The School of Information-based program has trained 300+ students to defend nonprofits and social-sector organizations against cyber attacks — and sparked a global movement.
When a group of students gathered recently in UC Berkeley’s South Hall to present their work, it quickly became clear that these were not typical class projects.
One student team explained how they had provided digital security assistance to an East Coast-based mutual aid organization that serves people facing housing and food insecurity. The students identified critical vulnerabilities in the organization’s digital defenses and set up a process to help manage which staff members and volunteers have access to potentially sensitive information.
Another team detailed how they had worked with an environmental organization whose work puts their digital networks in the crosshairs of powerful corporate interests and nation-states. The students helped the staff identify a range of security issues on their public-facing website.
A third group shared how they had provided assistance to an LGBTQ+ support center whose community members are facing doxxing and hate crime concerns. The students helped the center’s staff secure their communications, and they conducted an audit to identify gaps in the center’s security and protect private data.
The presentations were part of an end-of-semester showcase for the UC Berkeley Cybersecurity Clinic, a practicum-style course at the UC Berkeley School of Information, with joint support from the Center for Long-Term Cybersecurity (CLTC), that trains students to provide pro bono digital security assistance to organizations that face a range of cyber threats, but have limited capacity to defend themselves. Similar to university clinics in law and medicine, the cybersecurity clinic model provides students with “real-world” experience while serving the public good.
Since its inception in 2018, the UC Berkeley Cybersecurity Clinic has focused on assisting nonprofits and social-sector organizations that are targeted not just for their data, but because of the nature of their work makes them targets for coordinated campaigns from well-resourced adversaries, including hostile governments, hate groups, and extremist networks.
The semester-long Clinic is one of the only cybersecurity courses at UC Berkeley open to students from across the campus, and it has attracted undergraduate, graduate, and Ph.D. students not just from the School of Information, but also from fields like journalism, law, public policy, computer science, political science, sociology, economics, and cognitive science. “Cybersecurity is a multifaceted issue that requires multifaceted viewpoints,” says Elijah Baucom, Director of the UC Berkeley Cybersecurity Clinic. “Cybersecurity has to become more accessible, because everyone has an intersection with cybersecurity.”
Catalyzing a Global Movement
To date, the Berkeley Cybersecurity Clinic has trained more than 300 students across nearly two dozen academic disciplines and served over 50 nonprofit and social-sector organizations on four continents. At the same time, the program has helped spark a movement that has led to the establishment of cybersecurity clinics at colleges and universities around the world.
In May 2021, CLTC teamed up with a handful of other colleges to co-found the national Consortium of Cybersecurity Clinics, an organization designed to support the growth of the clinic model in cybersecurity, including by promoting the sharing of best practices, curricula, and other resources. In less than five years — thanks in part to early seed funding from Craig Newmark Philanthropies and the Fidelity Charitable Trustees’ Initiative, as well as a transformative infusion of philanthropic support from Google — the network of clinics in the Consortium has grown to 60 clinics globally. Cybersecurity clinics are now operational in 28 U.S. states, Washington, D.C., Canada, Taiwan, Peru, Sri Lanka, and Pakistan. During the 2024-2025 academic year, clinics in the consortium collectively reached 2200 students and 700 organizations.
While each clinic serves a distinct set of “clients,” such as small businesses, K-12 schools, local governments, and small critical infrastructure providers, the UC Berkeley Cybersecurity Clinic is among the few that support often under‑resourced, mission-driven nonprofit and social-sector organizations that are more prone to ideologically‑based attacks. This semester, students in the UC Berkeley program are assisting clients focused on issues such as reproductive rights, environmental justice, and promoting transparency and accuracy in journalism.
Working together with “senior consultants,” students who have completed at least one semester of the clinic, Baucom is developing resources designed for the digital security needs of mission-driven nonprofits and social-sector organizations. In October, CLTC released Securing Mutual Aid: Cybersecurity Practices and Design Principles for Financial Technology, a comprehensive guide with practical recommendations specific to the cybersecurity challenges of food banks, disaster relief, bail funds, and other mutual aid organizations. And this semester, the clinic’s team is developing a resource hub with tailored recommendations and best practices for different types of nonprofits.
Expanding Research and Innovation in Cyber and AI Risk
The need to train the next generation of public interest cybersecurity professionals is as urgent as ever. As cyber threats proliferate and threat models evolve, including emerging AI-enabled attacks, many organizations lack the resources to protect themselves.
Beyond direct client work, the clinic’s senior consultants are advancing the field through research on the specific context of threats facing clinic clients. Researchers affiliated with the clinic are also working on helping organizations manage the advent of generative AI, including how to protect personally identifiable information in the age of AI, with emergent risks arising from inferences drawn from past conversations. Rather than recommending that organizations prohibit AI use, the research team is developing pragmatic approaches to help organizations understand the potential benefits of AI, the human and environmental impacts, as well as data security and privacy risks.
“Effective cybersecurity isn’t about imposing rigid best practices, but understanding each organization’s unique context and capacity.” – Elijah Baucom, Director, UC Berkeley Cybersecurity Clinic
Marisa Hall, a senior consultant and student in the School of Informatio’s Master of Information and Cybersecurity (MICS) program, is pursuing research on user-centered cyber risk management, exploring the intersection of secure-by-design principles and universal design. Her work reflects the clinic’s core philosophy: “Anyone can learn the technical stuff, but the social stuff is harder and more impactful,” Hall says. “That’s why I love being a part of this clinic at UC.”
“Often, when we talk about the types of clients, cybersecurity is conflated, as if all recommendations are for everyone, but different organizations have different threat models,” Baucom says. “There’s a shortage of cybersecurity professionals, and we can’t solve that shortage if we can’t make it accessible, including by translating it into language that the organizations we work with can understand. Effective cybersecurity isn’t about imposing rigid best practices, but understanding each organization’s unique context and capacity.”
Opening Up a New Horizon
At the end-of-semester showcase, the students shared what they gained from the experience. Some stressed the value of working with operating nonprofits. “Before this class, I didn’t have a lot of knowledge about digital security that applied to a real organization like this,” one student said. “Getting to know their day-to-day operations, there are a lot of good practices to apply on an organizational level.”
They noted that effective cybersecurity for vulnerable populations requires more than technical knowledge; it demands empathy and cultural competence. As one student put it, “ultimately the client has the final say in capacity and implementation.”
Others explained that the program helped them identify new career paths, as the program was their first introduction to the field. “I had worked in consulting before, but had never considered that cybersecurity is such an important need of nonprofits,” one student said. “This is an opportunity to support nonprofits in a different way.”
Other students stressed the value of “right-sizing a situation,” of meeting organizations where they are and providing tailored approaches. “Best practices don’t mean best fit,” the student explained.
Another student explained how they had to try not to “freak out” their client by revealing how exposed they were. “Understanding the level of comfort of your client is really important,” the student said. “This opened up my horizon.”
Get Involved with the UC Berkeley Cybersecurity Clinic
UC Berkeley Students
Are you interested in participating in the Cybersecurity Clinic? Visit https://www.ischool.berkeley.edu/programs/cybersecurityclinic
Nonprofit and Social-Sector Organizations
Interested in how your organization could benefit from the support of the UC Berkeley Cybersecurity Clinic? Email cybersecurityclinic@ischool.berkeley.edu with suggestions.
Help Fuel Clinic Impact through Philanthropic Partnership
Individual, foundation, and industry donors have helped catalyze Berkeley’s clinic and are needed to keep this work growing. Give now to the Cyberdefense for Reproductive Rights Fund, or contact Shanti (at) berkeley (dot) edu to discuss other engagement opportunities.
Learn More
- Visit the homepage of the UC Berkeley Cybersecurity Clinic
- Learn more about the Consortium of Cybersecurity Clinics
- Read a Berkeley News article, Cybersecurity Clinic Helps Nonprofits Protect Themselves
- Read more about how the clinic model has grown: Growth and Impact: Cybersecurity Clinics Reach New Heights
