On May 9, three teams of undergraduate and graduate students from diverse disciplines—including computer science, information management, economics, and law—delivered final presentations about their work with Citizen Clinic, an initiative launched within the Center for Long-Term Cybersecurity to provide technical assistance to organizations that are vulnerable to cyberattacks for political reasons.
In introductory remarks, Citizen Clinic Deputy Director Steve Trush commended the Spring 2019 cohort of students for coming into the program with an open mind and helping their client organizations think differently about cybersecurity. “Citizen Clinic is the main public interest technology effort not only for CLTC , but for the university as a whole,” Trush said. “You all got to know the people who need protection, their context and mission, and how they live their lives. You took what we take for granted as being cybersecurity best practice and made it actually work for them.”
Each student team delivered a 20-minute presentation that included background about their partner organization, including the key political, economic, social, technological, environmental, and legal (PESTLE) factors that determine its threat landscape. The students then provided an overview of the services they performed for their clients, as well as recommendations for future work.
One of the teams explained that they developed a work plan and resources for their client, which they described as an international defender of human rights in the digital environment. (For security reasons, the names of the students and client organizations are confidential.) “We conducted a risk assessment identifying 14 risk items that we then sorted into three categories,” said one of the Citizen Clinic participants, a graduate student at Berkeley School of Law. “We developed a 32-page travel protocol guide for our client to use for their international work as well as a cybersecurity handbook that included recommendations for developing an incident response and communication strategy.”
Another student team detailed their efforts to provide cybersecurity support to an organization that works in the pro-choice movement, which they explained has a “highly volatile operating landscape” with a “very complex attack surface,” and faces ransomware attacks, distributed denial-of-service (DDos) attacks, social engineering attacks, and other threats.
The students explained that they provided trainings and other learning resources—including employee-focused content about potential security enhancements, such as single sign-on (SSO) solutions—and they developed an onboarding guide to provide cybersecurity information for current and new employees. They also established a new data back-up and storage policy; they updated a cybersecurity handbook to include information about an incident response strategy, email encryption, and other details; and they created a one-page brief focused on HIPAA compliance.
In their presentations, each of the student teams assessed how well they were able to meet their client’s needs, and they offered recommendations for continued collaboration with the partner organizations for future semesters. The students concluded their presentations by providing feedback about the course and suggestions for practical improvements.
“The support from the [Citizen Clinic] teaching team was great and provided useful resources such as risk assessment data plans and tools for open-source intelligence gathering,” said one of the team members, a PhD student in computer science. “The teaching materials and guest speakers throughout the semester allowed us to develop a greater sense of awareness of the threats faced by civil society groups.”
All three student teams noted that their client organizations were grateful for the support they received through the program. “We were able to show a lot of respect and interest to support their goals and helped them to demystify cybersecurity and show how it could be a priority for them,” one student explained. “They really did see that this was an important thing to focus on and it was helpful for them to have Citizen Clinic come in and tell them in an informal and friendly way how they can work on cybersecurity, and that it doesn’t have to be just IT staff focusing on technical details, but can be more of an organizational approach.”
Visit this page to learn more about Citizen Clinic.