It Is Time for Law Schools To Start Teaching Applied Cybersecurity

Technology is becoming more and more intrinsic to the practice of law, providing a setting that yields more efficient results for lawyers and clients. It has also exposed the legal profession to many cyber risks and threats, which lawyers need to be prepared to foresee and avoid.

Luigi Bruno
Sep 27, 2020


Introduction

Having a background in both law and computer science, and having worked in information security for some years, means that I am often on the receiving end of all sorts of IT-related questions from my lawyer friends.

Over the last few years, I have seen these questions evolve from editing PDF files and setting up IMAP email accounts to explaining what a VPN is and why Chrome flags a particular website as not secure. This evolution has not been linear — at all.

For the past five years, large law firms have been cautiously testing technology solutions in general, and legal tech ones in particular, albeit with minimal budgets, and on some occasions implementing them. The current pandemic, however, has forced lawyers, law firms of every size, and the entire justice system to swiftly rely on technology to prevent what could have been a catastrophic halt.

In a matter of days, face-to-face meetings involving client-confidential information have transitioned to videoconferencing, delicate case files have been moved to the cloud and accessed via VPN by lawyers working from home, the execution of multimillion-dollar M&A deals has become digital, and so forth.

Looking at the bright side, this has undeniably resulted in more flexible work for lawyers and more efficient results for many clients. However, it has also presented cybercriminals with a multitude of opportunities for attacks, all of which carry potentially severe consequences.

Lawyers, therefore, need to be aware of these cyber risks and threats to foresee and avoid them, and in some cases, to promptly mitigate the effects of malicious attacks.

The role of awareness in cybersecurity

Awareness is critical when it comes to cybersecurity. Every year, organizations worldwide spend millions first to assess the level of awareness of their employees vis-à-vis cyber risks and threats, and then on targeted employee awareness campaigns and training.

Large international law firms are part of this cohort of organizations. They not only invest in keeping associates and partners alike aware of cyber risks and threats but also have the resources to establish effective cybersecurity capabilities such as fully-fledged Security Operations Centers (SOCs).

However, solo practitioners and small and medium law firms do not possess the resources to have dedicated in-house cybersecurity teams and consultant-led awareness campaigns. Hence, in the vast majority of cases, they must rely on their own knowledge, attitudes, and behaviours to be cyber secure and shield their practices and their clients from cyber risks and threats.

How law schools can ignite and foster a culture of cybersecurity

The purpose of law schools is to educate future lawyers, regardless of the size of the law firm that they will work for. Therefore, law schools should equip law students with the necessary knowledge, skills, and tools to be cyber-secure legal professionals from day one after graduation.

While technology demands that lawyers change the way they work as they know it, cybersecurity is there, among other things, to protect deontologically paramount duties such as client confidentiality.

For these reasons, law schools should educate students in information security, cybersecurity ethical and legal practices, as well as in avoiding/mitigating cyber risks and threats by:

#1: Generating awareness about cyber risks and threats among law students:

By leveraging real-life case studies, law students can be made aware of the risks and threats associated with technologies that they will later use as lawyers. They can learn to adopt behaviours that are proven to be cyber-secure and prevent attacks and incidents. For example, by studying a real-life Man-In-The-Middle (MitM) attack case, law students could learn the importance of never transmitting personal and confidential data over unencrypted HTTP connections.

#2: Providing students with hands-on IT training:

Through a combination of theory-based learning and hands-on laboratories/workshops, law students can learn basic technical knowledge and acquire practical skills in analyzing and defending computer systems, protecting their clients’ data, and being resilient in the aftermath of attacks and incidents. To this end, core topics could include notions of Computer Architecture and Operating Systems, Computational Thinking, Computer Networking, Information Protection, and Cloud Security.

#3: Contextualizing cybersecurity within the overarching theme of legal education:

Ethics, privacy, and applicable cybersecurity laws and regulations should form an integral part of the applied cybersecurity curriculum. This would provide students with a valuable holistic cybersecurity education, which, as a consequence, would also benefit those students interested in becoming cybersecurity lawyers by allowing them to better interact with clients and technical experts, as individual cases may require.

#4: Recruiting ad hoc lecturers with interdisciplinary backgrounds:

To deliver a holistic applied cybersecurity education, law schools should recruit lecturers with an interdisciplinary background in computer science/security and law. After all, a handshake in contract law and one in computer networking are two very different things.

Conclusion

The bond between technology and the legal profession is here to stay. With the profession being digitally transformed and with legal technology automating an ever-larger number of tasks, lawyers will increasingly be exposed to cyber risks. Law schools can play a crucial role in igniting and fostering a cybersecurity culture that benefits lawyers and clients, and that ultimately protects the ethical pillars of the legal profession.
