Do we really need more lawyers? According to the American Bar Association, there are roughly 1.34 million active lawyers in the United States—about one for every 300 Americans. Surely, that’s enough. But maybe, like other cyber workforce issues, we need more lawyers who deeply understand cybersecurity.
There is a cyber workforce gap in the United States—it’s been growing and it’s getting the attention of our National Security leaders. At the recently held National Workforce and Education Summit, National Cyber Director Chris Ingles announced a mission to help fill the more than 700,000 unfilled cybersecurity jobs through traditional paths, by building new paths and ensuring the workforce is drawn from underrepresented and diverse communities. Globally, the Commerce Department estimates there is a shortage of 2.72 million cyber professionals. Building this workforce is critical to defending the ever-growing digital infrastructure from cyber threats—and the U.S. is way behind.
But do we need more lawyers in this new cyber workforce? I think we might. Cybersecurity law is complex—a merging of technical, business, law enforcement, national security, regulatory, public policy, and geopolitics. It takes years to understand what’s really going on with cyber issues, and the legal landscape is getting even more complex as countries around the world are adopting and proposing new laws to address current and emerging technology challenges and opportunities. Therefore, part of the cyber workforce pipeline must include lawyers who have a deep understanding of cyber and can recognize—and work to rationalize—the changing technology and security of the legal and policy landscape.
The idea that we may need more cyber lawyers was driven home to me this past spring when a number of Congressional members proposed new economic regulations to restructure the U.S. technology industry through changes to the antitrust laws. These proposed laws are currently pending in the Senate. But an unintended but serious consequence embedded in these proposals is the creation of significant—and foreseeable—cyber and national security risks to consumer, enterprise, and government networks and data.
The bills would force the leading mobile device producers to ‘open up the box’ (their devices) and allow unvetted apps onto the device, give the unvetted app access to hardware and software assets, provide a clear path for unvetted apps to send back app data, and create avenues to avoid many of the protections, security checks, patching, incident response, revocation, and privacy rules and transparency currently required by the device producers’ official app stores and terms of service.
Right now, the only way to download an app on an Apple device, for example, is through the official app store, which vets the app, imposes security and privacy checks and requirements, enforces community standards, and performs patching and incident response. Under the new proposals, these protections could be circumvented.
This is not trivial. It’s also contrary to long-standing U.S. government guidance, which states that one should only allow apps on the box (the mobile device) from official app stores (NSA, DHS, FTC), which reject hundreds of thousands of apps a year. With millions of apps circulating, including too many from criminal gangs, disinformation purveyors, foreign security services, and privacy abusers, forcing open the box to bad actors would open the door to theft, fraud, extortion, surveillance, theft of intellectual property, disinformation campaigns, and bricking of devices and networks.
So, what does this have to do with the cyber workforce and cyber lawyers? First, lawyers are able to understand and explain the impact of proposed changes in law, and can advocate for changes when necessary. Second, a workforce of well-trained and seasoned cyber lawyers can spot cyber issues in non-cyber laws and regulations—something non-cyber lawyers may not see. And finally, the proposed changes in these bills (and perhaps others in the future) would impact the security of virtually every enterprise given the common use of BYOD and the melting away of network boundaries. We need lawyers who can recognize non-trivial cyber impacts like this in current and future proposals that affect the global digital ecosystem. When lawyers recognize non-trivial issues within proposals, they can work with their security and legal teams to educate policymakers and avoid adverse unintended consequences.
As we address the pressing need to grow our cyber workforce over the coming years, we need to pay attention to all aspects of the cyber workforce—including the need for good cyber lawyers. It may be hard to say that we need more lawyers writ large, but maybe we need more lawyers who deeply understand global cyber issues so we can help chart a course to a more trusted future.
Adam Golodner is the Founder and CEO of Vortex Strategic Consulting and the Co-Chair of Trusted Future.