US congressional and agency staffers are smarter about cybersecurity legislation thanks to an initiative by students in the NYU Law – NYU Tandon MS in Cybersecurity Risk & Strategy program. A capstone team from the Class of 2019 presented guidelines for writing cybersecurity laws, derived from their program’s capstone project, to several dozen of government’s best at the Woodrow Wilson Center in Washington, DC, recently. Center officials called the presentation an “excellent session on cybersecurity legislation fundamentals” that engaged its attendees “by far the most” of its Congressional Cyber Lab series.
The guidelines originated as part of the capstone project for MS CRS Class of 2019 students Khalil Jackson, Melanie Gersten, James Massot, Deborah Liu, and Ryan Gallagher – an example of experiential learning that moved successfully out of the classroom into a real-world scenario with real-world implications.
“We recognized that a gap exists between legislation and policy being created at the state and federal level and its practicality, especially in regard to privacy,” Khalil said. The team’s research showed that “rule makers and their staffs generally have no strong background in writing achievable legislation regarding cybersecurity.” Participants in the Wilson Center session represented both major parties, both Houses of Congress, various subcommittees, including the Senate Select Committee on Intelligence, the Department of Homeland Security, and the Department of Justice.
Khalil, a senior vice president at Bank of America Merrill Lynch, has over 20 years of experience in technology and cybersecurity, and his colleagues on the capstone team brought a wide range of other relevant experience. By putting together specific groupings for capstone projects, MS CRS program leaders and professors had designed virtual dream teams, he said. “There was an outstanding effort to pair people up and balance the teams, such that in our case we had a mix of technical, law and policy, and other skillsets, and we relied on each other’s expertise to accomplish the common goal.”
The result of their effort was a distillation of nine principles to guide lawmakers to assess the cybersecurity angles of any piece of legislation they’re attempting to write, Khalil said. The principles – singularity, fluency, clarity, enforceability, attainability, authority, security, longevity, and efficiency – were accompanied by questions and checkpoints that would ideally be used during the bill drafting process.
In one example used as an illustration of the importance of clarity, the team showed how the Cyber Ready Workforce Act, a bill introduced but never passed, encouraged the acquisition of stackable and portable certification, but failed to define stackable and portable.
Khalil credits the MS CRS program with deepening his understanding of issues such as privacy that are central to creating effective policy that also protects citizens’ rights. “Throughout my career I was familiar with privacy issues,” he said, “but in the program we were taught by world-class professors who wrote the book on privacy.”
The MS CRS program can be conducted at a very high level, he added, because the program is focused on senior professionals – comprising “a whole cohort who are experts in their own right.” As a result, “The downstream of aggregate knowledge has made me much more capable of discussing policy and legislation than before, with a greater level of precision. The actual work of trying to find something unique and creative made us look very closely at the problems in our economy and society.”
Khalil first presented the capstone team’s project to Wilson Center participants in 2019. This year’s initial session was expanded to include breakout sessions moderated by his capstone teammates, and another session may follow in the fall.