There’s no doubt that cybercrime is on the rise across the world, affecting millions of people and costing trillions of dollars globally as organizations, businesses, and whole nations try to fend off increasingly sophisticated threats.
Recently, Indiana University students helped the Balkan state of Kosovo fortify itself against cyberharms by advising the Parliament on the development of its national cybersecurity legislation.
“The Kosovo government was so impressed by the work our IU students’ did in researching the bill. Throughout the process, they ensured that their legislative timelines aligned with the clinic’s timeline to maximize the possibility of incorporating the students’ work into their internal legislative processes,” said Scott Shackelford, academic director of the IU Cybersecurity Clinic as well as chair of the Cybersecurity Risk Management Program and associate professor of business law and ethics in the Kelley School of Business.
The student team working on the legislation came from the IU Cybersecurity Clinic, formed in 2019 to help Indiana communities, organizations, and businesses combat growing cybersecurity threats. Five graduate students, three from the Maurer School and two from IU’s interdisciplinary Master of Science in Cybersecurity Risk Management program, took on the task of reviewing the draft of Kosovo’s cybersecurity act and making recommendations on its many provisions.
The clinic’s big leap to the international realm was facilitated by Asaf Lubin, an associate professor of law at IU Bloomington’s Maurer School of Law and a fellow at IU’s Center for Applied Cybersecurity Research. A former colleague from Yale who worked in Kosovo initially reached out to Lubin regarding Kosovo’s cybersecurity legislation, and Lubin turned to the clinic students.
“Kosovo had a draft of a cybersecurity act that had been in and out of Parliament for a while,” Lubin explained. “When I was approached for help, it seemed an opportune time to connect them with clinic students.”
One of those students is Simon (Chieh-Jan) Sun, a candidate for a Doctor of Juridical Science degree at IU’s Maurer School of Law.
Sun explained that the team took a comparative approach, analyzing each of the draft law’s provisions with respect to international conventions, EU legislation, legislation from countries that have more dominance in cyberpower, and legislation from countries that are in a similar situation to Kosovo.
“We had weekly discussions to discuss the act’s various chapters and our comments on them,” Sun said. “Our input ranged from just offering some resources for reference to revising certain wording to making suggestions that some provisions be deleted entirely.”
Over months of work, the students drafted a 100-page analysis that they shared with Kosovo government officials. The final Kosovo cybersecurity legislation will directly reflect the IU students’ work and recommendations, Lubin noted.
“Kosovo is using the report to adjust the language of their bill,” he said.
The project also creates good opportunity for more international collaborations in the future, according to Lubin.
“The cybersecurity skills that the clinic teaches are transferrable. Learning about cybersecurity regulatory environments and enforcement mechanisms from a comparative perspective is useful regardless of whether the client is an Indiana business, a state agency, or a foreign nation,” he said.
“I think it’s likely that we will see a cybersecurity legislation avalanche in the global south, and this project opens up opportunities for other countries to learn from what our students have done,” Lubin continued. “There’s a desperate need for cybersecurity expertise in the legislative context, and we can help other countries advance their cybersecurity practices.”
Both Lubin and Sun credit IU’s impressive suite of academic and research programs in cybersecurity, and in particular, the IU Cybersecurity Clinic, for creating a robust environment that fosters cybersecurity expertise and knowledge.
“IU is truly special in this regard, especially the intersection of business, law, and informatics in the clinic,” Lubin said. “It gives us many ways to collaborate and creates immense opportunities for students that don’t exist elsewhere.
Sun said the interdisciplinary nature of the clinic really helped the student-team tackle the Kosovo project, which he deemed a beneficial experience for all.
“We learned to better understand what clients really need and how to work with their process, and we deepened our own understanding of cybersecurity regulation,” Sun said. “I do think we created something very positive for the Kosovo government, and for the clinic as well.”
