The Technical Debt Standard: Impact and Consequences
2024/08/09
Jason Frocht

Ordinary business decisions about software, even those outside the realm of immediate legal liability for law firms, introduce continuous risk into firm operations and call for technological cybersecurity standards. The technical debt standard is a way to conceptualize these unseen risks to law firms. Technical debt, in this context, arises when the development of new program features (in a PC operating system, for example) is prioritized over fixing old issues. [1] Like financial debt, it accrues interest in the form of increased maintenance costs and complexity over time. [2] Furthermore, large amounts of technical debt accumulated over time weaken the cybersecurity posture of critical technologies, burdening companies, clients, and creditors in much the same way as bankruptcy proceedings might.
In our client analysis of technical debt, we describe several tranches of how security vulnerabilities accrue in software:
- 0-1 years: These programs are frequently updated and in active development, making them easy to patch or fix.
- 1-5 years: Software falls out of routine updates over this period, leaving lingering errors that have not been fixed because of expense or feature prioritization.
- 5-10 years: For software that is aging, code refactoring to fix long-term errors may be required at a high cost.
- 10-20 years: We classify these programs as ‘End of Life, Long Term Support.’ They contain errors and vulnerabilities that cannot and are unlikely to be fixed, requiring new software products and accompanying processes.
A common misconception among people without software expertise is that software and operating systems are updated and eventually replaced with newer versions: Windows 95 to 98, then 2000, XP, Windows 7, and so on. This preconception belies the reality that many software platforms, from email services to internet protocols, web browsers, and even legal software, are layered on top of old versions that carry the same security vulnerabilities over from generation to generation. [3] These vulnerabilities are not limited to PC software. As of writing, the National Vulnerability Database has detailed an Apple iOS software vulnerability to which approximately 33%, or around 40 million, iPhones are exposed. [4]
Vulnerabilities in the underlying software of multiple platforms represent a threat to a firm that must operate across them. Client proprietary and privileged digital information cannot be protected by updates to the Rules, nor can the attorney’s work product. Proposals to keep up with regular patching and software updates, in addition to training on best practices, may weed out the 96 to 97% of common attacks that employ simple hacking techniques. [5] This kind of training does not address the underlying technical standards that law firms should use for the final 4%, which is primarily the domain of technical subject matter experts and third-party providers of cybersecurity solutions. One of the clear dangers in this lack of standards is the penetration of third-party data aggregators that law firms rely on for research, such as LexisNexis. In 2013, a hack of LexisNexis resulted in a breach that was most likely accomplished through a failed update of legacy software. [6] In a similar attack by the same hacking group, the attackers broke into the server using a recently patched weakness in Adobe ColdFusion, a piece of legacy software that powered their servers. [7] In basic terms, attacks of this nature are possible because the websites rely on legacy software that can be compromised through unpatched vulnerabilities. A report by Enlyft states that 1435 law practices and 768 related legal service providers use LexisNexis for their services. [8] This hack is an important indicator of the importance of the technical debt standard for one reason above all: LexisNexis is a large technical provider of data aggregation and has a much deeper data security apparatus than a given law firm would have. The fact that such a large third-party provider of legal services was breached indicates an alarming lack of security standards for the legal practitioners who utilize such services. Technical standards for cybersecurity practice are badly needed to alleviate these issues.
To learn more about how CLR Technologies utilizes the technical debt standard to ensure your firm’s security posture, please see our options below.
Notes

1. Vangie Beal, Technical Debt, Technopedia, June 13, 2024.
2. Id.
3. See Arthur-Jozsef Molnar & Simona Motogna, Long-Term Evaluation of Technical Debt in Open-Source Software, in Proceedings of the 14th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM) 1 (2020), https://doi.org/10.1145/3382494.3410673 (last visited Jul 2, 2024). “Early application versions showed greater fluctuation in the amount of existing technical debt. We found application size to be an unreliable predictor for the quantity of technical debt. Most debt was introduced in applications as part of milestone releases that expanded their feature set; likewise, we identified releases where extensive refactoring significantly reduced the level of debt. We also discovered that technical debt issues persist for a long time in source code, and their removal did not appear to be prioritized according to type or severity.”
4. NIST National Vulnerability Database, CVE-2024-23296 Detail, updated May 29, 2024, https://nvd.nist.gov/vuln/detail/CVE-2024-23296.
5. Verizon et al., 2012 Data Breach Investigations Report (2012), http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report2012_en_xg.pdf.
6. The hack of LexisNexis was accomplished using nbc.exe, which is a botnet program. How the hackers in this case gained access is unreported. However, the same group was responsible for a hack on the National White Collar Crime Center, utilizing the same nbc.exe file. That hack was reported, and the hackers were able to gain access through unpatched Adobe ColdFusion server software, which we conclude is the most likely avenue of access used in the attack on Lexis.
7. Jonathan Greig, ‘Federal agency breached through Adobe ColdFusion vulnerability,’ The Record, December 5, 2023.
8. Enlyft, Companies using LexisNexis, accessed July 9, 2024, https://enlyft.com/tech/products/lexisnexis.