Tue, 11/10/2020
This post is a summary of the second Cybersecurity Law & Policy Scholars Conference session, “Cybersecurity Law Policy Pedagogy.” Menard Director of the Nebraska Governance and Technology Center (NGTC) Gus Hurwitz partnered with Jeff Kosseff (United States Naval Academy) and Alan Rozenshtein (Minnesota Law) to launch the Cybersecurity Law and Policy Scholars Conference in 2020. This summary was prepared by NGTC Research Assistant Alan Dugger.
In its second panel discussion, the Cybersecurity Law and Policy Scholars Conference (CLPSC) tackled cybersecurity legal education: what instructors should teach in cybersecurity law and policy courses, and how instructors should approach in a classroom setting. The panelists were:
- Sharon Sandeen, Director of Mitchell-Hamline Law School’s IP Institute
- Bobby Chesney, Director of the Strauss Center for International Security and Law at the University of Texas
- Lauren Scholz, a law professor at FSU who helped found their cybersecurity law program, and
- Asaf Lubin, law professor at Indiana-Bloomington’s Maurer School of Law and – among other accomplishments – Nebraska Governance and Technology Center faculty fellow.
Exemplified by their conversation in the panel, each brings a wealth of experience to the field of cybersecurity law and policy and proffered special insight on how to teach very 21st-century policy and regulation issues to students of a very old profession.
One theme of the discussion was that there is not yet much uniformity on what exactly a cybersecurity law and policy curriculum should contain. Lubin pointed to his current studies on cybersecurity instruction as evidence of this. Working with Harvard’s Berkman Klein Center for Internet & Society, He gathered 60 – 70 syllabi from cybersecurity law instructors across the country and found common themes, but little he could point to as a solid core of knowledge.
Rather than spending too much time discussing the minutiae of what a cybersecurity law program should include, the panelists' comments focused on a common theme to their instruction: that such a program should focus on practical application of legal skills, not theory. In a brief discussion on the value of case law in cyber-legal instruction, Scholz characterized case analysis as a unique skill lawyers can bring to the table in a multi-disciplinary field. Sandeen agreed but emphasized statutory and regulatory interpretation skills over case reading.
The panel emphasized a need for instruction that equips future lawyers with the ability to parse ever-changing technology and regulation and easily communicate legal issues to non-lawyer stakeholders. Multiple panelists pointed out the growing ubiquity of cybersecurity issues in business, and Chesney in particular highlighted the growing importance of cybersecurity in our national dialogue and lives. Business and technology, especially the internet, are only becoming further intertwined, and as Chesney aptly put it, “you may not be interested in cybersecurity, but it's interested in you.”
The panelists reported a common experience of teaching for a multi-disciplinary audience: not just law students, but public policy, business, and computer science students as well, that further highlights the importance of this approach. Cybersecurity legal experts are unlikely to work in a vacuum, but the analytical skills of a lawyer are a valuable asset to a team tasked with solving cybersecurity policy problems.
Scholz characterized the practice of cybersecurity law as predominately a “risk-gauging” activity that attempts to chart a careful, accurate course for clients in the frequent absence of clear regulation and jurisprudence. I see this as a good goal for cybersecurity law instruction. Law is a slow, ponderous field, and the arc of technological advancement is the exact opposite. Especially at the cutting edge of technology, the law tends to be unclear and imprecise. Though Scholz was careful to frame the perspective from the view of in-house counsel, litigators and transactional attorneys have much to gain from this framework. Where the law is unclear, the ability to make accurate strategic predictions based on prior policy and data is likely the best tool in the aspiring cyber-attorney’s toolbox.
This dovetails with the panelists’ intuition and experiences on how instructors should teach cybersecurity law and policy. With a multi-disciplinary classroom, most reported challenges using traditional legal instruction methods, such as case reading. The panelists emphasized getting students to engage with the material through group activities, mock debates, and oral presentations. Multiple panelists suggested focusing on current events in instruction, having students analyze current legal problems as they happen in real-time. Some discussed the value of guest speakers, able to offer differing perspectives on cybersecurity and the law. Sandeen in particular argued for an emphasis on foundational, transferable legal skills focused on analyzing statute and regulation. All of these approaches seem well-suited to train lawyers who are law and policy decision-makers able to thrive in an inter-disciplinary environment.
Panelists were fairly candid about challenges facing the cybersecurity law and policy field as well. The panelists identified a sort of myopia in the field of cybersecurity law and policy. Lubin brought up the fact that cybersecurity instruction tends to have a US-based viewpoint; most case studies are American cybersecurity events. While worthy of study, cybersecurity events happen worldwide, and international issues could be brought into sharper focus. Of course, no class can cover all things and Lubin later admitted he often cuts international legal issues from his curriculum, but I think his intuition here is correct. He refers to the Sony hack of 2014 and Russian election interference in 2016 as examples of American-focused cybersecurity case studies, but both malefactors were from outside the US. Cybersecurity issues are inevitably going to intersect with international law, and a well-rounded cyber-lawyer should be at least conversant in international law principles.
He also raised the point that there is a dearth of a diversity of voices in the field and posited that incorporating a race and gender diverse viewpoint would be worthwhile. Sandeen, concurring, briefly discussed the role of women in information management history and that this should be emphasized going forward. Panelists also discussed the lack of clarity between cyber and privacy law from an outside viewpoint and how that can muddy the waters when making a case for instruction and investment. Lubin pointed to great disparities in investment in cybersecurity law and policy across institutions and how this has ramifications on the quality of instruction. A lack of diversity and investment in cybersecurity law and policy are definite headwinds for the field, and each is worthy of in-depth future CLPSC panel discussion.
Alan Dugger is a second year law student at the University of Nebraska where is also part of the Nebraska Governance and Technology Center Student Fellows program and supports the center’s faculty as a research assistant. His interests include online speech, privacy rights, voting rights, and internet regulation. Learn more about Alan.
Tags: Guest and Fellow Post
.jpg)