Guest Post: Ben Kastan, Duke Law ’12, on “How to be a cyber lawyer”

I’m very pleased to tell you that today’s post is by Ben Kastan, Duke Law Class of 2012, whose career as a cyber lawyer has enjoyed enormous success as he is now the Associate General Counsel for Cybersecurity at the National Security Agency.

What Ben shares with us is invaluable.  He explains what a “cyber lawyer” actually does in the real world, both in government and in the private sector.  He also talks about his own journey, and provides aspiring cyber lawyers with very practical advice.  You’ll enjoy this one!

How to be a cyber lawyer

by Ben Kastan

Cyber law jobs are exploding—law firms, companies, and government agencies are all looking for cyber lawyers. New cybersecurity laws and regulations are popping up every year. Law schools now have courses and even LL.M. programs in cybersecurity and “cyber law.”

So what is “cyber law”? How do you make it a career? I wrote this piece to provide one practitioner’s perspective on these questions for law students and others interested in becoming a cyber lawyer.

What is cyber law?

Cyber law is not really one discipline—it means different things to different people. It encompasses many different fields of law; the most relevant to a given lawyer will depend on whether you are in government or private sector and your specific role.

When I say cyber law, I mean that amalgamation of laws, policies, and regulations that pertain to information, information systems, and other machines that make modern life possible, such as operational technology.

In the private sector, smaller and medium-size law firms and corporations tend to combine cybersecurity and privacy functions, but privacy and cybersecurity increasingly draw from distinct bodies of knowledge and law. You can work on cybersecurity issues in different practices, such as corporate, regulatory work, or litigation.

You may advise on data breach notification requirements, data security standards (e.g., the security standards for payment cards), sector-specific cybersecurity regulations (e.g., the Transportation Security Administration’s new pipeline regulations), intellectual property, contracts or software licensing, cybersecurity risk with mergers or acquisitions, litigation concerning cyber insurance coverage, cyber-linked commercial litigation, or even helping a client counter online harassment.

You might also handle privacy issues, like the EU’s General Data Protection Regulation (GDPR) or the various U.S. state-level privacy laws. Indeed, in some companies, cybersecurity counsel are also senior privacy officials. Within companies there are also often compliance positions responsible for overseeing cybersecurity and data privacy regulatory compliance issues.  

In large corporations—particularly in the tech industry—the cybersecurity and privacy roles are distinct, with the cybersecurity legal roles focused on compliance with the growing range of cybersecurity laws and regulations, managing incident response activities, and providing legal insights to efforts to protect the company’s networks and its users from insider and external threats.

The privacy lawyers, by contrast, will focus on ensuring the company’s products and services comply with the global patchwork of privacy laws that regulate the collection, storage, and use of personal information.

In the government, both military and civilian attorneys practice cyber law. Most government practice, including in cyber law, will deal with questions of “authorities”—i.e., does my Agency, my Department, my Command have the positive authority from the President or Congress (or both) to conduct the proposed activity, and what are the left and right bounds of that authority? Cybersecurity authorities in the U.S. are highly dispersed and often overlapping among many different agencies.

But cyber practice in the government can vary widely. As a military lawyer, you might provide advice on issues like the application of the law of armed conflict to offensive cyber operations. In law enforcement organizations, such as the FBI or Secret Service, cybercrime investigators frequently possess legal backgrounds.

As a civilian cyber attorney supporting a federal agency, you tend to deal with matters like the Federal Information Security Modernization Act, government cybersecurity standards, network security monitoring, and incident response. As a federal prosecutor or state attorney general, you may be responsible for prosecuting criminals who defraud people of their cash or property over the internet.

Both military and civilian attorneys will review proposed activities, whether monitoring a network or sharing information with industry, for compliance with the Constitution and federal laws such as the Electronic Communications Privacy Act and, for intelligence activities, Attorney General-approved procedures under Executive Order 12333 or the Foreign Intelligence Surveillance Act.

The issues you face as a cyber lawyer will change depending on your role, so as you’re looking at careers in this space, think about which are most interesting to you.

My path

If these issues sound exciting, you’re probably wondering how to create a cyber law career.

An important thing to remember is that careers zig and zag. You are not stuck where you start and you cannot fully plan or predict the next opportunity or the one after. When I was a 3L, my job offer from the U.S. Air Force Judge Advocate General’s (JAG) Corps was rescinded after the USAF Personnel Command decided I wasn’t eligible to commission. After years of working toward the JAG Corps, I was stuck January of 3L year with no job and no clear prospects. I was crushed.

With the help of the law school, I was able to land a clerkship with a wonderful judge on the North Carolina Court of Appeals. That clerkship helped me hone writing skills and understand the judicial process, but my next step was unclear. It is unusual for clerks from an intermediate state court of appeals to go directly into federal service—typically we go to local law firms, prosecutor’s, or public defender’s offices.

I tried the typical path by applying to local prosecutor’s offices and civil litigation firms. A very astute recruiter for one such firm in Raleigh looked at my resume (full of international, public interest, and human rights work) and informed me that I did not want to do civil litigation. She suggested that I should work for the CIA. That hard conversation made me take another hard look at opportunities in the federal government.

I applied to several federal honors programs and was fortunate to join the NSA as part of the inaugural class of the Agency’s Legal Honors Program (a three-year program for entry-level attorneys). Drawing on my experience as a clerk, I started doing litigation and privacy work and then switched to cyber law after 18 months, which I quickly realized was the right niche for me.

Eight years later, I’m a senior executive leading the cybersecurity law practice at NSA, having had the opportunity to advise on a wide range of issues, including major incident response, election security, and novel industry engagement, as well as serving as in-house counsel to the nation’s premier cyber collection organization. It is fair to say that I could never have predicted or planned my career path so far.  

Finding your path

You can start as an entry-level attorney, as I did, through a federal legal honors program in an agency that works on cyber issues, such as NSA, DHS, DOJ, or CIA. This is probably the most direct path to working cyber law issues in federal government, though many honors attorney programs involve rotations between different practice areas.

Or you can join one of the military JAG corps. Judge advocates are generalists, and it can be difficult to specialize in an area like intelligence or cyber, but all of the military services (including the Coast Guard) work on intelligence and cyber issues.

So if you make your interests known, do well, and the needs of the service align, that is a viable path to enter the field, though cyber roles are not typically one of the first few assignments in a JAG career. Many civilian attorneys across the government and industry are former or reserve component JAGs.

You can also start in a law firm and practice cybersecurity/privacy law as a new associate. Many more firms have a privacy or cybersecurity practice than they did even five years ago.

But note that while many firms advertise a privacy or cybersecurity practice, not all actually have attorneys dedicated to those issues on a regular basis. If you want to tell the difference, it’s best to ask people in that firm what their day-to-day work is like and how much is cyber-related.

If you get into a law firm, you can stay in the law firm world for a career (many do), move laterally to an in-house position handling those same issues, or move into government or academia.

The law firm path is probably the best way to a corporate in-house counsel position because they know you will have experience directly relevant to them and have been well-trained. Yet critical to your ability to influence your own opportunities will be your effort to stay engaged in areas of interest – and evidence those through public writing and speaking – while in private practice.

There are other, less common, cyber law jobs, as well as jobs that are adjacent to cyber law worth considering, such as academic fellowships or think tank positions to teach, perform research, and be involved in policymaking and consulting. These opportunities can help chart a path toward cyber policy roles with increasing responsibilities—many of the senior cyber policy officials in government are J.D.-holders who have spent time in think tanks.

While cyber law opportunities are myriad, there are some important factors to consider when determining which of those opportunities are right for you. For many people leaving law school, an immediate concern is one of economics—how you are going to pay for rent, food, health insurance or that new student loan bill.

Private firms and companies generally will pay a (significantly) higher starting salary for new associates than the government; however, there may be a tradeoff with the number of hours required to earn that salary. In contrast, the government and the military have lower salaries, but there may be law school loan repayment options and a more predictable work schedule.

It is an exciting time to be entering into a rapidly evolving field, but there is no single ‘right’ path. No one else holds the vision for your career but you, so create your own path based on your economic needs, passions, and values. Your path does not have to look like someone else’s to be meaningful.

How do I get into cyber law?

Now that you know what types of cyber law jobs exist and have an idea of which ones may make sense for your career, how do you go about pursuing those opportunities?

If you are still in law school, it is important to perform well academically and master the core legal skills of writing, advocacy, and research. This point bears repeating—writing, advocacy, and research skills are the cornerstones upon which you will build any successful legal career, including in cyber law.

It is important to develop your personal network and to demonstrate your interest in the field. Meaningful networking requires initiative and sometimes a bit of vulnerability. Putting yourself out there can be daunting.

But the good news is that you have resources at your disposal, such as the law school’s career services office, professors, and the alumni network that you should be able to readily tap into. During law school you can start building these relationships and demonstrate interest in the field through cyber law-related courses and opportunities such as cyber law-related publications, legal clinics, and externships.

You should also not be afraid to reach out to someone who has a job you would want someday, even if it’s on a social media platform like Twitter or LinkedIn. Learn about what their practice entails day-to-day, hear how they got where they are. In my experience, people are very willing to talk—especially to students and newer lawyers—if you approach them in a polite, professional way. The worst they can say is no.

After law school, consider joining your local or state bar association, or the American Bar Association, which has several cyber law-related committees. There are also numerous professional associations that are open to the broader cybersecurity and data privacy communities. These associations frequently develop cyber and data privacy certifications that offer additional ways to demonstrate your interest and competence in the field and they tend to host online job boards for their members.

Finally, I recommend developing a public profile of interest and expertise by seeking out opportunities to publish and speak on cybersecurity issues. You can start your own blog, write an article for one like this, or publish a student note, and your efforts can lead to more regular opportunities with established institutions.

How does one become a successful cyber lawyer?

Most importantly, you need those same basic skills every successful lawyer has. Lawyers are professional communicators. You need to be able to synthesize complex facts and law and convey them in a way a non-lawyer can understand. You also need to do so concisely—lawyers are in a service industry and our goal should be to convey our best legal advice and counsel in a way that a busy leader or client can understand and act on.

If your client is an organization, you also need to understand their business, whether it’s a corporation, a military command, or a government agency. You cannot provide fully informed legal advice and counsel if you do not understand what the clients do, how they do it, and their goals and priorities.

I’m often asked, “Do I need a degree in computer science to be a cyber lawyer?” The reality is that cyber lawyers will deal with a wide range of technology that is constantly changing and a college degree does not necessarily make you an expert. So, formal training like degrees in computer science can help you better understand the technical facts of a situation, but are not necessary.

You do need an interest in technology, digital literacy, a willingness to dive into the weeds of how technology works, and enough humility to ask questions that you fear are stupid. You should know generally how computers, the cloud, the internet, and networking (the routing and switching kind) function, but a technical background cannot substitute for asking questions.

You also need to practice good preparation, such as reading meeting agendas in advance, so that you have awareness of the types of issues that may arise, which may involve unfamiliar technical subjects you can read up on in advance.

Additionally, providing competent legal advice includes providing the policy or prudential perspective—is this something that’s legal today, but may become illegal if Congress reacts poorly? Is this smart? Is it ethical? But to ask these hard questions, you need to be a trusted counselor with a seat at the table. Earning that trust requires understanding technical details, law, and policy, as well as the personalities, communication styles, and interests of your clients.

That may sound hard, but the projects I’ve had the most fun working on involved an interesting, important mission objective, a really smart client, a white board, and a lot of questions. If you enjoy those kinds of engagements, cyber law might just be the right fit for you.

About the author:


Ben Kastan is the Associate General Counsel for Cybersecurity at the National Security Agency. Prior to NSA, he clerked for the Honorable Donna Stroud on the North Carolina Court of Appeals. He graduated from Duke University School of Law in 2012 with a J.D. and LL.M. in International and Comparative Law.


The viewpoints expressed in this article are those of the author alone and do not reflect the views of the National Security Agency, Department of Defense, U.S. Intelligence Community, or U.S. Government. This article has been reviewed for classification and approved for public release in accordance with National Security Agency pre-publication requirements.

The views expressed by guest authors do not necessarily reflect the views of the Center on Law, Ethics and National Security, or Duke University (see also here). 

Remember what we like to say on Lawfire®: gather the facts, examine the law, evaluate the arguments – and then decide for yourself!
