Case Studies in Client Engagement with Cybersecurity Clinics


Voting Rights Organization

The Challenge: In the run-up to the 2020 primary election, a volunteer-led, U.S.-based voting rights organization had increasing concerns about the digital safety of its team members and the integrity of its data. In particular, the organization was concerned that online disinformation campaigns could hamper its efforts to ensure a fair and open democracy.

What Citizen Clinic Did: A team of students from Citizen Clinic, led by mentors from UC Berkeley and partner organizations, reached out to help the organization secure its online systems to be more resistant to cyberattacks.

They began by conducting a large-scale audit to understand the organization’s cybersecurity challenges and the threats their team members faced. This audit exposed that the organization had no formalized structures in place for securing online accounts and responding to security incidents. More worryingly, many of the organization’s online accounts were accessed by multiple volunteers through shared logins.

The Citizen Clinic student team identified the shared accounts as the greatest immediate risk, and focused their efforts on moving the organization toward a more robust, secure account system.

Outcomes: As a result of Citizen Clinic’s recommendations, the organization has successfully created an account structure through which login credentials do not have to be shared among volunteers, which will make it easier to implement further security measures in the future. With a plan for improving its cybersecurity in place, the organization can more confidently carry out its mission to protect voter rights.

A Regional Abortion Fund

The Challenge: A regional abortion fund dedicated to supporting the reproductive rights of Americans faced diverse challenges online, including online harassment from bots and trolls, threats of data breaches to reveal patient, provider, and donor information, and fraudulent websites that promote fake clinics or scams to collect donations.

What Citizen Clinic Did: The Citizen Clinic student team performed an audit of the client’s information storage and communication systems, as well as a comprehensive risk assessment that led to the identification of key organizational assets and likely threat scenarios. As part of this process, the team met with different people in the organization and rigorously documented the organization’s information workflow.

The students created a series of spreadsheets to help organize this information, which ultimately helped identify which systems were most vulnerable and contained sensitive information. This risk assessment revealed a major vulnerability in a document storage system that contained both financial information and patient data. In addition, vulnerabilities were found in the organization’s email system, as well as in an online form and data collection tool. The Citizen Clinic student team also upgraded some of the organization’s key digital business systems, which had previously been too difficult to use safely and efficiently. They also completed a migration of assets to a more secure data storage platform; re-organized a folder structure to better manage access permissions; and enabled multi-factor authentication for the organization’s new accounts.

“We used our training and policies to present the ideas from our threat model to the staff of the organization and to begin an organizational conversation about information security,” one of the students explained. “Cybersecurity is not all tech. It involves strategic thinking and prioritization of threats, and a strategic search for creative end solutions that are simple and practical enough for clients to implement.”

Outcomes: The team provided the client with a comprehensive report that included a risk assessment, explanation of deliverables, and original context research for the project. They created security policies and information workflows for different roles within the organization — including board members, staff, and volunteers — and drew an outline of each member’s access to the digital storage system and how each member can manage their permissions optimally. Working with the fund’s interim executive director, the team delivered a comprehensive security training that introduced members to the threats they face, the new storage system, and the security policies and general best practices to follow on a daily basis to keep the organization secure.

A Domestic LGBTQ Support Organization

The Challenge: A U.S.-based LGBTQ nonprofit organization was subjected to hate campaigns from extremist groups and violent online communities. Beyond harassment on social media and denial of service attacks on their web applications, the organization has had its members’ personal information – home addresses, dead names, phone numbers, and photographs – collected and published on the web (also known as doxxing). This has led to staff members facing in-person harassment and death threats.

What Citizen Clinic Did: The Citizen Clinic team first gained a foundational understanding of the organization’s unique context, a contextual research process that included an in-depth interview with the technology director and a review of the organization’s existing cybersecurity protocols.

Based on insights from industry experts, the students provided concrete suggestions about how the organization could enhance its cybersecurity training program, as well as its telephone and website security. They also connected the organization with experts who could provide future support beyond the Clinic’s capabilities. After implementing cybersecurity practices, the students developed short security quizzes to assess the degree to which these practices had “sunk in” to the organization’s members. The quizzes were intended to remind staff about existing policies as well as to assess any possible weak spots in training. In addition, the students ran a comprehensive phishing campaign, emailing fifteen members from an unfamiliar email address and urging them to click a link and submit their credentials. The phishing campaign provided the technology director with concrete feedback on the organization’s strengths and vulnerabilities to phishing attacks.

Outcomes: The Citizen Clinic student team holistically assessed this organization’s cybersecurity capabilities, improved its training program, provided feedback on strengthening its hotline and website, and connected the organization to additional pro bono resources. Ultimately, the efforts improved the organization’s ability to handle DDoS attacks, misinformation campaigns, phishing attempts, and doxxing by trolls. “We were successful in helping the organization because we understood its unique needs, concerns, and goals,” one of the students said. “By focusing on both implementing new policies and making sure those policies were accepted by members, we helped the organization find effective and practical solutions.”

Land Is Life, an Indigenous Community Support Network

The Challenge: Land is Life is a non-profit civil society organization that supports local communities around the world that are adversely affected by development projects, particularly those that relate to environmental and human rights. Land Is Life and its partner network are frequently subjected to online disinformation campaigns, data breaches, and other online threats from a variety of threat actors, including governments, corporations, cartels, and paramilitary groups.

What Citizen Clinic Did: A student team from Citizen Clinic performed an analysis of factors contributing to vulnerabilities and threats to Land is Life. The students interviewed regional field directors in different geographies (i.e. Africa, Asia, and Latin America), which revealed that team members around the world used a variety of digital devices, communication methods, and security practices. While the organization had baseline security practices in place, they lacked standardized secure protocols for communications and travel.

Citizen Clinic addressed this problem by developing a communications and travel protocol guide with a quick-guide section for easy usage. The student team also wrote an onboarding guide for technology so that employees could quickly set up their devices in a secure fashion, independent of their understanding of secure communications or travel practices. They also conducted phishing testing that revealed the organization was vulnerable to phishing attacks. They presented Land is Life’s leaders with a series of recommendations for implementation and integration. “We wanted to keep documents concise and condensed so that users of the document could quickly acquire the information they need and would not get fatigued from its density, while also being thorough in informing people of the motivations behind why such practices are necessary or important,” the students explained.

Outcomes: The Citizen Clinic team recommended and implemented a variety of solutions to help Land is Life and its partners to improve their cybersecurity, including multi-factor authentication, password management tools, and enhancing other security protocols. As a result of implementing these recommendations, the organization’s baseline digital defenses were greatly improved. “In some ways, Citizen Clinic engaging with Land is Life is like engaging with many dozens of organizations,” says Casey Box, Executive Director of Land is Life. “Citizen Clinic took the time to do a diagnostic amongst my entire team and partners to understand how they operate day-to-day at the organization, and what kind of threats and concerns they had in regards to their digital security. We developed a plan that we rolled out over the course of two years to develop protocols, systems, and different ways that we could strengthen our digital security as an organization.”