Public interest cybersecurity clinics are emerging as a vital resource in providing digital security services to non-profits, journalists, activists, municipalities, and others who face online threats, but have limited resources to defend themselves. Similar to clinics in law and medical schools, cybersecurity clinics train students to help client organizations secure their networks and maintain the online presence needed to carry out their missions. Cybersecurity clinics also help fill the tremendous and growing need for cybersecurity talent who can enter the workforce with hands-on experience.
The Center for Long-Term Cybersecurity (CLTC) pioneered the cybersecurity clinic model through the Citizen Clinic, and in October 2021, we convened a distinguished panel as part of our annual Research Exchange to discuss the history and value of the clinic model and how it is evolving. The panelists discussed the important role that cybersecurity clinics may play in protecting civil society organizations, while also fostering digital security and consulting skills across a new generation of college students from diverse backgrounds and varied academic disciplines.
The Trailblazing Citizen Clinic Model
CLTC and the UC Berkeley School of Information launched the Citizen Clinic course in 2018 to train students to provide cybersecurity support to under-resourced organizations. Since its founding, the Clinic has trained more than 80 students to provide support to 10 diverse client organizations on four continents, helping them build cybersecurity self-defense skills to guard against digital threats like cyberattacks, targeted surveillance, online harassment, and disinformation campaigns. Client organizations have ranged from LGBTQ and women’s reproductive rights organizations to international indigenous and migrant rights groups. Over half of Citizen Clinic alumni are women.
Expanding Resources — and a New National Network
To scale the clinic model and its impact, CLTC launched the Citizen Clinic Cybersecurity Education Center (citizenclinic.io), an online resource that makes robust curriculum, best practices, and helpful resources available to colleges and universities that are considering launching their own clinics. Other early leaders in this arena include MIT, whose cybersecurity clinic focuses on providing digital security assistance to city governments.
In 2021, CLTC, together with MIT and other clinic providers — including the University of Alabama, Indiana University, the Global Cyber Alliance, and R Street Institute, among others — launched a new National Consortium of Cybersecurity Clinics. This important new initiative shares a vision for university-based cybersecurity clinics to serve every U.S. state and region. The Consortium, which recently added its first international members, organizes monthly dialogues for clinical educators and others interested in public interest cybersecurity, connects clinicians for collaboration opportunities, and serves as a community of practice and clearinghouse to share teaching resources, curricula, video-based case studies, and other instructional materials.
Expert Panelists Articulate the Value of Cybersecurity Clinics for the Future
In October 2021, CLTC convened a panel discussion on “The Future of Public Interest Cybersecurity Clinics.” This panel drew on the experiences of cybersecurity clinic leaders and participants to identify keys to success for this model. The panel was moderated by Andreen Soley, Director of New America’s Public Interest Technology University Network (PIT-UN), a network of 43 colleges and universities that are working to build out the field of public interest technology. Panelists included Larry Susskind, Ford Professor of Urban and Environmental Planning at MIT, who oversees the MIT Cybersecurity Clinic; Tiffany Rad, CEO and Co-founder of Anatrope, Inc., who teaches the UC Berkeley School of Information’s Citizen Clinic course; and Lily Lin, a project manager at Microsoft who participated in the Citizen Clinic while enrolled at the School of Information.
“PIT-UN believes strongly in the need to connect students to the things they’re learning in the classroom with the real-world applications of their skills and knowledge out in the world,” Soley explained in her introductory remarks. “We’re particularly keen to support and amplify projects that protect the most vulnerable among us, online and offline. It’s one of the reasons why public interest cybersecurity is so important. We are happy to support the growth of these projects at universities and colleges, both within the network and outside of the network.”
Following are some key takeaways from the panel discussion:
Public-interest organizations have limited resources to defend themselves online: Most public-interest organizations lack the capacity or resources to support even baseline digital security. Cybersecurity clinics are an essential resource, as they not only help clients assess their existing and potential vulnerabilities, but they also can make recommendations for products or solutions that are practical and economical. “Many cybersecurity products are beyond the budget for most of the nonprofits,” Tiffany Rad explained. “We start out with, okay, we have no budget, how can we help these organizations that very much need our help?”
Organizations face threats that go beyond securing their networks: Public-interest organizations face an array of challenges as they work to carry out their missions online, and cybersecurity clinics can do far more than helping them fend off cyberattacks. Past clients of Citizen Clinic, for example, have contended with coordinated misinformation and disinformation campaigns, physical security threats, and harassment on social media. “If you take a city perspective, and talk about threats to critical urban infrastructure, cybersecurity is up at the top of the list right now,” MIT’s Larry Susskind said. “Yes, we have legislation pending to try to provide money to build more infrastructure, but our urban infrastructure is under attack every day. Not all those attacks are successful. But we know that the levels of attacks are increasing.” Cybersecurity clinics should thus collaborate with clients to evaluate the full spectrum of challenges they may face online.
Diversity is essential for success: Cybersecurity clinics are most effective when they include students from diverse backgrounds and academic disciplines. Depending on a client’s needs, law and policy expertise may be just as important as technical know-how. The ability to communicate with clients in clear language is a key attribute of successful clinic participants, as it is essential for building trust with clients. “Having someone who has a different type of background than cybersecurity would be fantastic, so we’re branching out and bringing in students from different programs at Berkeley,” Rad said. “It’s not just all technical. You’ve got to look at the human elements of how people are using this cybersecurity…. If you’re saying to an organization, I’m going to bring in 18 students to take a look at all your vulnerabilities, that’s something that takes trust.”
Cybersecurity clinic “trainers” require their own up-front training: Cybersecurity clinics should invest time up-front to ensure that students are sufficiently knowledgeable before pairing them with client organizations. UC Berkeley’s Citizen Clinic spends six weeks preparing course participants, and MIT has established a series of one-week modules with multiple choice exams to ensure students are prepared to help clients. “The exams are important because I can assure communities that would like help with a vulnerability assessment that I’m sending them students who are prepared,” Susskind explained.
Clinics are limited in their ability to implement solutions: Cybersecurity clinics offer valuable services to clients, including confidential vulnerability assessment and identification of appropriate open-source intelligence tools, but they typically do not carry out services, such as vulnerability scans or penetration testing, that require “touching” the clients’ systems. Organizations may thus require additional resources following the engagement to implement and maintain recommended systems, and clinic participants should steer clients toward solutions that are relatively easy to implement. “We are consultants,” Rad explained. “If we create a system that’s too technical or too hard to access, no one’s going to use it.”
Cybersecurity clinics are a vital tool for expanding the pool of public-interest cybersecurity practitioners: Cybersecurity clinics are growing the pipeline for talent in the public-interest cybersecurity space, and helping to train a new generation of technologists who understand the needs of under-resourced and marginalized communities. Lily Lin shared that, in her role at Microsoft, she often finds herself as the voice for underrepresented populations, who are not always considered in the design of digital technology. “I wouldn’t still be at Microsoft if it wasn’t for Citizen Clinic,” Lin said. “The thing that we keep coming back to is that technology needs to be easy for users, and designed with people’s problems in mind. How do we make these technologies work for people with different economic needs and security issues?… I’m a huge advocate for bringing in disadvantaged populations and user research practices.”
Clinics can work hand-in-hand with researchers: Cybersecurity clinics expose important questions and potential opportunities for research. For example, MIT’s Susskind suggested, based on his experience, that researchers should explore how a “minimum standard of care” for cybersecurity might be required of municipal governments before they become eligible for assistance following an attack.
Clinics need to work together for long-term success: The cybersecurity clinic model is relatively new, and it will be essential for clinics to remain engaged with each other to share and learn. The recently launched National Consortium of Cybersecurity Clinics marks an important opportunity for clinics to work together to ensure this model continues to improve and evolve.
Establishing a cybersecurity clinic requires a dedicated leader: Cybersecurity clinics are not easy to establish and maintain, and these programs require dedicated resources and leadership. “Someone needs to take the lead who has the idea that this is part of fulfilling their institution’s social responsibilities,” Susskind said. “This is not just an opportunity for technical training. Colleges and universities have social responsibilities. And one of them is to assist those in enhancing cybersecurity for those who don’t presently have the capacity to do that…. If you start with someone who thinks they’re doing this for that reason, and you’re looking for partners who you want to work with to build capacity, the rest will take care of itself.”