What do you do?
I help clients anticipate and manage crises. These days most of the crises I handle are criminal and state-sponsored cyber incidents, which have become a pandemic of their own kind over the past year. More broadly, I focus on matters involving tech, national security, and government investigations, drawing on my prior experience as a DOJ national security official.
The field is a natural fit for my background. I grew up in Silicon Valley as the son of two software engineers; I used to tear apart and rebuild computers instead of LEGO. For the better part of the last decade, I worked in the US Department of Justice’s National Security Division, where I focused on issues at the intersection of technology and national security, including the government’s response to state-sponsored hacking, terrorists’ use of the Internet, and post-Snowden leak intelligence reforms. My practice at MoFo allows me to tie those threads together – from counseling clients on responding to cyber incidents to interactions with law enforcement and cybersecurity governance.
What’s keeping you busy?
If the last few months were reduced to a word cloud, the largest words at the centre would be SolarWinds, Hafnium, supply chain risk, the dark web, and ransomware.
What mentors or other influential figures have helped you get where you are today?
I owe a great deal to John Carlin, with whom I worked closely at the DOJ and at MoFo (and with whom I worked, alongside others, to build our global risk + crisis management practice), and Miriam Wugmeister, who chairs our privacy + data security practice. They taught me how to look around corners and think strategically about mitigating business risk. I’m also indebted to Judge Diana Gribbon Motz, whom I clerked for, and who taught me that being concise is an underappreciated virtue in the practice of law.
If you could change one data-related law, how and why would you change it?
I would modernise the Electronic Communications Privacy Act, which hasn’t been meaningfully updated since 1986. At the time the law was enacted, connecting to the Internet meant using a dial-up modem and email was still in its infancy. The law was intended to strike a balance between individuals’ privacy interests and the legitimate needs of law enforcement – but government authorities, service providers, and the courts increasingly strain to apply the law to the cloud, smartphone data, and countless other technological developments from the past 35 years.
How has covid-19 affected what you do?
The pandemic is causing a permanent shift in the way companies organise their workforce and an increasing acceptance of work-from-home and other remote arrangements. That has left security teams to play catch-up and given opportunistic criminals new ways to commit fraud.
What’s the next big thing – what data opportunities are companies now looking at?
Increasing data transfer bandwidths and near-limitless cloud storage and data analysis capabilities have gradually broken down the barriers of traditional on-prem corporate networks. From a security perspective, the shift will require companies to rethink perimeter protection in favor of a “zero trust” network security architecture – a security model that assumes that there are attackers both within and outside the network, and which relies on user attributes, behavioural heuristics and other data points to make authentication and access decisions.
What’s keeping companies worried at the moment – what are some key data risks?
In the wake of the SolarWinds compromise, chief information security officers and in-house lawyers are spending a lot of time thinking about supply chain vulnerabilities and whether they are doing enough to vet vendors and account for the possibility that a trusted third party could be a Trojan horse in their network.
What do you do to relax?
These days, my newborn daughter is an endless source of entertainment (and perspective).