Cybersecurity Clinics Create Online Defense for the Public Good

Cybersecurity is emerging as an important technical field within public interest technology because it fulfills a core need faced by all vulnerable communities: a secure, stable digital infrastructure. To begin to address this need, a growing number of “cybersecurity clinics” are operating on college campuses across the country. At the University of California, Berkeley (UC Berkeley), a team of students helped secure the networks of a non-profit that supports migrants arriving in Greece from the Middle East and Africa. Over on the East Coast, students at the Massachusetts Institute of Technology (MIT) prepared confidential digital vulnerability assessments for three New England cities and a hospital. And students at the University of Georgia provided a cyber-risk assessment for a local county government and school system.

Based on the model of clinics at schools of law and medicine, these cybersecurity clinics are hands-on, practicum-style courses that train university students to provide digital security assistance to organizations with limited resources, such as non-profit organizations, local governments, and small businesses.

“The organizations we work with often lack the resources and capacity to defend themselves against a range of threats, including cyber attacks, targeted surveillance, online harassment, and disinformation campaigns,” said Ann Cleaveland, executive director of the UC Berkeley Center for Long-Term Cybersecurity. The Center’s Citizen Clinic has trained more than 100 students and served more than 14 clients ranging from women’s reproductive rights organizations to LGBTQ and international indigenous rights groups. “Our goal is to expand this model in the United States and around the world.”

Building a Knowledge Base

Because the demand for pro bono cybersecurity assistance outpaces the capacity of any single clinic, leaders from a group of clinics teamed up to establish the Consortium of Cybersecurity Clinics, which launched its website in May. The Consortium, supported by New America’s Public Interest Technology University Network (PIT-UN), provides a forum for sharing best practices and lowers the barriers for other institutions of higher education to establish their own digital security clinics.

“The point of the Consortium is to make it easy for faculty at any university to convince their administration that they could quickly launch a clinic of their own,” said Larry Susskind, Ford Professor of Urban and Environmental Planning at MIT and director of the MIT Cybersecurity Clinic. “Consortium meetings provide opportunities for university faculty to access the advice and materials they need at no cost. In this way, the usual obstacles to starting up new clinics can be sidestepped easily.”

“The threats are only going to increase for any organization,” said Mark Lupo, business education and resilience specialist with the University of Georgia, Athens program, who leads the CyberArch cybersecurity clinic. “And the consortium’s value is only going to increase as more universities start programs like this one.”

Since its founding last year, the Consortium of Cybersecurity Clinics has become a center of gravity for faculty at other institutions interested in starting clinics in the United States and globally. It has also created new opportunities for students interested in public interest cybersecurity to expand their skills and network. "We’ve already had people at other universities across the nation — and in countries like Peru and Taiwan — expressing interest in developing programs similar to this. It’s so valuable to have that knowledge and experience base,” said Lupo. The Consortium’s website serves as an online clearinghouse for teaching resources, curricula, case studies, and more.

Developing the Cybersecurity Workforce

Cybersecurity clinics have a dual purpose: The clinics not only deliver vital support to public interest organizations, but they also help grow the pipeline for cybersecurity talent. The clinics provide students with invaluable experience that prepares them for future careers. Beyond technical skills, students learn about teamwork, communication, and project management, and they’re given the opportunity to network with other university students participating in their own cybersecurity clinic.

“It’s a great opportunity for the students to learn best practices from each other and develop contacts across the country,” adds Lupo.

Each clinic within the Consortium is different: Some train undergraduates, and others offer graduate-level courses; and some focus on computer science departments, while others draw in students from fields like law, urban planning, public policy, and business. Clinics typically have between 15 to 40 students per academic term, with one or two faculty and staff advisers or mentors.

Cybersecurity clinics have a dual purpose: The clinics not only deliver vital support to public interest organizations, but they also help grow the pipeline for cybersecurity talent.

The students participating in these clinics typically do not directly manage clients’ digital networks; instead, they provide services such as vulnerability and risk assessments, cybersecurity policy templates, incident response plans, ransomware training, and tools for basic cyber hygiene. Safa Faki, a graduate student who participated in UC Berkeley’s Citizen Clinic, said, “Since working with the Citizen Clinic I have advised numerous civil society activists and victims of torture to better protect themselves in cyberspace. Cybersecurity is a fast-growing field where currently there are more jobs than there are trained individuals to take them.”

Tackling a Growing Threat

Cybersecurity is a looming threat for government, the private sector, and nonprofits alike. For vulnerable communities, cybersecurity defends them against malicious governments, powerful corporations, hate groups, and extremists. As ransomware attacks in recent years have targeted large networks of cities, hospitals, and other civic organizations, the demand for cybersecurity services has spiked.

In May 2021, the U.S. government began working to address the problem: President Biden issued the Executive Order on Improving the Nation’s Cybersecurity, calling for “bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.” Now, a growing number of philanthropic funders are stepping up to tackle the problem.

Craig Newmark Philanthropies (CNP), the charitable network of the Craigslist founder of the same name, recently committed to donating more than $50 million toward “cyber civil defense,” steering grants toward “educating and protecting American national and global security amid escalating cybersecurity threats.” CNP has been a lead supporter of the cybersecurity clinic model, providing funding for UC Berkeley’s Citizen Clinic.

With today’s looming cybersecurity threat, Matthew Hudnall, leader of the University of Alabama Cybersecurity Clinic, points to the role of clinics in helping protect vulnerable communities as they “assist public and private entities with resources and knowledge that their limited budgets simply cannot provide.”

“These clinics offer the opportunity for our academics and students to give back to the groups that provide vital services in our town,” Hudnall said.

To learn more, make a donation, or if you are interested in starting a cybersecurity clinic at your institution, visit the Consortium website or contact info@cybersecurityclinics.org.

Follow The Thread! Subscribe to The Thread monthly newsletter to get the latest in policy, equity, and culture in your inbox the first Tuesday of each month.