12/31/19
Two decades ago to the day, I sat right here in my home study and thought about how my career as a cyber incident responder was surely about to blast off. Though I had only been licensed to practice law for under two months, I just knew this subject matter was it — my rocket ship to stardom as a baby lawyer!
I had spent the prior two years learning all that I could about the subject, attending client meetings (with licensed attorneys), and accepted an offer to publish a law review article and speak on the subject at a CLE conference the following spring, which sure seemed like a good idea at the time.
The day had come and this was it — the last day of the Millennium and life as we knew it — when the clock struck midnight, the computers running our society would crash, the power grid would fail, planes would be falling from the sky, and there would be mass chaos. And that would lead to lots and lots of people needing legal help. I was ready to spring into action.
Then, the clock struck midnight, the ball dropped, the fireworks went off, and nothing else happened. Nothing. That was it — a dud. Perhaps the worst thing that came from it was that I then had to figure out how I would stand in front of a room of lawyers at Texas Tech and speak for an hour on a topic that didn’t exist — Y2K litigation — and do it on April 1, 2000. Yep, April Fool’s Day … who looked like the fool then?
Thank God this event was a dud and we didn’t have all of the problems that were anticipated. I am also thankful that my work with Y2K helped get me into the area of cyber law in general, which is what led to the career that I now have today. But it also presented another hurdle for several years.
By the time we had reached the late 2000s, along with others, I had begun recognizing and warning people about the business risks of computer hacking. Then, understanding that with many computer hacks, you had an unintended and unauthorized exposure of sensitive information — many times, individual people’s sensitive information — data breaches. But because events such as these had not yet become widely known or widely publicized, we had begun to sound like a bunch of Chicken Little’s warning that the sky was falling and people were not paying attention. I cannot tell you how many times I heard,
“Shawn, we have heard this from you before, we will believe it when it actually happens.”
Friends, as I sit here 20 years later, I can promise you this in no uncertain terms: cyber risk is real, it is already here, it is only going to increase, and it is an existential threat to every single business.
UPDATE:
I changed the title to say this is an “unresolved risk” instead of “it is real” based upon a lot of feedback I received pointing out that Y2K was a very real risk. I appreciate this feedback and agree wholeheartedly.
Y2K was a very real problem and it was through tremendous efforts that it was mitigated. In this article I discuss some of the perspectives of people back in 2000 as to why it didn’t have the impact that was feared.
One very important difference between Y2K and the cybersecurity threats of our day that people must remember is this: Y2K was a problem — a glitch — that could be identified and fixed or at least worked around. The cybersecurity threat is different — it is comprised of attacks from active adversaries who are using cyber as a weapon for war, revolution, espionage, fraud, and extortion. It is not a thing, a problem, or a glitch that can be fixed — it is fundamentally a human nature problem and there are no magic bullets to prevent it.
