CyberInsecurity News™

OCTOBER 2018
INTERVIEW: MATTHEW WAXMAN / COLUMBIA LAW SCHOOL
PREPARING LAWYERS FOR CAREERS IN CYBERSECURITY
Photo on wall of Prof. Waxman’s office: (foreground) Matthew Waxman and Condoleezza Rice; (background) President George W. Bush and his personal secretary, Ashley Estes, now married to Justice Brett Kavanaugh

Bobbleheads on Prof. Waxman’s desk: (from left) former Justice David Souter, for whom Waxman clerked; former Chief Justice Charles Evans Hughes; Alexander Hamilton
Matthew Waxman
Tapping into multidisciplinary instruction, law schools provide students with the kind of background they need.
The word “cybersecurity” may raise the blood pressure of general counsel, but it provokes a very different reaction in law students. Instead of data breaches, they think of jobs. Matthew Waxman has an excellent vantage from which to observe this phenomenon. He’s a professor at Columbia Law School, where he teaches (among other subjects) cybersecurity. He’s also co-chair of the Center for Cybersecurity, which is part of the school’s Data Science Institute. Founded in 2012, the institute is the home of eight research centers. All are not only data-driven, they bring together from across the university scholars and experts from diverse fields who were once siloed in separate schools and departments but now work together to solve problems. The students aren’t the only beneficiaries from this approach, Waxman says: he has also learned a tremendous amount. And the upshot is that his students will be well positioned to join the booming cybersecurity job market—a prospect that certainly has their attention.

CyberInsecurity: Tell me a little about the cybersecurity class you taught last year, and how this year’s offering compares.
Matthew Waxman: I’ve been experimenting with different approaches. Last year I co-taught a cybersecurity class with a professor of computer science and a professor of public policy. We had an equal number of students from all three disciplines, and they had to work together in teams that had computer science students, public policy students and law students—examining, analyzing and dealing with a problem together. And they produced really fantastic memos. This year I’m teaching a course in cybersecurity and data privacy law for law students. One of the features of the course is bringing in practitioners from law firms, along with practitioners who have worked as in-house lawyers and those who have worked as government lawyers, to walk students through some simulation exercises, to try to paint a picture of the problems that a lawyer in this field would confront. An example: After we study some of the law that is related to data privacy and data breaches, we bring in an outside practitioner to work through with the students some scenarios. Imagine you are the in-house counsel’s office at a major retailer, and you’ve just been informed of the following facts about a likely data breach. What do you do?

CI: Is that a simulation or a hypothetical?
MW: I’m calling them simulations with hypothetical facts. We’re trying to walk through not just the concepts, but also the deliberative processes, the analytical processes. We’re interested not just in what are the answers to certain questions, but who do you call, what are the most urgent things that you, as a lawyer, need to worry about? So it’s an attempt to do at least three things. One is to teach students about the substance of law in this area. Second, to teach them about the practice of law and some of the thought processes or the bureaucratic processes that you go through. And third, to show them the range of careers that one can have in this area, which is booming.

CI: I understand that one thing you’re planning to do, with outside help, is to simulate a data breach the way that companies sometimes do.
MW: Yes, one of the things that many companies are doing now is “tabletop exercises,” in order to make sure that they’re ready for cyberattacks or data breaches. And we want to engage in that kind of exercise. What distinguishes it from the way that law school is often taught—because law school classes deal with hypotheticals all the time—is that we want students to assume clear roles. That’s one of the things that is very important to the practice of law generally, and is critical to understanding this field. It’s not just about understanding the legal concepts, but understanding the different roles that are important in handling some of these incidents. How do we think about the responsibility of the board of directors? How do we think about the role of certain officers in the company’s C-suite? What kinds of interactions would in-house counsel have with government agencies in the immediate aftermath of a data breach?

CI: I noticed in looking over your syllabus that the letters TBD—to be determined—appear quite often. Want to explain?
MW: [laughing] Yeah. A part of that is the practical challenge of lining up the best guest speakers on the right dates. But it also reflects the fact that the field is moving so quickly. You can’t scroll through a day’s news without seeing new case studies, new reports, new legislative proposals, new international developments in this field. A syllabus finalized this summer would already be a bit out-of-date midway through the semester.

CI: You must feel at times almost like (you’ll excuse the expression) a journalist.
MW: That’s right. One of the things we’ll be doing throughout the semester—and this is something we did in the course we taught last year—is beginning each session with a review of cybersecurity in the news. What were some of the things you read about over the last week that caught your eye? There’s way too much. That’s one of the challenges for cybersecurity law. Technology is moving faster and faster, but law tends to evolve pretty slowly. One of the real difficulties for this field is: How do you design regulations and regulatory institutions that can keep up with the rapid change of technology? I think that will be a big challenge for the internet of things.

CI: How widely has cybersecurity entered the academic world on the undergraduate as well as the graduate school level? And not just here, but around the country?
MW: At the undergraduate level, there is huge student demand, and a lot of that is driven by the fact that there’s so much going on in the news that captures the imagination of students. It’s also a product of the labor market, and the fact that there is so much work to be done. There are many different paths to follow in this field. Obviously, you can go into a technical field like computer science and engineering and develop a certain expertise. But there are also career paths on the business side or the international relations side. Students are approaching their intellectual interests and their career development from a variety of different perspectives, and one of the real keys to education in this area is developing at least some basic fluency in several different dimensions. The people who are best equipped to emerge as leaders are going to be those who may be trained in a certain specialty and have a high level of expertise in a particular discipline, but who also understand the problems from other disciplines. Speaking as a law professor, my ambition is not to train law students to be able to build their own firewalls, though I have one who did. I want law students to understand a certain basic knowledge of the underlying technology—like some core concepts of how the internet functions. I also want to encourage and empower them to dig more deeply into the areas of technology and public policy that interest them.

CI: The ABA has made it clear in its Model Rules that lawyers have a duty to be technologically literate. And savvy, to some extent. Is this an issue you address with students?
MW: Yes, it is. In addition to legal requirements and the kinds of good personal data practices that any individual should have, lawyers have certain ethical obligations to protect client information. This is an important issue that firms are confronting, and with big commercial implications. A number of cases have been widely reported—major cyberattacks or data breaches. Law firms often hold company crown jewels. It may be important trade secrets. It may be sensitive information about impending deals. It may be sensitive information about top corporate officials. This means that they are a target for hackers, and we will continue to read stories about big firms being hacked.

CI: For law students who focus on data privacy and cybersecurity, is there a career path to an in-house job?
MW: Absolutely. I would say that developing expertise in cybersecurity and data privacy law is a great way for a student or a young lawyer to position himself or herself for a career as an in-house lawyer. First of all, the field itself is booming, and so there’s great demand among companies in those spaces. But also, every major company needs to be thinking about these issues. Every large in-house counsel’s office needs to develop some capacity in this area. Even if they’re relying heavily on outside counsel for a lot of the work, the in-house counsel needs to know what questions to be asking.

CI: And what about at law firms?
MW: One trend that we’re seeing is a dramatic rise in the number of big law firms advertising cybersecurity and data privacy practices. Part of that has to do with the fact that there’s just a lot of work out there. And part of it is that big corporate clients or big individual clients, when they’re shopping firms, want to know that a firm can take care of their needs in this area. So you’re seeing more and more firms advertising their practice in this area, and students are flocking. It’s a big draw for many students.

CI: When you were coming up from the ’hood, there weren’t these kinds of classes. You took a national security approach, and you followed a path that took you through a healthy stint of government service at a very high level (and I’ll come back to this in a minute). Looks like it all went very well. But how did you acquire your knowledge of tech?
MW: [laughing] You’re right, I didn’t take classes that I now teach. I personally come at these issues mostly from a national security and foreign policy perspective. That’s the angle that I’ve entered this world through, and there are, of course, huge national security and foreign policy dimensions to them. But this is not a field that I was introduced to in law school. I have had to build my understanding of technology as I’ve gone. Now my work deals not only with cybersecurity and data privacy, but also artificial intelligence and machine learning—another area where the intersections with law are huge, and with big public policy and commercial dimensions. So I’ve had to teach myself a lot about technology. One way is through my work at the Data Science Institute. I have ready access to some of the world’s premier experts in network security, hardware security, data science, engineering—right here on campus. But universities can often be pretty siloed. And one of the great things about the Data Science Institute is that it brings us together around common challenges and problems, like encryption, that many of us are looking at from different angles. So I find myself very fortunate that, at 46 years old, every day is a great education for me.

CI: Do you have a sense of what material in your courses your students are most interested in?
MW: They’re certainly interested in the kinds of things that we read about in the news, like big data breaches and state-sponsored cyberattacks. Students are also very interested in data privacy—in part because it’s something that’s very personal for them. Students are coming into class with multiple devices. They’ve got their laptops open. They’ve got their phone on the table. They’re constantly reminded about issues of personal data privacy. So when we study data privacy and surveillance, that hits home. They start thinking about just how many digital crumbs they’re leaving about themselves as they go through the world.

CI: Tell me about your government work.
MW: I worked at RAND as a national security analyst before and during law school. And I was interested in going into the field of national security law before it was a big thing. These days you have a lot of big law firms saying that they have a national security practice. That wasn’t something that a lot of firms were advertising in the ’90s. After my clerkships, including my clerkship at the Supreme Court for Justice Souter, I went to the National Security Council staff in the White House. I started there about six weeks before 9/11. And on that day the world changed, as did the field of national security law. I went into government thinking that I was going to be working on great power politics, but all of a sudden the focus was terrorism. And so I ended up serving a few years at the National Security Council, a few years at the Defense Department and a few years at the State Department, where I helped run something called the policy planning staff, which is the secretary of state’s internal think tank. I left government at the end of 2007 and joined the faculty here at Columbia, where I teach national security law and international law. I’ve always had a particular interest in issues of law and technology, and the way in which the development of new technologies challenges old laws.

CI: Which of your jobs was the most important in your career development?
MW: I would say that working as an aide to National Security Advisor Condoleezza Rice was the most important to my career development. It was the most intense, and the one in which I learned the most—not just about national security and foreign policy, but also about the way that government functions, the importance of structures and processes for making decisions. It also helped me understand the way in which individuals throughout government institutions react to and handle different kinds of problems. As an instructor of law and someone who writes about law, I tend to think about issues in terms of the institutions that have to deal with them and apply and implement law.

CI: Tell me about the past year working for WestExec Advisors.
MW: It’s a strategic advisory firm that was established last year. Two of the founding partners, whom I’ve known for a while, are Tony Blinken, who is also a Columbia Law School graduate and was deputy secretary of state, and Michèle Flournoy, who was undersecretary of defense. Its work includes geopolitical risk analysis, helping corporate clients understand public policy and foreign policy developments, and a range of other advisory services. The team is especially strong on cybersecurity and cutting-edge technologies, so we work a lot with the tech sector, including major companies as well as startups. It’s an exciting way for me to think about applying what I know from government and my own research to the kinds of problems that companies and industries confront. It’s also a great way for me to learn about the challenges that the private sector is wrestling with.

CI: What about Jigsaw—how did that gig come about?
MW: One of my colleagues from the State Department is the CEO. He came in to stand up and run what was then called Google Ideas and grew into Jigsaw. A set of issues that we worked on together at the State Department was the way that information technology and social media were affecting foreign policy. Jigsaw is about developing tools to deal with online threats, such as online radicalization or denial of service attacks. Its mission is to help develop knowledge and tools to help keep the internet free and open and safe. For me, one of the things that’s great about the relationship is that while I can bring my international law and policy expertise to their work, I get to work with world-class engineers and computer scientists.

CI: One subject that we come back to, again and again, is the complicated relationship between companies and government. Efforts to collaborate always seem to bump into confrontations that could have huge ramifications. You have experience working with both. Do you see any signs of progress?
MW: I would say that we are making some progress, but it’s slow and uneven. Everybody recognizes that a big part of cybersecurity is improving information sharing and cooperation between private and public sectors. But nobody has a perfect answer for how to do that. There are some real cultural frictions between Silicon Valley and governments. Lawyers are often at the front lines of collaboration between the private sector and government. And so this is an important set of issues for students to be aware of. Anybody who goes into this field sees very quickly how important public-private interactions are—and how much room there is for improvement.
The demand for classes in cybersecurity is growing rapidly at both the graduate and undergraduate levels.
Hypotheticals require answers, but simulations force students to work through processes.