By Bruce Tomaso
Erin Nealy Cox ’95 is truly a crime fighter for the 21st century. The U.S. Attorney for the Northern District of Texas is an expert in prosecuting cybercrimes.
Nominated by President Trump last September, the 48-year-old magna cum laude SMU Dedman School of Law graduate oversees federal prosecutions in 100 Texas counties with a combined population of about 8 million. Nine of the state’s 20 biggest cities are under her jurisdiction. She’s in charge of roughly 100 government attorneys and a like number of support staff in five divisions.
Few lawyers in America possess her combination of training and career experience in the law, technology, business, and administration. In addition to her SMU Dedman Law degree, Nealy Cox holds a degree in finance from the McCombs School of Business at the University of Texas at Austin. After law school, she clerked for U.S. District Judge Barefoot Sanders of the Northern District of Texas and Chief Judge Henry Politz of the U.S. Court of Appeals for the Fifth Circuit. She also served as a litigation associate at two prestigious law firms—Simpson Thacher & Bartlett in New York City and Carrington Coleman Sloman & Blumenthal in Dallas.
She joined the U.S. Attorney’s Office in Dallas in 1999. In 2004, she was assigned to Justice Department headquarters in Washington, as chief of staff and senior counsel in the Office of Legal Policy, the division responsible for coordinating and advancing the department’s top policy and legislative initiatives. In her 19 months there, those priorities, under President George W. Bush, included an intense focus on counter-terrorism.
In 2008, she left the government—and the law—to take what she calls a “giant career leap” into the cyberworld: She started the Dallas office of Stroz Friedberg, a worldwide business consulting firm specializing in cybersecurity and investigations. Eventually, she was promoted to lead the firm’s global response unit, assisting clients across the world that fell victim to intrusions, data breaches, and other cyber risks. At the time of her appointment as U.S. Attorney, Nealy Cox was a senior adviser at McKinsey & Co., serving in its cybersecurity and risk practice.
She is married to Trey Cox, a Dallas trial lawyer. They have three school-age daughters.
Nealy Cox spoke with Dallas writer Bruce Tomaso about her office’s efforts to combat cybercrimes, about her winding career path, and about what law schools can do to best prepare their students for the challenges awaiting them in the digital world. (The interview was edited for clarity and conciseness.)
With cybercrimes so much on the rise, there’s a real value to businesses and to the public in having prosecutors who are intimately familiar with the subject. Is this an area that’s underserved?
As recently as five years ago, I might have said so. But cyber is so prevalent these days. In the U.S. Attorney’s Office, we’ve really prioritized it. We’re in a better position today than we were a few years ago to provide folks with insights into the subject. We’re always getting better, but we can always do more. It’s hard to even suggest that cybercrime should be a category of its own. Cyber is now a part of almost every crime we see in this office. There’s hardly a case that doesn’t touch digital or cyber in some way.
What can law schools and, more specifically, institutions like the Tsai Center for Law, Science and Innovation do to help prepare students to pursue opportunities in this area?
Understanding what takes place at the confluence of law and technology and business is critical, and the Tsai Center is uniquely suited to meet that need. Rarely did any issue that I worked on in the private sector not implicate at least one of those realms. If we think of cybersecurity as purely a technical problem, or purely a business issue, or if we try to silo it into pure law, it’s very difficult to deal with. We have to take a multidisciplinary approach to this complex problem.
Yet, when you look at corporate org charts, or university catalogs, many of them continue to treat law and technology and entrepreneurship as different verticals—different worlds.
That’s right. And some universities even put pure cyber studies into different verticals: computer science, or its forensics, or something in engineering. That really doesn’t comport with how we view the subject in the law, or in business. I do think that’s changing, thanks in part to interdisciplinary initiatives like the Tsai Center. Universities are starting to model programs around a more holistic approach. Students with that kind of broad exposure, when they graduate, are much more marketable. They’re not just computer engineers, or people with law degrees. They’re people who really know how to deal in the digital world. Thankfully, that vernacular is becoming more common.
What advice would you give to a student thinking about going into law?
Study law in a way that’s open-minded. When I was in law school, I knew I wanted to be a trial lawyer. And I’ve loved it. It’s been great. But we don’t all have to be trial lawyers. There are so many things you can do with a law degree. It’s as valuable and versatile as an MBA. Learning the law gives you a set of skills—analytic skills, strategic skills, advocacy skills—that you can use in almost any profession.
And what about trying to get as broad an education as possible outside law school?
That’s extremely valuable. We learn so much more when we’re exposed to people with different experiences from our own. When I was at SMU, Professor [Thomas] Mayo taught a law and medicine small group. It was half medical students and half law students, and it was a great class. The combining of ideas and experiences was very positive. There was a collective growth of wisdom.
Clearly, your career is testimony to the opportunities available at the intersection of law, business and technology. How did you come to that?
Unwittingly, I have to confess. After 9-11, there was a real push by the Attorney General [John Ashcroft] to draw resources into cyber because of its connections to counterterrorism. I was in the U.S. Attorney’s Office then, and, like everyone, I wanted to serve in whatever way I could. So even though I had avoided math and science like the plague in college, I found myself deep into cyber technology, working with FBI cyber squads, Secret Service cyber squads, military intelligence officials—and it was fascinating! That’s why I tell law students—be open to all the possibilities around you. If I hadn’t been willing to jump into a completely new and foreign area, I would never have gotten the experience I needed to do the things I’ve done. Don’t put yourself on a narrow path. There are so many opportunities for lawyers these days.
When you first got into it, it must have been a small club.
It was. When I left the U.S. Attorney’s Office 10 years ago to open the Dallas office of Stroz Friedberg, a lot of people I knew were scratching their heads. Leaving the law to do cybercrime investigations? Who’d ever done that?
But then you had these high-profile hacking cases—at Target and Home Depot and Neiman Marcus and other places—and since then, it’s sort of become top-of-mind. Law students today are more interested in cyber. A lot of lawyers in this office are becoming more interested, because they know cyber issues are going to impact their day-to-day activities. Cybercrime is not going away any time soon.
Was it a steep learning curve for you at first?
It was. But I would argue that trial lawyers are really good at jumping into new areas. Trial lawyers have to take sophisticated concepts and boil them down to the simplest terms so a jury can understand them. With cyber, oftentimes I’d be trying to explain very complex, technical concepts to people who didn’t have any technical background, whether it was juries, or judges, or consulting clients that had suffered a major intrusion. You have to be able to dive in and understand the subject matter so you can explain it to others, so they can make reasoned, informed decisions. That’s what a trial lawyer does in getting a jury to reach a verdict. It’s a great skill to have for any profession.
Despite all the highly publicized cases of corporate hacking, a lot of people still think it won’t happen to them. As a consultant, did you find that businesses were generally well-protected?
If there was a large breach in, say, retail, then every retailer would be concerned about it. But consumer-goods makers weren’t concerned. They’d think, “We’re not a retailer.”
Banks were really the first sector to go through an online adjustment, for obvious reasons: That’s where the money is, right? So banking became the first sector to be hardened. But retailers and others would say, “Well, we’re not a bank.” They were convinced they weren’t going to be plagued by those same problems, and so they became soft targets. Ultimately, after you saw large, disruptive breaches in almost every sector out there, people started to think, “You know, this is a problem that is not going away.”
Even now, we’re still learning about the implications of cyber. We know that people are trying to disrupt our elections. We know that state-sponsored corporate espionage is prevalent—and not just for top secret data, but even for relatively mundane things that American companies make. We have to recognize that our information is a critical asset, whether it’s some trade secret or the CEO’s emails. We have to protect that information, and we have to think comprehensively about how to do it.
You know, there’s no silver bullet out there. The clients that I consulted with in the private sector always wanted us to tell them the magic formula. But there isn’t one. Cybersecurity involves a comprehensive layering of diligent defensive and offensive measures. It requires a lot of thought. It requires a company to be nimble and, most of all, to devote substantial resources to security. That’s where many companies fell behind: they didn’t devote resources to it until they had a wakeup call.
Generally, I think we’re in a better place today, but we’ve still got a long way to go.
Even if a company has a solid, secure system in place, that doesn’t stop an employee from leaving an encrypted laptop in the back seat of her car, or using her spouse’s name as her password, or getting up from the computer and walking away for 45 minutes.
So how much follow-up is needed? How much does this have to be a continuing education process?
It has to be constant. It has to be at the forefront of everyone’s mind. We have to stay vigilant. I know sophisticated business executives who use the same password for 10 accounts. And that’s a very bad idea!
Criminal prosecutions must have a strong deterrent effect.
I sure hope so. (Laughs)
But when you’re tracking the use of the internet for felonious activities—selling drugs, sex trafficking, investment scams, whatever—it must seem like playing global Whack-a-Mole. The bad actors are overseas. Companies change names. They can relocate from Romania to Singapore simply by switching servers. Assets get shuffled around.
The nice thing is that we have some really smart people working on those problems. I’m constantly amazed at how innovative and passionate our cyber folks are. So there’s a lot of stuff that we can do and it’s very impressive.
Cyber prosecutions are some of the most sophisticated work we do. And it’s work that the federal government is uniquely suited to do. Because there is such an effort to obfuscate the evidence trail, oftentimes as we follow it into foreign countries. We deal with foreign officials and with international agreements that govern things like getting access to documents and other evidence. Only a government entity can do that.
When I was consulting, we helped our clients investigate breaches within their networks. Our goal was to figure out what happened, what, if any, data got out, what the risks and implications of that were, and how to secure the network. Essentially, though, we were conducting internal investigations. Once the trail left the client’s network, we could only go so far with it.
But as the government, we can take all these dots from various companies and connect them to put together a major case. We can work cooperatively with foreign countries and make a real impact. There’s a lot of that going on right now.
It’s axiomatic that technology outpaces regulation: Somebody comes up with a new application, whether it’s online shopping, or ride sharing, or cybercurrency. Then, once people start using it, we debate whether there’s a public interest in regulating it. If the decision is yes, it can take years to promulgate the regulations. And by that time, 20 new applications have come on the market. Can anything be done to narrow that gap, or will regulators always be chasing the tail?
We’re probably always going to be a little behind. But I’m not one to over-regulate. I think we sometimes rush in to regulate based on one case, when it doesn’t necessarily call for new regulation across the board. We ought to be careful about that. When we look at cybercrimes, we talk all the time around here about which criminal statutes are suited to this case. Can we go after this bad behavior with an existing law? Oftentimes, we find that works.
There’s a lot of discussion now—and a lot of confusion—about whether and how to regulate cryptocurrencies. Some legal experts say that before we rewrite federal banking and securities laws that have been around since the 1930s, maybe we should wait and see whether anyone is even using Bitcoin five years from now.
Certainly, we’ve seen technologies fizzle out. With cryptocurrencies, there are legitimate exchanges, and there are exchanges that facilitate bad behavior. You can see the appeal of an anonymous currency to both legitimate businesses and a swath of illegitimate businesses. In this office, we don’t put them all in the same box. When we go after digital exchanges that are facilitating bad behavior, we always look first at the laws already at our disposal—for example, the money-laundering statutes. Let’s try what we have first and see what happens. U.S. Attorneys all across the country are weighing in on this front.
You quote one of your mentors, the late Shannon Ross [a former criminal chief in the U.S. Attorney’s Office] as saying, “Every criminal defendant deserves two lawyers: a good criminal defense lawyer and a prosecutor who seeks the truth.” Why has that stuck with you, and how does it inform what you do in this office?
It goes to the essence of what’s different about being a lawyer who represents the United States. We are not subject to the whims of a paying client. Our client is every citizen of the United States, and we’re here to do the right thing, and only the right thing: to seek the truth. Sometimes, that means we don’t go to a grand jury. Sometimes, the truth tells us no federal crime has been committed. Even then, we’ve done our job. It’s a very liberating way to practice law. But also, it carries a unique obligation. Being a trial lawyer when your client is the whole country brings a special responsibility.
Have you ever accidentally downloaded a virus on your home computer?
I’m positive that I have. (Laughs.) I don’t do anything work-related on my home computer, and I try to keep the software updated. I’m probably more careful than the average person. But, chances are, yes.
The first time you applied for a job here, you were turned down.
I was. I had no business applying, really. I was fresh off a judicial clerkship [with U.S. District Judge Barefoot Sanders]. I’d seen a lot of trials, and I’d decided that being a federal prosecutor was for me. I’d caught the bug. And, of course, I wanted to get started as soon as I could. I was told, appropriately, that I wasn’t ready—that I had no business being here.
Do you ever look around your office now and have a good chuckle about that?
Every single day. (Grinning broadly.)