A New Approach to Cybersecurity Law

In a new, interdisciplinary course, students at Columbia Law School tackle the technical, legal, and policy aspects of cybersecurity.

In late September, when a new cybersecurity class at Columbia Law School met, a student noted that the Securities and Exchange Commission had just disclosed that its EDGAR database had been breached. Authorities suspect that hackers were hoping to trade on insider information, she added.

Then the conversation got really interesting. Another student asked how a would-be stock trader could obtain material, nonpublic information from EDGAR, which houses only public documents relating to public companies. A third student offered a theory: Perhaps the hacker was breaking into a staging server, where documents are held prior to their public release.

Such rich discussions were exactly what the professors had in mind when they created the course Cybersecurity: Policy, Legal and Technical Aspects. Taught jointly by professors from Columbia Law School, Columbia University’s School of International and Public Affairs (SIPA), and the Computer Science Department of Columbia’s Fu Foundation School of Engineering and Applied Science, the new course draws students from all three schools. As a result, students are constantly educating one another, as are the professors, each of whom is an authority in a different facet of the field.

Professor Matthew Waxman“The thought behind this class is that, to really understand the challenges of cybersecurity, you need an interdisciplinary background,” explains Matthew Waxman, the Liviu Librescu Professor of Law who is chair of the Law School’s National Security Law Program and co-chair of the Cybersecurity Center at the Columbia Data Science Institute. “You need an understanding of the technical aspects of digital technologies; the legal issues and pertinent regulatory frameworks; and the politics and policy decisions being made in this area.”

In recent years, through his work on cybersecurity, Waxman came to know Professors Steven Bellovin of the Computer Science Department and Jason Healey of SIPA. “We’ve been intellectual collaborators for some time,” says Waxman, who has held high-level positions in the U.S. Departments of State and Defense, and at the National Security Council. “We wanted to try teaching together.”

With the enthusiastic support of all three deans, the Data Science Institute, and the Columbia Global Policy Initiative, the professors launched the course in September. The curriculum will cover cryptography, surveillance, and international cyber conflict. Though one professor usually takes the lead in each class, depending on the topic—Waxman, say, when outlining the legal framework governing surveillance law—all participate in every session. There’s no textbook, so readings run the gamut—from court cases to scholarly articles to legislative materials to press reports to blog entries to YouTube videos.

Guest speakers also add spice. At a class in September, for instance, Pulitzer Prize–winning journalist Barton Gellman—a visiting scholar at the Law School this year—discussed the secret, post-9/11 National Security Agency surveillance programs that fugitive ex-NSA contractor Edward Snowden revealed to the world in 2013, in large part through Gellman. Gellman raised questions about whether the traditional legal distinctions drawn between content of our private conversations—which the government cannot listen in on without a warrant—and their metadata (e.g., the phone numbers a suspect calls), which lacks such protection, continue to make sense in our contemporary digital world.

Behind such conversations is an ambitious goal to train professionals who “speak more than one language, if you will,” as Bellovin, the Percy K. and Vida L. W. Hudson Professor of Computer Science, put it. The co-author of the cybersecurity bible Firewalls and Internet Security, he has served as a top technology adviser to the U.S. Federal Trade Commission, the Privacy and Civil Liberties Oversight Board, and the Department of Homeland Security.

“As a tech guy who has spent a reasonable amount of time in Washington, D.C.,” he continues, “there are a lot of decisions that are made there without an understanding of the technology implications of what’s been decided.”

Healey, a senior research scholar at SIPA, had similar experiences while serving as director of cyber infrastructure protection at the White House from 2003 to 2005. “I was struck by the complete misunderstandings between the technologists and the policy folks,” he recalls. Even the simple word “attack”—which was, to the technical people, just a descriptive term for any unauthorized breach—was emotionally fraught for the military generals, he explains. Healey, who has a master’s degree in computer science, was the founding director of the Atlantic Council’s Cyber Statecraft Initiative, where he is still a senior fellow, and the editor of the first history of cyber conflict, A Fierce Domain: Cyber Conflict, 1986–2012.

As their culminating project, students will write a paper proposing a solution to a cybersecurity problem. The twist is that each paper must be written by a six-person team, composed of two students from each school.

“As professionals,” Waxman explains, “grads should be equipped and trained to work with people from different disciplines. Lawyers and policy analysts need to work with engineers, and engineers need to understand legal constraints and ethical issues.”

In completing the assignment, the students will, indeed, learn to speak each other’s languages. 

###

Posted on October 12, 2017

Back to latest news at Columbia Law