Tuesday, February 16, 2021

The CIA Helps You Protect Your Data

TL;DR- wait, what?! The CIA helps me protect my data? Uhhhhh...

To start off, I'm an attorney. This is relevant because we have to do continuing legal education classes (CLEs) to stay current. I'm partially working on this because I hope to present it someday as a CLE at my local bar. They actually take cyberlaw and cybersecurity very seriously. For the cybersecurity professionals reading this, this is going to be Cybersecurity 101 and insultingly simple. For everyone else, let's get to why you need to actually take cybersecurity seriously, ESPECIALLY if you don't know anything about it.

First, I want to start with the most basic definition. What the heck is this cyber stuff anyway? I get what the Internet is (sort of) but what's cyber?! Great question. First, cyber is an adjective. I remember constantly yelling at my TV every time Senator John McCain came on because he'd talk about "we need to improve cyber." I would always yell back, "CYBER WHAT?!? Cybersecurity? Cyberspace? Shall we improve cybercrime, you freakin' idiot?!" So think of cyber as meaning technology and we'll call it good enough. But that's only an adjective. We need to figure out what particular realm we're talking about. Because I promise you, we don't want to improve cybercrime, even though we might want to improve our defenses against it. For purposes of this discussion, we're talking about cybersecurity. Given the definition I've provided, that means the security of technology.

For those new to this, you're probably thinking, "I just figured out what cyber means and that it's an adjective, and now I have to take on security issues. I can't do that! I don't know enough." That's great, because now we have a starting point for the discussion, definitions, and hopefully a willingness to figure it out. 

I would argue that we need to know the goals of cybersecurity before we can apply any fixes. So what are the goals of cybersecurity? That's where we get to the title... Many people would raise an eyebrow that the CIA is going to help protect your data. But we're not talking about that Central Intelligence Agency. Here, the CIA triad stands for: 

  • Confidentiality- C
  • Integrity- I
  • Accessibility- A

Have these three things in place, and you can trust your data. So what do these actually mean?

Confidentiality means that other people who aren't supposed to look at your information aren't looking at your information. Think of it like this- when you go to the doctor, do you want some other patient in the waiting room to pick up your chart and start reading about and discussing all of the various illnesses you have? Do you want your bank teller to take your credit card to look up your account and then announce to all the other customers what your credit card number and PIN are? Probably not. Confidentiality means keeping certain things secret. For lawyers, rule 1.6 says we have to keep information about representation confidential 1) unless we have informed consent or 2) it's reasonably necessary for certain reasons, AND 3) we have to take reasonable steps to keep information confidential. That's because not many people go visit an attorney because it's the best day of their lives. The way the rule is written, 1 or 2 can apply, but 3 always applies. That means lawyers have an ethical duty to take steps to keep cyberinformation private, so if you do anything on a computer or phone, you must pay attention to cybersecurity.

Integrity: we talk about integrity in the legal profession a lot, but this isn't that kind of integrity. Here, it means keeping the information whole and accurate. Someone might look at that and think it sounds smart, but why would it be necessary? Here's why- what good is information if it's incomplete? If I call another attorney to talk about a case and they say, "I can confirm I represent that person but I cannot provide you with discovery responses because my client shredded the documents." What??? You already know we're going to have a problem in court. Frankly, I don't care if you confirm you represent them at that point because I'm going to do everything I can to make your representation meaningless. Further, I'd argue you aren't really representing them because you haven't done anything on their behalf. How does that look in technology? You go to your computer and open a contract draft to find that the last changes weren't saved, and there went four hours' worth of work down the drain. Now you need to explain to your client why you are trying to bill for another four hours for the same task, or you need to write off the time as a loss. Neither is particularly good.

Accessibility- this means your data can be accessed. This can take many different forms. Let's say that your building has a fire and you cannot physically get to your computer. It's not accessible. Let's say that you open your computer one morning and find that the operating system will not load. In practice, you turn on your computer and it has power, but nothing happens; it never reaches the screen you use to log in. Your information might be fine, but you cannot access it. If you cannot access it, how much good is that information doing?

Let's say there's a blizzard of the century and you cannot physically get to your office to get the files off your computer, but there is a Zoom hearing in three hours. Your information is complete and whole. It's saved on your computer and remains confidential. So what? You lost one of the legs of the table and now it is useless to you. Let's say alternatively that your computer is hacked. You can still access it- that's not the issue. All of the data is whole and integral. That's a problem here because confidentiality has been breached. Finally, let's say your data is confidential. You've used good passwords and you can access it. But the changes in that contract didn't save, so it doesn't have integrity. You're working with pieces of it. This is why you need all three. 

----------------------------------------------------------------------------------------------------
So great- you're convinced. You need the CIA triad. What can you do if you don't know much about cybersecurity? 

For confidentiality, use strong passwords. Yes, they are annoying. No argument. Use one very strong password with upper and lower case letters, numbers, symbols, and at least 8 characters long. Memorize the heck out of that password and get yourself a password manager. Don't rely on your browser- get a password manager. If you remember that one password, it unlocks all the other passwords and can help you generate strong ones. Some of them will work across devices, so for example, I have one that helps me on any of my computers or my phone.

For integrity, do regular backups. Admittedly, you may still not get the last draft of that contract, but you won't have to recreate every contract you're working on. Back up your information. Set it to run automatically on a regular schedule, and send it to a flash drive, a DVD, an external drive, or a cloud service such as Google Drive: somewhere that isn't on your computer.

For accessibility, there are a lot of tie-ins with integrity. If your computer is inaccessible and you have that external drive with you, you can get to your files from home through it. It's even easier with the cloud services because Google Drive can be accessed from anywhere.

But again, think about how these work in relation to each other. If you're backing things up to an external drive but you leave that in the same place as your computer, it might be destroyed in the same event that takes out your computer. If you back up and take the external drive with you, you shouldn't leave it in your car for someone to steal, because this will destroy the confidentiality.
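As an added illustration (not the blog's own code) of the integrity advice above: a backup only helps if you can tell that the copy is whole, so this small Python routine copies a file to an off-computer location, records a SHA-256 digest alongside it, and later checks the copy against that digest. The "external_drive" folder and the sample contract text are constructed for the demo; the truncated copy stands in for a save that stopped partway through.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_file(src: str, dest_dir: str) -> str:
    """Copy src into dest_dir and store its digest in a .sha256 sidecar; return the copy's path."""
    os.makedirs(dest_dir, exist_ok=True)
    dst = os.path.join(dest_dir, os.path.basename(src))
    shutil.copy2(src, dst)
    with open(dst + ".sha256", "w") as f:
        f.write(sha256_file(src))  # digest of the original, taken at backup time
    return dst


def verify_backup(copy: str) -> bool:
    """True only if the copy exists and still matches the digest recorded when it was made."""
    sidecar = copy + ".sha256"
    if not (os.path.exists(copy) and os.path.exists(sidecar)):
        return False
    with open(sidecar) as f:
        return sha256_file(copy) == f.read().strip()


def demo() -> dict:
    """Back up a constructed contract draft, then show a cut-short copy failing verification."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "contract_draft.txt")
    with open(src, "w") as f:
        f.write("WHEREAS the parties agree ... (constructed sample text)\n" * 50)
    dest = os.path.join(work, "external_drive")  # stands in for a flash drive or cloud folder
    copy = backup_file(src, dest)
    intact = verify_backup(copy)
    with open(copy, "r+b") as f:  # simulate a copy that stopped partway through writing
        f.truncate(100)
    damaged = verify_backup(copy)
    shutil.rmtree(work)
    return {"intact": intact, "damaged": damaged}
```

Running `demo()` returns `{"intact": True, "damaged": False}`: the fresh copy verifies, the cut-short one does not, which is exactly the "changes didn't save" failure the post describes.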

This is the crash course in how the CIA helps you protect your data. This is not meant to be an exhaustive discussion on the nuances of cybersecurity. This is meant to get you thinking and asking questions about how to protect your data, why it's important to do so, and demystify the whole thing.
