To prepare future lawyers to shape cybersecurity policy, Scott J. Shapiro ’90 does not focus on case law. Instead, the Charles F. Southmayd Professor of Law teaches students how to hack.
Hacking — the act of exploring ways to breach defenses and exploit weaknesses in a computer system or network — may not be part of the conventional law school curriculum. But when students in Shapiro’s cybersecurity course learn how to crack passwords, they see firsthand what it means for devices and systems to be vulnerable to security breaches. With that technical understanding, Shapiro said, they are better qualified to answer questions of digital policy, privacy and national intelligence. And from there, they can craft and test laws to protect data from theft and damage.
“The paradox is that we live in an information society and yet we don’t know how it works. The internet is so easy to use, why would you bother to learn?”
—Professor Scott J. Shapiro ’90
“It’s extremely difficult for law students and for jurists like me to speak intelligently about regulating an activity that we can’t even imagine,” Shapiro said.
The outline for the course, which Shapiro co-teaches with guest law lecturer Sean O’Brien, lists topics more often covered in computer science classes than in law classes. Networks, encryption, firewalls, operating systems, and passwords all appear. However, the course does not require any technical skills other than the ability to use a web browser.
Shapiro said it’s a mistake to assume that today’s students – digital natives – automatically understand technology just because they grew up with it. He drew a parallel: few drivers understand the inner workings of their car. The internet, Shapiro said, is no different.
“The paradox is that we live in an information society and yet we don’t know how it works,” Shapiro said. “The Internet is so easy to use, why bother to learn?”
Shapiro’s first course to examine cybersecurity issues emerged after the 2017 publication of his book The Internationalists: How a Radical Plan to Ban War Remade the World, which he co-authored with Gerard C. and Bernice Latrobe Smith Professor of International Law Oona Hathaway ’97. The book is about the 1928 attempt by world leaders to make war illegal and the legacy of the resulting treaty on the laws of war. People started asking Hathaway and Shapiro what the law had to say about cyber warfare.
To explore the question, the two teamed up with Joan Feigenbaum, renowned cryptographer and Grace Murray Hopper Professor of Computer Science and Economics at Yale, for a class on cyberconflict. The class brought together law and computer science students to learn about the technical and legal aspects of cyberattacks between nation states. This earlier class informed the current course.
One of the differences between the course and a typical law course is that the final project is not an article but a video of three hacks. One student bought a cheap credit card reader and then demonstrated how to hack credit card numbers. Another compiled lists of dictionary words, which people often use in passwords. After coming up with a combined list of words that numbered in the millions, the student tested them against a series of masked passwords – and successfully cracked them.
“We’re not grading so much on technical sophistication, but on hustle and bustle,” Shapiro said.
The class is taught as a laboratory, in which students learn by doing. In one exercise, they use one computer to remotely enter another, albeit one that is intentionally buggy and configured for that purpose. Prior to these activities, students learn the difference between ethical or “white hat” hackers, who use open source tools to improve and protect the cyber landscape, and people who hack to cause harm. O’Brien said it’s important to distinguish the two.
“Our students need to know how computer networks and data can be hacked, and how the humans behind them can be tricked, to truly appreciate the practice of cybersecurity.”
—Guest Lecturer in Law Sean O’Brien
“With an understanding of this duality, students will complete our program with the vigilance necessary to protect systems and mitigate or defend against attack and cybercrime,” O’Brien said. “Our students need to know how computer networks and data can be hacked, and how the humans behind them can be tricked, to truly appreciate the practice of cybersecurity.”
Shapiro, who is also a philosophy professor at Yale, has a long history with computing. As a high school student in the 1980s, he was caught up in the wave of personal computing brought by the Apple II. He learned to code and, before starting law school and completing a Ph.D. in philosophy, started a company that set up databases. After joining Yale University, he founded the Yale CyberSecurity Lab, which provides facilities for teaching cybersecurity and information technology. All the while, Shapiro has been captivated by the legal issues raised by hacking. His forthcoming book, Insecure, details its history, philosophy and technology.
“Hacking is so interesting from a legal perspective because it’s the only activity I know of that can fall under three different areas of law, depending on who you are and why you’re doing it. You can commit a crime, spy or start a war. Each of these categories – crime, espionage and war – are very different from each other,” Shapiro said. “They all have different legal structures. And that’s what, theoretically, really fascinates me.”
After Shapiro taught the cyber warfare class, he wanted to connect with someone with recent experience in the tech world. Through Knight Professor of Constitutional Law and First Amendment Jack Balkin, the founder of the Yale Information Society Project, Shapiro met with O’Brien, founder of the project’s Privacy Lab initiative. As an IT professional for more than two decades, O’Brien agreed that having a solid understanding of technology is crucial for future decision makers.
“Having a solid understanding of the underlying technology that comes into our lives, as well as security dilemmas, gives the law that governs and regulates that technology vitality and meaning,” O’Brien said. “We don’t want lawyers who believe the internet is just a series of hits, and we really need lawyers who are deeply concerned and invested in the strength of our information systems.”
Charlotte Blatt ’22 took the course precisely for this reason. Blatt, who has a background in national security and foreign policy, came to class with some insight into the cybersecurity threats facing businesses and governments today. But she said she had little understanding of the issues from a technical standpoint. She wanted to know more before starting a post-law job at a firm specializing in data strategy and security.
“This course prepares me for this job because I will be able to better understand what customers go through when they have been hacked,” Blatt said, adding that she will be able to communicate with customers “who are having problems that I previously did not have the words or knowledge to accurately describe.”
Eventually, Blatt hopes to work for the federal government, either as an assistant United States attorney or in an agency dealing with national security issues.
“The knowledge gained from this course is also useful when the client is the US government,” she said.
Knowledge of cybersecurity principles will be crucial for all future lawyers, not just those entering the field, Shapiro said. All knowledge workers — of which lawyers are an example — must protect sensitive information, Shapiro stressed. For lawyers, this includes their clients’ data. In this sense, cybersecurity is an extension of what law schools have always taught.
“We believe that we are training the next generation of leaders and the next generation of leaders must know how the Internet works. They must understand how cybersecurity and hacking work, what is the relationship between hacking, national security law, the criminal law and international law,” Shapiro said. “This is a service vital to our mission to educate the next generation of leaders for our information society.”