from scratch and a lot of experimentation. Not only giving high efficiency, it gave an 80-130 MHz bandwidth. The circuit was sometime later analysed and “borrowed without acknowledgment” by Prof Steve C. Cripps and published in a book on RF power amplifiers and in IEEE letters…

name.withheld.for.obvious.reasons June 10, 2023 2:51 AM

We are seeing a number of parallel issues with respect to the practice of law. To me, lawyers should have had enough practice by now to make it a mature profession; sadly it is not. As I have advocated all along, formalism in law should be a good thing. Not dogmatic nor stricture-based, but evidenced with reasoned methods and the commensurate and measurable results. For example, a law that causes measurable harm is not a good law if that harm outweighs any expected benefit. Simple, right? No. Why?

Couple of guesses here:
1. Laws are mostly culture and experiential (local, tribal, bounded).
2. Laws are interpreted respecting both expected outcomes and any measured results (subjective).
3. The ability to understand law beyond the guild model has not changed sufficiently to be structural (development).
4. Professionals are highly motivated to be insular with respect to their own standards (quality/integrity)
5. Law has become internally regulated to the point where law serves other purposes and in some cases affects public interests (mission).
6. Not unlike religion, law is often used as cudgel to manipulate and control people or situations (tool use).

With the number of attorneys violating their ethical and professional standards, the ability to retain one’s license is rarely at risk due to the self-regulatory nature of the profession (are you listening, ABA?).

ResearcherZero June 10, 2023 7:41 AM

Incident Response is about the incident. Responding to it – and hence securing information and sharing information on the incident. Security is a shared responsibility.

Blackmail relies on your silence. Failing to share information with an investigation only assists the blackmailer in increasing their leverage over you. The blackmailer understands you are more concerned with reputation. They manipulate this vulnerability to exploit you further.

“You say words like Pinochet and ‘oh my god that is bad news’, but I don’t accept that. There are two sides to every story and you have to handle it so your side is prevalent. I don’t know why they are [considered] risky clients. They are only risky if what you are trying to promote an idea that isn’t sound.”

“Do you think this is curtains for Bell Pottinger?”

“Almost certainly. But that’s nothing to do with me.”

  • Lord Tim Bell (Bell Pottinger)

A niche industry has sprung up around what is referred to as “reputation laundering.” A growing number of PR firms, ad agencies, lobbyists, and lawyers have begun to cater to corporate and private clients who aren’t happy with the way the public sees them.

“Reputation launderers, particularly public relations and law firms, and their role in promulgating disinformation increasingly are hindering sanctions and financial-crime compliance teams’ ability to conduct enhanced due diligence and make accurate judgments about the risks that certain customers pose.”

“It is this rebranding of an unsavory past that is the essence of reputation laundering.”
https://www.thomsonreuters.com/en-us/posts/news-and-media/reputation-launderers-evade-sanctions/

Legal professionals are the single-most important enabler sector to regulate.
https://www.ned.org/wp-content/uploads/2021/05/Reputation-Laundering-University-Sector-Open-Societies-Cooley-Prelec-Heathershaw-Mayne-May-2021.pdf

Givon June 20, 2023 10:26 AM

Lawyers are hired by firms to protect the firms from lawsuits. What do you expect lawyers to do? They make everything confidential and admit no guilt. The lawyers are not interested in the consumers’ welfare, just the company’s welfare.
