News / March 2022

“Five Questions” Video Showcases Citizen Clinic, National Consortium of Cybersecurity Clinics


A new video published by the Public Interest Technology University Network (PIT-UN) features Ann Cleaveland, CLTC’s Executive Director, and Lisa Ho, Academic Director of the School of Information’s Master of Information and Cybersecurity (MICS), sharing insights based on their experience from overseeing UC Berkeley’s Citizen Clinic, a trailblazing public interest digital security clinic that trains and deploys student teams to help nonprofits, journalists, human rights defenders, and social justice activists defend against digital threats.

The video is part of a series of “PIT Cases,” a website developed by PIT-UN to share knowledge about projects and classes run by members in the network, a partnership of 48 colleges and universities convened by New America, the Ford Foundation, and the Hewlett Foundation. The case studies are presented as part of PIT-UN’s mission “to help advance the field of public interest technology to bring positive impact to communities around the globe.”

In the video, part of a series themed “5 Questions With…,” Cleaveland and Ho discuss the newly established National Consortium of Cybersecurity Clinics, a network of university-based cybersecurity clinicians, trainers, and advocates committed to “sharing best practices, expanding the reach and visibility of cybersecurity clinics, and lowering the barriers for other institutions of higher education to successfully establish their own clinics.” In addition to UC Berkeley, the Consortium also includes MIT, the University of Alabama, Indiana University, the Global Cyber Alliance, R Street Institute, and others. The National Consortium of Cybersecurity Clinics convenes regular meetings for clinical educators and others; facilitates peer networking for faculty, staff, and students; and provides a community of practice and an online clearinghouse to share teaching resources, curricula, video-based case studies, and other instructional materials.

Below are the five questions and (lightly edited) answers featured in the video:

1. How will the National Consortium of Cybersecurity Clinics benefit the Public Interest Technology University Network?

Ann Cleaveland: The National Consortium of Cybersecurity Clinics is a network of university-based cybersecurity clinics that are working to help public interest organizations improve their cybersecurity defenses, free of charge. The model is similar to clinics in law and medicine, where student teams are trained to help organizations at risk of cyber attack to improve their defenses. Clinics in the consortium help organizations ranging from cities and towns, to hospitals, human rights activists, journalists, critical infrastructure providers, and small businesses. Cybersecurity clinics are a way for universities in the PIT-UN network to meet their ideals and responsibilities for public service.

The consortium is benefiting PIT-UN in a couple of ways. First, we’re helping existing clinics strengthen and connect with each other. This includes peer networking for faculty, staff, and students in our clinics. And we’re creating a clearinghouse of resources for cybersecurity clinics, including curriculum, teaching materials, and operational materials. We’re also helping university-based clinics connect to others in the cybersecurity technical assistance field, including other allies, advocates, and providers of training materials, like the Global Cyber Alliance.

We’re also lowering the barriers for other universities, colleges, and community colleges to create their own clinics. For the planning phase, we’re helping people think about questions like, how do I get institutional buy-in? What kind of clients should my clinic serve? Should I start with graduate students or with undergraduates? Another big consideration for clinics is the mechanics of running a clinic. So we’re helping people think through the processes and technical controls that will help keep clinic students and clients safe during a cybersecurity engagement. And of course, there’s the curriculum. Consortium members have contributed instructional materials, syllabi, lecture notes, and other resources to help a new clinic lower the time to start up.

2. What are some best practices for building successful partnerships between PIT-UN members?

Ann Cleaveland: There are three ingredients to good partnerships between PIT-UN members. First, you have to start with a shared excitement and passion around the topic. We just happen to have a group that is really excited about the win-win that is a cybersecurity clinic, this idea that we can train the next generation of cybersecurity professionals while at the same time helping important community and public interest organizations improve their cybersecurity self-defenses.

The second ingredient is an ambitious vision. We spent the first few meetings of the National Consortium of Cybersecurity Clinics developing a vision that was really inspiring to the membership. The vision is having a university-based clinic in every state in every region to serve that local community in the next decade. Everybody’s motivated to grow and improve their own clinics, but we also have a shared vision and commitment for improving the whole field.

And then, of course, you need resources. I can’t say enough about what members have contributed on a volunteer basis to stand up the Consortium. But communities of practice don’t magically convene themselves. Faculty are really busy, and they’ll vote with their feet if they aren’t getting value out of the partnership. We’re incredibly grateful to PIT-UN for having provided the seed funding for staff and leadership to steward the group to advance an agenda that’s more than the sum of its parts, to do outreach, and to curate the clearinghouse of resources that we have for clinicians.

3. What are some best practices for working with cybersecurity clinic clients?

Lisa Ho: When working with cybersecurity clinic clients, one of the things that we’ve found very valuable to successful outcomes is investing in building trust. Building trust is so important, particularly when doing vulnerability assessments, because it can be disarming and uncomfortable to learn about your weaknesses. Especially within smaller organizations, it may feel personal to those involved.

Among the processes that we’ve found are helpful in building trust are formal processes, such as confidentiality agreements that students, faculty and staff sign. This gives a baseline level of assurance to clients. Second, even just acknowledging upfront that it may be uncomfortable helps clients get prepared for the mental and emotional process involved. Third, through UC Berkeley’s Citizen Clinic model, the faculty have a key role in establishing a relationship with the client before turning over interviewing to the students. In this way, the clients know that they have a trusted entity that they can turn to if needed.

4. How do you engage students to take part in the cybersecurity clinics?

Lisa Ho: Students are very motivated by the service opportunity to help deserving organizations defend themselves. For students who are already studying cybersecurity, the value of hands-on work with clients is clear. Even if the students are already working cybersecurity professionals, as many in our program are, helping very small organizations on a shoestring budget requires a whole new framing of cybersecurity problems and solutions. Students are excited by that.

We also invite students from all across campus who don’t have a background in cybersecurity. They’re also motivated by the mission of helping organizations who are doing important public service and social justice and humanitarian work. We’re reaching out to students with the message that cybersecurity is an essential skill in any domain, and there’s room in cybersecurity for people with all kinds of backgrounds, because working with clients requires more than technical expertise. There’s the need to do background research on the client’s contextual environment. There is interviewing and relationship-building with the client, policy and procedure drafting, report writing, training — all kinds of skills are needed. Cybersecurity is both a social and technical domain, and cybersecurity clinics help students from all fields see that there is a career path for them in cybersecurity.

5. Where do you see the field of public interest technology in five years?

Ann Cleaveland: Something we often say is that cybersecurity is “everything where humans and machines intersect that is important enough to be called security.” Five years from now, I think we will see, to a much greater degree than we see now, students from a variety of disciplines seeing that there is a place for them in the cybersecurity field. Cybersecurity is an instrumental enabler to so many things that we care about, like democracy, free speech, human rights, and functioning cities and public health infrastructure. For me, seeing the field of public interest cybersecurity recognized as a priority within the field of public interest technology is essential.

As I mentioned, the vision of the National Consortium of Cybersecurity Clinics is to have a university-based clinic in every state and region in the next decade. This is so important if we’re going to have a new generation of public interest technologists who are trained to think about the security implications of the technologies that they deploy. And this is not just a technical question. This is about people and policy, human behavior, ethics, and economics. So many of our industry colleagues tell us that they need graduates who, for example, know how to build secure machine learning products. This is just as profoundly essential for the field of public interest technology as it is for industry.