Published on 2/24/20 in The Daily Record

With cybersecurity scandals becoming increasingly prevalent — the 2017 Equifax data breach is just one example — the University of Maryland Francis King Carey School of Law is providing non-lawyers with the legal knowledge they need to prevent and handle any future fiascos.

Since 2015, UMD has offered a master’s of science degree in cybersecurity law — a two-year program that educates non-lawyers on the basics of law and cybersecurity policies.

While students can obtain technical degrees in cybersecurity elsewhere in the state, the program at the University of Maryland law school — which focuses on the legal policy aspects of cybersecurity — is the first of its kind in Maryland.

Professor Markus Rauschecker, who directs the cybersecurity program at UMD’s Center for Health and Homeland Security, said that the target audience is working professionals who want to know more about law and policy issues in the cybersecurity field but don’t want to become practicing attorneys.

“No organization is going to be able to protect themselves 100% of the time from cyber attacks, so the question is how well protected and how well prepared are you for when it happens?” Rauschecker said.

Simon Hartley, who works for CIS Mobile in Washington, was one of the program’s first graduates in 2017. He called the program a “godsend” that helped him prevent potential data leaks from the company.

In a previous job, Hartley said, his company hired a lawyer to help with cybersecurity matters — only to find the person didn’t know much about cyber policy.

“We hired someone from a prestigious law firm with a J.D. (degree) and they were near-useless to us,” Hartley said. “They had a great legal training, but it was an inch deep and a mile wide.”

Applicants for the UMD cybersecurity master’s program don’t need a law degree, Rauschecker said, adding that most students are working adults with families. Because the class is taught online, students can watch lectures and complete weekly assignments at any time and from any place — and can thus live anywhere in the country.

“What the program really enables is for you to understand the legal implications of certain decisions or strategies relating to cybersecurity, and what the potential pitfalls are out there,” Rauschecker said.

Hartley said the University of Maryland’s was the only cybersecurity law program he could find in the country when he enrolled. He added that the Maryland/D.C. area is a fitting place to start such a program because it’s “ground zero” for cybersecurity developments, given the number of government agencies in the area.

Rauschecker noted that the master’s program is different from the law school’s certificate in cybersecurity program, which is offered only to students enrolled in the law school.

The master’s in cybersecurity program’s first cohort had five students but has since grown to 35 students.

Each semester, classes are updated or tweaked to reflect developing issues in the cybersecurity world, Rauschecker said. Topics such as the ransomware attacks on servers used by Baltimore’s city government or the Equifax data breach have been discussed in class.

Policy questions, such as whether a government agency can compel a private company to grant government access to a consumer’s encrypted devices, also pop up in class, Rauschecker said.

“These are really cutting-edge issues which we don’t necessarily have a definitive answer for,” he said.

Students take basic legal courses before delving into cybersecurity policy and taking specialized classes on topics such as cybercrime, international cyber law or the Department of Homeland Security and counterterrorism.

Rauschecker said students will often implement skills they learn in class in their day-to-day jobs.

“We get students with all kinds of jobs — sometimes they have fascinating startups — but they realize, ‘Uh oh, I’m good at the technology aspect of cybersecurity, but there’s a whole element of law and policy I need to know,’” Rauschecker said.

He emphasized that cybersecurity skills are in high demand and that there are “more jobs than people to fill them.”

Michael Greenberger, a University of Maryland law professor who teaches cybersecurity law, noted that the university will begin a partnership next semester with UMBC to offer a four-year, dual-degree program for students looking to receive a law degree and a master’s of professional studies degree in cybersecurity.