
The $26 Hack That Should Terrify Every Law Firm

Tags: Attorney-Client Privilege, Breach Disclosure, Cybersecurity, Data Privacy, Drones, Email Security, Law Firm Security

THE TECHNOLOGY BLIND SPOT

What the Pentagon’s Unencrypted Predator Drone Teaches Attorneys About Privilege, Cyber Hygiene, and the Principle of Least Privilege

In December 2008, American soldiers in Iraq searched the laptop of a captured Shiite militant. What they found changed nothing about Pentagon policy for five more years. It should have changed everything overnight.

The laptop contained hours of video footage. Surveillance footage. Footage shot from American MQ-1 Predator drones flying missions over Iraqi territory.

He had not breached a classified network. He had not cracked an encryption key. He had downloaded a $25.95 Russian software program called SkyGrabber, pointed a commercial satellite dish at the sky, and started recording. The Predator’s video downlink broadcast over satellite in the clear. No encryption. No authentication. No access control of any kind. Anyone within the satellite’s broadcast footprint could watch what the world’s most expensive military surveillance platform was watching.

By July 2009, soldiers found intercepted feeds on additional militant laptops, confirming that Iranian-backed groups intercepted feeds routinely and shared them across extremist networks. The Wall Street Journal broke the story publicly in December 2009. Military officials acknowledged the vulnerability had existed since the mid-1990s. A 2005 CIA Special Advisor report concluded that Saddam Hussein’s regime had likely intercepted the same feeds before the 2003 invasion. The Pentagon knew. For over a decade, it chose not to act.

Every failure the Predator saga illustrates has a direct analog in how American law firms handle privileged client data today. Unencrypted communications. Excessive data retention. Trust architectures built on the assumption that adversaries lack sophistication. The question for managing partners is not whether these parallels exist. The question is whether their firms will need their own front-page moment before they act.

What Happened

The drone saga involves two events, two years apart, that together expose the full anatomy of institutional security failure.

General Atomics built the MQ-1 Predator in the early 1990s using commercial technology. Its satellite video downlink carried no encryption. The drones relayed surveillance video to operators via satellite in a broadcast signal open to any receiver in range. The Pentagon fielded over 600 drones and thousands of ground stations on this architecture. Encrypting the fleet required upgrading every transmitter and every receiving station. The process took until approximately 2014, roughly fifteen years after the first confirmed interception.

On December 4, 2011, Iranian forces captured a Lockheed Martin RQ-170 Sentinel largely intact near the city of Kashmar, 140 miles inside Iranian territory. The Sentinel was a classified stealth drone monitoring Iran’s suspected nuclear weapons program. An Iranian engineer told the Christian Science Monitor that Iran’s electronic warfare specialists jammed the drone’s encrypted command link, forced it into GPS autopilot, then fed it spoofed coordinates so it landed in Iran instead of its home base in Afghanistan. American engineers disputed this account, noting the RQ-170 relies primarily on inertial navigation. The exact mechanism remains contested. What is not contested: the drone landed in enemy hands with extractable intelligence aboard.

Five Failures, Five Parallels

Map both incidents against any standard information security framework, and the failures form a pattern. Each one has a direct analog in how law firms handle attorney-client privilege. Each one escalates.

Failure One: Encryption treated as optional. General Atomics designed the Predator when engineers considered encryption a feature to be added later rather than a baseline requirement. The technology existed. The cost was manageable. The Pentagon deferred the decision for fifteen years because retrofitting 600 airframes and thousands of ground stations seemed operationally inconvenient.

The parallel in legal practice is precise. Only 35% of attorneys use email encryption, according to ABA Legal Technology Survey data. Seventy-one percent rely on a confidentiality disclaimer instead. As Bob Ambrogi observed, that is “akin to putting a note inside a box that says ‘Do not open this box.’” ABA Formal Opinion 477R requires attorneys to assess whether the method of communication affords reasonable confidentiality. An unencrypted email containing privileged information is the Predator downlink problem. The content broadcasts across the open internet, and the firm assumes no one is listening. I examined this architecture of false protection in “The Email Disclaimer Delusion” (Morris Legal Technology Blog), where the evidence showed disclaimers provide no legal protection, no technical protection, and no practical protection.

Failure Two: Securing the input while leaving the output exposed. The Pentagon encrypted the Predator’s command uplink from day one. Engineers protected the signal telling the drone where to fly. The signal showing what the drone saw broadcast in the clear. Rigorous authentication on the control channel, zero protection on the intelligence product.

Law firms replicate this architecture routinely. They implement credentialed access on their document management systems, then share privileged documents through unencrypted email, consumer cloud links, and text messages on personal devices. Once a privileged document exits the firm’s systems, its confidentiality depends entirely on every system it touches in transit. I explored this output vulnerability in “The Conversation That Saves Privilege,” where client communication protocols determine whether privilege survives first contact with the real world.

Failure Three: Excessive data retention on vulnerable platforms. The RQ-170 carried accumulated surveillance data rather than streaming and purging in real time. When the airframe landed in hostile territory, the intelligence came with it. The cybersecurity principle of least privilege holds that a system should retain only the minimum information necessary for its current function.

Most law firms violate this principle by default. They retain client data far beyond active representation, often indefinitely, because purging requires effort and storage is cheap. Every retained file is a target. A breach does not expose only current matters. It exposes everything the firm never deleted.

Failure Four: Single-factor trust architecture. When Iranian electronic warfare specialists jammed the RQ-170’s command link, the drone fell back to GPS as its sole navigation reference. GPS signals are broadcast, relatively weak, and well-documented as vulnerable to spoofing. One authentication factor. Fully compromised.

A firm relying on passwords alone has built its access architecture on the same principle: a single point of failure that any moderately capable adversary can defeat. Credential stuffing attacks, phishing campaigns, and brute-force tools are the GPS spoofers of the legal industry. They require opportunity, not sophistication. When Cravath, Swaine & Moore and Weil, Gotshal & Manges suffered breaches in 2016, attackers extracted M&A intelligence that enabled $4 million in illegal insider trades. The clients bore the market exposure. The firms bore the reputational damage. I examined the targeting logic in “Why Hackers Target Law Firms” (Morris Legal Technology Blog), where the Mossack Fonseca breach exposed 11.5 million confidential documents because one firm’s security failed.

Failure Five: Threat modeling based on arrogance. After Iran displayed the captured RQ-170, an American analyst told Defense News the loss was “like dropping a Ferrari into an ox-cart technology culture.” Within three years, Iran displayed derivative aircraft based on the captured airframe. The assessment was catastrophically wrong because it evaluated the adversary’s perceived capability rather than the system’s actual vulnerability.

Law firms ask the same question differently: “Who would target us?” The 2024 IBM Cost of a Data Breach Report answers it: professional services firms face an average breach cost of $5.08 million. A ransomware operator running automated scanning tools does not know or care about the firm’s size. It scans for open ports, unpatched systems, and weak credentials. It finds what the firm left exposed. Twenty-nine percent of firms have already experienced a breach. Nineteen percent cannot say whether they have. A profession that cannot measure its own exposure cannot claim to be managing it.

The Privilege Consequence

These are not abstract cybersecurity concerns. They are privilege concerns. Attorney-client privilege requires a reasonable expectation of confidentiality. Courts have held that transmitting information over insecure channels or failing to take adequate protective measures can destroy that expectation. ABA Model Rule 1.1, as amended by Comment 8 in 2012, requires attorneys to maintain competence in “the benefits and risks associated with relevant technology.” Forty states, the District of Columbia, and Puerto Rico have adopted this requirement. Model Rule 1.6(c) requires “reasonable efforts” to prevent unauthorized disclosure. The definition of “reasonable” is a function of what technology makes possible at the time.

The Guo Wengui case demonstrates the stakes in concrete terms. A Chinese dissident retained Clark Hill PLC for his political asylum application and specifically warned the firm he was a target of state-sponsored cyberattacks. Clark Hill allegedly agreed to special precautions, including not storing his personal information on the firm’s file server. His information was on the server. It circulated by email. When hackers breached the firm and published the asylum application on social media, Guo sued for malpractice, breach of fiduciary duty, and breach of contract. The court denied Clark Hill’s motion to dismiss. The firm retained data it had agreed not to retain. It circulated data it had agreed to restrict. The data sat where it should not have been.

Practice-Specific Implications

Corporate and M&A. Deal documents on unencrypted channels create concentrated exposure. A compromised email account during an active acquisition can expose transaction details, pricing strategy, and board communications across every pending deal. Firms that transmit term sheets, board resolutions, and merger agreements via unencrypted email have adopted the Predator’s downlink architecture for their most sensitive client work.

Litigation. Privileged strategy documents, expert reports, and work product routinely exit firms through email, cloud shares, and personal devices. A breach during active litigation exposes strategy to opposing parties, creating potential grounds for disqualification or sanctions. As I documented in “I Was Inside EMC When Hackers Stole the Keys to 40 Million Doors,” eDiscovery platforms processing millions of privileged documents become targets precisely because they aggregate exposure across every active case.

Criminal Defense. Defense strategy stored in cloud practice management systems traverses vendor infrastructure with every sync. If prosecution gains access through a vendor breach, the Sixth Amendment implications compound the ethical violations. A criminal defense attorney who transmits case strategy through unencrypted channels has given the government a SkyGrabber opportunity.

The Skeptic’s Objection

The strongest version of the counterargument is not “This does not apply to us.” It is this: “The marginal cost of full encryption, rigorous retention policies, and comprehensive multi-factor authentication exceeds the expected loss for a firm of our size and risk profile. Cyber insurance shifts the residual risk. Bar disciplinary enforcement for technology incompetence remains rare. The cost-benefit analysis does not justify the investment.”

This argument has three virtues. It is honest about the calculus. It acknowledges the real constraints small and mid-size firms face: limited budgets, small IT staffs, and competing priorities. And it correctly identifies that bar regulators have been slow to enforce technology competence obligations through formal discipline.

It also fails on its own terms.

First, the cost calculation is wrong. Basic TLS email encryption is a default setting in most modern platforms. Enabling it costs nothing. Full-disk encryption ships with every current operating system. Multi-factor authentication is free on every major cloud platform. The marginal cost of baseline protections has dropped to near zero. What remains expensive is retrofitting after a breach.

Second, cyber insurance does not restore privilege. When Warden Grier, a four-person firm in Missouri handling insurance claims for Hiscox Insurance Company, suffered a breach by the hacker group Dark Overlord in December 2016, the firm paid ransom to keep the stolen data private. It did not tell Hiscox. For over a year. Hiscox discovered the breach in March 2018 and sued for breach of contract, breach of fiduciary duty, and negligence. The court denied the firm’s motion to dismiss on all counts. No insurance policy would have prevented the malpractice claim. No insurance policy can reconstruct destroyed privilege.

Third, the enforcement gap is closing. ABA Formal Opinion 483, issued in 2018, established explicit post-breach obligations. Formal Opinion 512, issued in July 2024, extended competence requirements to AI tools. Courts are leading where bar regulators lag. The remediation window is shrinking.

Where this analysis is weakest: The obligation framework described above rests on Model Rules that are aspirational in many jurisdictions and enforced unevenly. A practicing attorney could reasonably argue that the gap between what the rules require and what regulators enforce creates a zone of practical immunity. That gap is real. It is also narrowing, and attorneys who calibrate their security to the current enforcement floor rather than the approaching regulatory ceiling are betting on the regulator’s delay continuing indefinitely. The Pentagon made the same bet for fifteen years. The bet paid off until it did not.

The Remediation Question

The most damning parallel between the Pentagon and the legal industry is not the vulnerability. It is the timeline. The Pentagon identified the Predator’s unencrypted downlink in the mid-1990s. Intelligence agencies documented confirmed exploitation by 2008. Full fleet encryption did not arrive until 2014. That is not a technology failure. Encryption existed the entire time. It is a governance failure. The same failure that produces law firms where partners know their email lacks encryption, know their retention policies exist only on paper, and take no action because the breach has not happened yet.

Rule 1.6(c) does not require perfection. It requires reasonable efforts. But reasonableness has a floor, and that floor rises with available technology. When encryption is free, multi-factor authentication is a default feature, and data minimization has clear implementation paths, the argument that these measures are too burdensome collapses under its own weight. A fifteen-year remediation window was indefensible for the Pentagon. It is indefensible for a law firm.

Five Priorities for Monday Morning

Encrypt everything in transit and at rest (Failure One). Enable TLS encryption on every email account. Require full-disk encryption on every device that leaves the office. Encrypt cloud storage with keys the firm controls. ABA Formal Opinion 477R requires attorneys to assess whether the communication method affords a “reasonable expectation of privacy.” Unencrypted email does not meet that standard.
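Enabling TLS is a setting; verifying that privileged mail actually travelled over it is a check. Every mail server that handles a message prepends a Received header, and under RFC 3848 a hop that used STARTTLS records the protocol as ESMTPS (or ESMTPSA when the sender also authenticated); Exchange-family servers instead annotate the hop with a version=TLS note. The following Python is an added example, not code from this blog or from any product it mentions: it reads a message, walks the Received chain, and reports which hops were protected in transit. The sample message, host names and addresses are constructed for the example.

```python
import email
import re

# Constructed sample message: three hops. Received headers are prepended by
# each receiving server, so index 0 is the most recent hop (closest to the
# recipient) and the last entry is the hop nearest the sender's laptop.
SAMPLE_MESSAGE = """\
Received: from mx.example-firm.test (mx.example-firm.test [192.0.2.10])
\tby mail.example-client.test with ESMTPS id abc123
\tfor <partner@example-client.test>; Mon, 3 Mar 2025 10:01:02 +0000
Received: from relay.example-isp.test (203.0.113.5) by
\tmx.example-firm.test (10.0.0.7) with Microsoft SMTP Server
\t(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1;
\tMon, 3 Mar 2025 10:01:01 +0000
Received: from laptop.example-firm.test (10.0.0.42)
\tby relay.example-isp.test with ESMTP id xyz789;
\tMon, 3 Mar 2025 10:01:00 +0000
From: associate@example-firm.test
To: partner@example-client.test
Subject: Term sheet (privileged)

Draft term sheet attached.
"""

# "with <protocol>" clause of a Received header (RFC 5321 section 4.4).
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
# Exchange-style annotation, e.g. "(version=TLS1_2, cipher=...)".
TLS_NOTE_RE = re.compile(r"version=TLS", re.IGNORECASE)


def hop_used_tls(received_value: str) -> bool:
    """True if this Received header records a TLS-protected hop."""
    text = re.sub(r"\s+", " ", received_value)
    match = WITH_RE.search(text)
    proto = match.group(1).upper() if match else ""
    # RFC 3848 protocol names: ESMTPS, ESMTPSA, UTF8SMTPS, ... all carry the
    # trailing S (STARTTLS) with an optional A (authenticated).
    if proto.endswith("SMTPS") or proto.endswith("SMTPSA"):
        return True
    return bool(TLS_NOTE_RE.search(text))


def audit_transport(raw_message: str) -> list:
    """Return one record per hop, newest hop first, with its TLS verdict."""
    msg = email.message_from_string(raw_message)
    hops = msg.get_all("Received") or []
    return [
        {"hop": i, "tls": hop_used_tls(v), "header": re.sub(r"\s+", " ", v)}
        for i, v in enumerate(hops)
    ]


def fully_encrypted(raw_message: str) -> bool:
    """True only if every recorded hop used TLS (and at least one hop exists)."""
    report = audit_transport(raw_message)
    return bool(report) and all(h["tls"] for h in report)


if __name__ == "__main__":
    for hop in audit_transport(SAMPLE_MESSAGE):
        print(f"hop {hop['hop']}: {'TLS' if hop['tls'] else 'CLEARTEXT'}  {hop['header'][:70]}")
    print("fully encrypted in transit:", fully_encrypted(SAMPLE_MESSAGE))
```

In the constructed sample the two outer hops are protected but the first hop, from the laptop to the ISP relay, went over plain ESMTP, so the message as a whole fails the check. That is the Predator pattern in miniature: a chain is only as confidential as its weakest link. Two caveats apply. Received headers are written by the receiving servers, not by the sender, so a hop inside someone else's infrastructure may be missing or differently formatted, and the check proves nothing about how the message is stored once delivered.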

Secure the outputs, not just the inputs (Failure Two). Audit how privileged documents actually leave the firm: email, cloud shares, messaging platforms, personal devices. Access controls on the document management system mean nothing if the documents exit through unprotected channels. Run the audit this quarter. Identify every pathway through which privileged material exits firm-controlled infrastructure.

Apply least privilege to data retention (Failure Three). Implement and enforce retention schedules. Purge data from closed matters past any applicable retention period. Every document retained beyond its operational need is another hard drive in contested airspace. ABA Formal Opinion 483 addresses post-breach obligations that multiply with data volume.
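A retention schedule only reduces exposure if something actually computes which closed matters have aged out and which are exempt. The Python below is an added example, not code from this blog or from any practice management product: it applies a hypothetical retention schedule (years after matter close, by practice area) to a constructed list of matters, honours legal holds, and produces the purge list. The schedule, matter records and dates are assumptions for illustration; a firm's real schedule comes from its policy and the rules of its jurisdictions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Matter:
    matter_id: str
    practice_area: str
    closed_on: Optional[date]   # None means the matter is still active
    legal_hold: bool = False    # a hold always overrides the schedule


# Hypothetical schedule: years to retain after the matter closes.
RETENTION_YEARS = {"litigation": 7, "corporate": 10, "criminal": 10}
DEFAULT_RETENTION_YEARS = 7


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 February close date expires on 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(m: Matter) -> Optional[date]:
    """Date after which the matter's data has no scheduled reason to exist."""
    if m.closed_on is None:
        return None
    years = RETENTION_YEARS.get(m.practice_area, DEFAULT_RETENTION_YEARS)
    return add_years(m.closed_on, years)


def classify(m: Matter, today: date) -> str:
    """One of 'active', 'hold', 'retain', 'purge'."""
    if m.closed_on is None:
        return "active"
    if m.legal_hold:
        return "hold"
    expiry = retention_expiry(m)
    return "purge" if today >= expiry else "retain"


def purge_candidates(matters: list, today: date) -> list:
    """Matter ids whose data is past its retention period and not on hold."""
    return [m.matter_id for m in matters if classify(m, today) == "purge"]


def exposure_summary(matters: list, today: date) -> dict:
    """Count of matters in each class; 'purge' is retained data with no purpose."""
    summary = {"active": 0, "hold": 0, "retain": 0, "purge": 0}
    for m in matters:
        summary[classify(m, today)] += 1
    return summary


# Constructed sample matters (not real clients).
SAMPLE_MATTERS = [
    Matter("M-001", "litigation", date(2012, 5, 1)),
    Matter("M-002", "corporate", date(2016, 8, 15)),
    Matter("M-003", "criminal", date(2010, 1, 10), legal_hold=True),
    Matter("M-004", "litigation", None),
    Matter("M-005", "litigation", date(2016, 2, 29)),   # leap-day close date
]
AS_OF = date(2025, 3, 3)

if __name__ == "__main__":
    for m in SAMPLE_MATTERS:
        print(m.matter_id, classify(m, AS_OF), retention_expiry(m))
    print("purge:", purge_candidates(SAMPLE_MATTERS, AS_OF))
    print("summary:", exposure_summary(SAMPLE_MATTERS, AS_OF))
```

Run against the sample as of 3 March 2025, the schedule flags M-001 and M-005 for purge, keeps M-002 until 2026, and leaves M-003 untouched because of its legal hold. The design point is that the hold check sits before the date arithmetic: a purge routine that can be talked into deleting held material is a sanctions problem, not a storage saving. In practice the output of this step is a review list for the records partner, with the actual deletion happening only after sign-off and with a log of what was removed and when.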

Implement multi-factor authentication on every system that touches client data (Failure Four). Single-factor authentication is the GPS-only navigation of information security. It functions until someone decides to spoof it. Every major platform offers MFA at no additional cost. Enable it.

Threat model based on vulnerability, not perceived adversary capability (Failure Five). The Pentagon assumed militants lacked sophistication. The assessment was wrong. Assume your weakest system will be tested, and ask what that system holds. If the answer is ten years of unreviewed client files, your vulnerability is not theoretical.

When the Wall Street Journal reported that Iraqi militants watched Predator feeds with a $26 Russian program, a Pentagon spokesman called it “an old issue that’s been addressed and fixed.” Military officials declined to confirm that all feeds had actually been encrypted. Five more years passed before the Pentagon finished the job.

The same conversation happens at law firms every week. A managing partner reads about a breach. An IT director raises the encryption question. A committee forms. A budget request follows. The request is deferred. The unencrypted laptop sits in a partner’s briefcase. The privileged email traverses the open internet. The retention server holds ten years of closed matters no one has reviewed.

For fifteen years the Predator broadcast its secrets before anyone encrypted the signal. Your firm’s privileged data is broadcasting right now. The only question is how long you intend to leave the channel open.

This blog provides general information for educational purposes only and does not constitute legal advice. Consult qualified counsel for advice on specific situations.

Connect: LinkedIn: http://www.linkedin.com/in/jdavidmorris | X: @JDMorris_LTech | Bluesky: @JDMorris-ltech.bsky.social

References

ABA Model Rule 1.1, Comment 8 (Am. Bar Ass’n 2012). Technological competence requirement.

ABA Model Rule 1.6(c) (Am. Bar Ass’n 2012). Confidentiality; reasonable efforts to prevent unauthorized disclosure.

ABA Formal Opinion 477R (2017). Securing communication of protected client information.

ABA Formal Opinion 483 (2018). Lawyers’ obligations after an electronic data breach or cyberattack.

ABA Formal Opinion 512 (2024). Generative artificial intelligence tools.

ABA Legal Technology Survey Report (2023). 29% of firms reported a security breach; 35% of attorneys use email encryption.

Ambrogi, Robert J. LawSites. Analysis of ABA survey data on email encryption and disclaimer usage.

Duelfer, Charles. CIA Special Advisor Report, 2005. Interception of unencrypted UAV feeds by Iraqi regime.

Gorman, Siobhan, Yochi J. Dreazen, and August Cole. “Insurgents Hack U.S. Drones.” Wall Street Journal, December 17, 2009.

CNN. “Iraqi insurgents hacked Predator drone feeds, U.S. official indicates.” December 17, 2009.

Guo Wengui v. Clark Hill PLC. Malpractice, breach of fiduciary duty, breach of contract. Motion to dismiss denied.

Hiscox Insurance Co. v. Warden Grier, Dkt. No. 4:20-cv-00237-NKL (E.D. Missouri 2020). Motion to dismiss denied.

IBM Security. Cost of a Data Breach Report 2024. Professional services average: $5.08 million.

LawNext / Ambrogi, Robert J. “Tech Competence” tracker: 40 states, D.C., and Puerto Rico have adopted technology competence requirements.

Morris, JD. “The Email Disclaimer Delusion.” Morris Legal Technology Blog, The Technology Blind Spot.

Morris, JD. “I Was Inside EMC When Hackers Stole the Keys to 40 Million Doors.” Morris Legal Technology Blog, The Technology Blind Spot.

Morris, JD. “Why Hackers Target Law Firms.” Morris Legal Technology Blog, The Technology Blind Spot.

Morris, JD. “The Conversation That Saves Privilege.” Morris Legal Technology Blog, The Technology Blind Spot.

Morris, JD. “The Backdoor to Your Client’s Privilege.” Morris Legal Technology Blog, The Technology Blind Spot.

Peterson, Scott. “Exclusive: Iran hijacked US drone, says Iranian engineer.” Christian Science Monitor, December 15, 2011.

Redgrave LLP. “Litigation, Technology, and Ethics: The Importance of Technological Competence.” 2025 Update.

Singer, Peter W. Brookings Institution. Commentary on UAV feed vulnerability, December 2009.
