Last week, I graduated from the University of South Florida with a Master’s of Science in Cybersecurity. For two years, while maintaining a busy practice of law, having family obligations and trying to maintain some sense of normality in a pandemic, I slogged through 30-credits worth of courses with assignments, projects and tests in an area that requires a very different set of skills than those used by an attorney (my chosen profession).
The cybersecurity program forced me to explore topics in digital evidence, network forensics, information security and risk management, cryptography, data networks and systems, business continuity, disaster recovery plans, and cyber-crime. The program prepares graduates to solve novel real-world issues using innovative, analytical, and deep technical skills in the security domain.
WHY DO IT?
A colleague was curious as to why I decided to pursue a master's. I certainly did not need another advanced degree to be successful in the legal profession. A master’s does not equate to a promotion, pay raise or more clients.
Well, it started with me just being curious -- I wanted to understand the jargon in forensic reports.
What is nmap and wireshark?
Where is the FTP port?
How does one read an endpoint report?
Then it became a quest to understand cybersecurity from a technical perspective.
In my personal opinion, the legal profession and our legislature have proven slow to evolve and keep up with cybersecurity challenges. Attorneys continue to apply old concepts and laws to new problems. The judiciary relies on the doctrine of stare decisis that requires courts to apply laws in the same manner to cases that have the same or similar facts. But, with digitization, IoT and AI, we face a new, never before seen set of challenges. Someone who does not understand cybersecurity from a holistic perspective may not appreciate the detrimental effect of applying archaic laws to this 21st century problem.
For a cybersecurity professional, the risks are real, ever-evolving, rapidly changing, and the stakes are high. If one is going to practice law and specialize in the area of cybersecurity, it is important to have a basic understanding of the technology, business, political and socio-economic aspects of the industry. For example, law makers should consider the challenges that cybersecurity professionals face with implementing security protocols, dealing with human error, convincing executives to provide more funding for technology updates while knowing that even with all this work, motivated hackers will find a way to bypass some of the best security.
Failing to understand the technical challenges and processes involved in cybersecurity could lead to bad law. For example, some privacy and data protection laws require "reasonable security" to protect data, but what is reasonable security? Some attorneys may argue that a data breach is irrefutable proof that there was a lack of reasonable security. But, maybe not. The definition of “reasonable security” changes depending on the industry, risk assessments and available resources. And, even with better or best security, a hacker may find a glitch that results in a cyber incident.
So, yeah, I went back to school and finished the program to tackle this 21st century problem. But, the most important lesson was that in cybersecurity, you never stop learning.
~ Florida CyberSec Lawyer, Robert Stines, Esq., CIPP