To start off, could you talk a little about the path that led to where you are today? How does one become an expert in cybersecurity law?
I have always been interested in the way that technological change can disrupt familiar legal and policy frameworks. When I started in academia in 2002, I tended to think about this through the lens of conventional military and counterterrorism capabilities, including surveillance and other technical means of intelligence collection. Naturally, the security of networks, computers, and devices played an important part in that puzzle, and that (combined with a long-standing love of all things computer-related) sparked my initial interest in serious study of cybersecurity’s legal and policy aspects. The fact that pretty much everyone, over time, has come to depend so much on the security of our systems and devices just enhanced that initial interest.
One thing that especially appealed to me, from the beginning, was the inherently cross-disciplinary nature of this topic. In an ideal world, policymakers would have some basic fluency with the relevant technical concepts; engineers would understand the basics of the legal framework; lawyers would appreciate the business considerations; executives would understand the public policy considerations, and so on around the horn. Few people have the time and resources to gain true depth across all these areas, of course, but that doesn’t mean we can’t make useful strides through purpose-designed cross-disciplinary efforts. It seemed to me that a sustained effort to develop new courses, designed from the ground up to blend key insights from a variety of fields in a mutually accessible way, might prove helpful. That’s been the guiding principle of our Hewlett-supported effort here at UT.
Last year, you published your “eCasebook” on Cybersecurity Law, Policy and Institutions (v.3.0)—a 137-pager supporting a full three-credit course on the legal and policy considerations for government and the private sector when thinking about cybersecurity challenges. How does the book reflect the cross-disciplinary focus of your work on cybersecurity studies at UT Austin?
The book project—which I am updating constantly—has been a real labor of love, and I couldn’t be more pleased with the interest it has generated (it’s posted for free at the link above, and last time I checked it had been downloaded more than 5,000 times since it went live in March 2020).
When I first started designing a course for this area, I made a conscious choice to do it in a cross-disciplinary way. I anticipated having both law and policy students in the course initially, and hoped eventually to attract engineers, computer scientists, and business students too (we have all of the above, and then some, now!). My goal was that it would be equally accessible for all of them. As a result, I assume only the most limited prior legal, policy, or technical knowledge, and have written the book to provide, as much as possible, the framing that anyone would need to follow along. But it’s not dumbed down; the aim is to spell everything out but not to be simplistic.
At any rate, the biggest challenge wasn’t calibrating the level of difficulty across different topics. Instead, it was developing a comprehensive organizational framework that would make sense of the topics included, which run the gamut from insurance coverage and false advertising to military cyber operations against the Islamic State. Put another way, there was a serious question at the beginning about the scope of the topic, and whether there was something sensible to say about how so many seemingly disparate issues relate to one another.
Well, there is. My book is built around the proposition that every society has a powerful interest in minimizing hostile cyber activity targeting individuals, organizations, and the government itself, while at the same time there are offsetting societal interests—such as law enforcement or fighting a war—that might lead that same society to permit certain institutions to engage in “offensive” cyber activity. This certainly is true for the United States, for example, and the book’s organizational structure is a roadmap that reflects this. The bulk of the book maps out the array of considerations that arise under the heading of “defense,” covering everything from imposing costs on attackers, to incentivizing and enabling better defensive efforts, to organizing for responses to serious incidents. But the back half of the book focuses on the flip side, with a similar study of “lawful” hacking carried out by law enforcement, intelligence agencies, and the military. Ideally, the student (or other reader) eventually forgets to ask whether they are reading a policy book, a law book, or something else, and instead simply comes to feel that they are getting a serious tour of the entire range of subjects under this broad heading.
By the way, I’ll post the dramatically improved v.4.0 this month. Stay tuned!
What can you tell us about your students working on cybersecurity law and policy? Who are they, what are they studying, and where do they go after graduating?
You know, I think the most-fun aspect of this program has been the blending of students from so many different parts of the University. UT-Austin is a very large place, with a stunning array of fantastic grad programs. I already knew our law students of course, and also the grad students from the LBJ School of Public Affairs. Deepening the ties between those two buildings has been a blast! But adding in a bunch of engineers, computer scientists, information school students, and business students, well, that has really enriched things. And it’s especially nice to see the students getting to know each other.
I see all that in the core “Cybersecurity Law, Policy, and Institutions” course that I teach based on the eCasebook, but it’s true also in the Strauss Center’s larger “Cyber Fellows” program, of which my course is just a part. The idea of this program is to curate a growing set of both bespoke courses (that is, courses we create from the ground up for the program) and existing UT courses, and to reward those students who take—and do well in—at least four of them while also participating in our speaker events and other extracurriculars. So, for example, we have also created a course intended to introduce cybersecurity-related technical concepts to non-technical students, which is a rather unique course that adds tremendous value for our business, policy, and law students. And we’ve got a growing roster of enrichment courses, covering topics like incident response, privacy law, and the international law of cyber operations. It’s too soon to say what career impacts all of this will have—many of the students who began this program are still at UT—but at the anecdotal level there are many exciting developments so far. For example, one of our policy grad students spent a summer at a US embassy in a major allied country and ended up playing a key role in relation to a cybersecurity diplomatic effort.
UT Austin has been the host of the Austin Regional of the Cyber 9/12 Challenge for the past few years. Can you tell us about the competition, and what’s special about the event you host in Austin (aside from the BBQ, of course)?
Are you sure you don’t want me to focus on brisket tacos or tricks for avoiding the line at Franklin Barbecue? Alright, alright, alright.
The Atlantic Council’s long-running “Cyber 9/12” cyber policy competition is a tremendous learning experience for students. I’m sure many readers will know all about it already, but just in case not: The basic idea is that dozens of four-person teams of students from around the country, reflecting all sorts of different degree programs, compete in judged rounds offering policy recommendations in response to a rapidly-evolving set of fictional cybersecurity crises. Students receive a packet of realistic-looking documents in advance to support their opening-round written submissions, they then appear in person to answer questions from the judges, and then the cycle repeats (with increasingly dire fictional developments) as some teams progress to further rounds.
My center had been supporting teams going to DC for this competition, and it was clear that they were learning a huge amount from it—and enjoying it immensely. Unfortunately, not everyone who might be interested could make the trip, and even those who did often lamented that they would love to have had a version of that experience more than once. And so we eventually talked to our Atlantic Council friends about the possibility of hosting an “Austin Regional,” here at UT. In no time at all, we had an agreement in place, and it’s been a great success every January since.
Part of what makes any UT-based event unique, of course, is Austin’s trademark combination of great food, great hospitality, great music, and great weather (even in January … or perhaps I should say, especially in January). Another part is the intensive hands-on support from the Strauss Center’s amazing staff team, who specialize in making sure things never fall through the cracks and in making sure everyone feels warmly welcomed. And in part, it’s the wonderful cohort of judges and special guests we’ve been able to involve. I won’t soon forget the fantastic social-engineering training session that Rachel Tobac gave during a break between rounds last year, or the keynote from Chris Krebs.
Finally, it feels like a missed opportunity not to include some frivolity in this Q&A, as you and your co-host Steve Vladeck do at the end of each episode of your National Security Law Podcast. So: favorite Star Trek episode (any series), and why?
Did you know that Steve and I once did a live performance of the show for a U.S. Intelligence Community gathering, and for frivolity, we simply posed the question: Star Wars or Star Trek? There was a moment of silence, then mayhem in the auditorium as the debate flared through the room. Happily, it appears our Intelligence Community is heterodox on this important subject!
*Your* question has the same potential for starting a brawl, so I’ll open by saying that there’s no best episode, but rather just a great many brilliant ones. And I’ll cheat a bit by narrowing my focus to STTNG. That doesn’t help me much, I have to admit, but picking from among a bunch of Next Generation favorites I’ll somewhat arbitrarily go with … The Inner Light (named for a George Harrison-written Beatles song!). I could give a recap, but I don’t want to deprive anyone of the joy of how the story unfolds. I’ll just say that it is a lovely and well-told tale. Might make you want to learn a few songs on a flute!