CHHS Helps Craft National Cybersecurity Curriculum

April 11, 2019

“Cybersecurity is no longer just an IT issue,” says University of Maryland Center for Health and Homeland Security (CHHS) program director and Maryland Carey Law professor Markus Rauschecker, JD. “There are a lot of people that need to get involved when it comes to protecting against cybersecurity incidents and also responding to cybersecurity incidents.”

(l-r) Ben Yelin, JD, CHHS senior law and policy analyst, and Markus Rauschecker, JD, CHHS program director.

A quick scan of recent ominous headlines warning about data breaches, ransomware, worms, and viruses shows that cybercrime is on the rise. The impact of cybercrime can clearly be seen in the numbers. According to the 2019 Official Annual Cybercrime Security Report by Cybersecurity Ventures, cybercrime will cost the world in excess of $6 trillion annually by 2021, up from $3 trillion in 2015.

While technology professionals are certainly in demand to fill the growing need for cybersecurity experts, there also has been explosive growth in the need for cybersecurity law and policy experts capable of advising companies about the legal ramifications and responsibilities surrounding cybersecurity.

“There’s a huge need for cybersecurity professionals in this country and there’s a significant shortage in the amount of qualified people who can fill those open positions,” says Rauschecker. In fact, new cybersecurity workforce research issued by the Information Systems Audit and Control Association (ISACA), a globally recognized IT governance association, found that 69 percent of respondents say their cybersecurity teams are understaffed.

The workforce shortage is one of the reasons the National Security Agency (NSA) National Cybersecurity Curriculum Program (NSA NCCP) put out a call for proposals in 2017 to develop a free, open-source cybersecurity curriculum with the goal of building a cyber-skilled workforce that can contribute to the security of the nation in the public and the private sectors.

Rauschecker and Ben Yelin, JD, CHHS senior law and policy analyst, both experts in cybersecurity, answered the call and were awarded a grant in 2017 to develop a cybersecurity law curriculum for NSA NCCP.

Maryland Carey Law was at the forefront of the cybersecurity crisis wave when it offered its first cyber law course back in 2012, followed by the creation of the Cybersecurity and Crisis Management Law Program in partnership with CHHS in 2016. The cutting-edge program combines theoretical study and practice-based learning on legal and policy issues in cybersecurity, homeland security, public health, and emergency management to help prepare graduates to provide effective counsel to government and private-sector organizations.

“We thought we could fill in an important gap,” says Yelin, describing the law and policy focus of their curriculum. “Most educational institutions were going to contribute technical models; lessons on how to protect your network; how to protect your company from ransomware. There was this void when it came to the law and policy issues related to cybersecurity.”

Rauschecker agreed, adding, “Here at UMB, we are one of the few schools in the country that really focuses on the law policy issues in cybersecurity, and we’ve done that for a number of years now. We have an advantage over other institutions in that we have such an established program already.”

After the team was awarded the grant in summer 2017, it quickly got to work developing a user-friendly curriculum that it wanted to be accessible to learners ranging from fellow law professors to mid-career professionals. The team spent a year and a half refining and developing three course modules on law and policy issues in cybersecurity that are now available on the Cybersecurity Curriculum Program website, CLARK.

The courses are:

The courses are broken into 14 micromodules designed to be studied a la carte or as a suggested eight-week course, depending on the user’s level of knowledge. Micromodules in the Law and Policy of Cybercrime course include Warrant Requirements in Cyberspace, and Preparedness and Response to Cybercrime Incidents. Other micromodules include Electronic Surveillance Jurisprudence, History and Overview of the Fourth Amendment, and Legal Framework for the Collection of Bulk Metadata.

Yelin says the target audience is mid-career professionals who have no background in law and policy issues as well as professors who may be designing their own curricula. “It gives people who are already experts on the technical side an ability to get a foundation of knowledge on all types of law and policy subjects,” he states.

As cybercrime continues to proliferate across the globe, there will be an ever-increasing need for lawyers who understand the accompanying complex legal issues. Rauschecker says cybersecurity law is a growing field that’s full of opportunities to do meaningful work.

“I always tell my students that this is an area of law that’s still in its formative phase,” he says. “There’s still a lot of open-ended questions that haven’t been answered yet, so that means there has to be a lot of robust debate. I think that just makes it a very exciting field to be in, a field where you can really contribute a lot.”