Teaching ‘Cybersecurity Law and Policy’

Editor’s note: Please see here for the most-recent version of Professor Chesney’s free eCasebook (Cybersecurity Law, Policy, and Institutions), which supersedes the syllabus/primer described below.

What exactly should be covered in a course on the legal and policy aspects of cybersecurity?

That’s a tough—but fascinating—question. Cybersecurity as a legal and policy topic today is akin to environmental law and policy in the 1970s: a suddenly-pressing set of issues at the intersection of science, government, business, and international affairs, implicating a wide array of existing and potential laws and institutions. This is part of what makes it such an exciting area to study; nearly everything about it is in flux, and in the headlines too. But it also makes it difficult to optimize course coverage.

I am one of many professors who have been working on this course-design question in recent years. Like many of the others, I am supported in this work through the William and Flora Hewlett Foundation’s Cyber Initiative (led by Eli Sugarman). Hewlett perceived the importance of this design challenge many years ago, and has played a critical role—the critical role—not only in resourcing the effort to address but also in promoting a collaborative, open-source approach to sharing the fruits of it.

In that spirit, I’m writing now to share the details of the “Cybersecurity Foundations: Law, Policy, and Institutions” course that I teach at the University of Texas. I hope it is useful to those who are developing their own courses (please feel free to borrow any part of it you wish). And I hope too that readers will send me feedback on how it should be improved (for it certainly needs improvement).

First, a quick outline of this post:

1. Who is this course for?

2. What is the basic concept of the course?

3. Enough already, show me the details in terms of topics, readings, and question prompts!

4. Logistical details?

5. I have suggestions/criticisms to share. How do I reach you?

1. Who is this course for?

As explained below, the course content focuses on legal matters and questions of public policy (domestic and international). But the course is intended for more than just law and public policy students. My aim is to enroll grad students also from business, engineering, and computer science (in keeping with the cross-training goals of UT-Austin’s Integrated Cybersecurity Studies initiative).

This blended audience introduces a pedagogical challenge: When covering materials from a particular discipline, how do you make them interesting for the students who hail from that background without making it too hard for the others? There is no easy answer, though the problem has not seemed too significant in practice. It calls for extra care in explaining to the students what they are meant to extract from the readings, and as you will see below I sought to do that in part by including extensive questions-for-consideration in connection with each reading.

At any rate, the problem in practice proves to be much less acute with legal and policy materials than it would be in the reverse situation in which law and policy students might be dropped into a grad-level course in computer science or engineering. The latter is a very serious challenge. We address that problem at UT-Austin by having Matt Tait (@pwnallthethings on Twitter) teach a parallel Cybersecurity Foundations course introducing key technical concepts in a manner designed expressly for the non-technical grad students (law, policy, etc.).

2. What is the basic concept of the course?

The essential idea is to provide students with a broad appreciation for the actors, incentives (legal, financial, etc.), and policy goals associated with both the defensive and offensive aspects of cybersecurity (largely from a U.S. perspective).

By defensive, I mean that a central aim of “cybersecurity” is to minimize unauthorized access to or disruption of data and information systems.

By offensive, I mean that there are some specialized contexts (examples include law enforcement, espionage, covert action, and armed conflict) in which U.S. government policy aims affirmatively to enable at least some degree of intrusion or disruption.

We begin with the defensive perspective, surveying the landscape of actors, laws, regulators, policy issues, etc. Then, having plumbed those depths, we pivot to the offensive perspective and do much the same thing.

3. Enough already, show me the details in terms of topics, readings, and question prompts!

All of this is contained in a “syllabus” document. In this case, my syllabus is much more than a one- or two-pager just listing the topics and weekly readings. Though there are lots of reading assignments, the syllabus itself functions a bit like a casebook in that there also is a ton of narrative text framing each week’s topic, and also extensive questions-for-consideration matched to each reading.

The end result is that the document runs 58 pages (though the first five are class policies that you might want to skip). The full document is here.

Have a look, feel free to use any or all of it in your own teaching/studying and be sure to share suggestions for improvement (see #4 below). Meanwhile, for those not yet inclined to click-through to the document, here’s the top-level outline of topics:

I. THE DEFENSIVE PERSPECTIVE

A. Punishing Attackers

1. Cyber Crime: Introduction

2. Cyber Crime: Responding with Prosecution and Civil Suits

3. Punishing APTs/Nation-States?

B. Encouraging Potential Victims to Better Protect Their Systems

4. Mandating Better Private-Sector Defense: Regulation

5. Motivating Better Private-Sector Defense: Litigation and Insurance

6. Enabling Better Defense: Removing Barriers to Info-Sharing & Research

7. Getting the Government to Protect Itself Better

C. Managing Consequences

8. Responding to Breaches & Botnets

9. Defense in the Context of a “Significant Cyber Incident”

II. THE OFFENSIVE PERSPECTIVE

10. Should the Private Sector Hack Back?

11. Law Enforcement and Network Investigative Techniques

12. Espionage and Covert Action

13. Armed Conflict in the “Cyber Domain”

III. CRISIS SIMULATION

14. End-of-course team-based exercise

A note on depth of coverage: Obviously one could break out many of these topics to serve as stand-alone courses, and some such specialized courses are common. Many schools, for example, offer a course in computer crimes (the topic of Part I.A.1-2), and courses dealing with the international relations aspect (Part I.A.3 and Part II.12-13) are becoming more common as well. I don’t view my Foundations course as covering those topics in anything like the same depth. My aim instead is to give students a reasonably-sophisticated introduction to each area, and (especially) to help them see how the areas all relate to (and sometimes are in tension with) one another. Ideally a student would be able to take a course like this, and then go on to deeper study of one or more particular sub-issues.

4. Logistical details?

This version of the course was designed to meet once a week for 14 weeks, two hours at a time. This proved to be too little time, so next fall it will spread out into a three-credit format. Moving to three credits apparently also will make it easier for grad students from outside the Law School to take (or so I’m told). Speaking of which…

5. I have suggestions/criticisms to share. How do I reach you?

I agree that there is huge room for improvement in just about every aspect of this, and welcome your suggestions. Maybe the order of topics is wrong or incomplete? Maybe the readings for a particular topic are sub-optimal? Maybe the questions prompts need work?

You can direct message me on Twitter (I’m @bobbychesney) or you can email me at rchesney@law.utexas.edu. Thanks for taking the time!