Month: January 2024

Congressman Marc Veasey Advocates for Cybersecurity Clinics to Close Workforce Gaps and Strengthen National Security

Texas Congressman Marc Veasey recently spoke as an advocate for cybersecurity clinics, a trailblazing model that is scaling nationally and worldwide through the Consortium of Cybersecurity Clinics. 

Veasey, a member of the U.S. House of Representatives Committee on Energy and Commerce, made the remarks as part of a January 11 subcommittee hearing titled “Safeguarding Americans’ Communications: Strengthening Cybersecurity in a Digital Era.” The purpose of the hearing was to respond to the increasing frequency and complex nature of cyberattacks and mitigate the risks to America’s communications networks.

Congressman Marc Veasey

“Clinics offer a potential path to help increase the number of cybersecurity professionals and help [underrepresented] civil society organizations, state and local government agencies, and small and medium-sized businesses develop their cyber workforce security.“

Congressman Veasey

In Fall 2022, Congressman Veasey also introduced the Cybersecurity Clinics Grant Program Act, which would create a Department of Homeland Security (DHS) grant program to fund higher education-based cybersecurity clinics at community colleges and minority-serving institutions. The legislation would also require DHS to develop an experiential cybersecurity curriculum for grant recipients.

A recording and transcript of Congressman Veasey’s remarks can be found below.

“What a great hearing to talk about cybersecurity defenses — I think that we cannot have enough conversations about it. I think that we need to continue to do everything that we can to raise awareness amongst the American public and even empower individual Americans to do what they can in their own small businesses and homes to protect themselves. 

Last Congress, I introduced the Cybersecurity Clinics Grant Program Act. The bill would create a grant program at the Department of Homeland Security to fund higher education-based cybersecurity clinics at community colleges and minority-based institutions. 

Cybersecurity clinics are interactive, they’re personalized workshops that provide education on the importance of protecting devices, data, and identity from physical and digital compromise. It’s my belief that this model can really empower students and we can start working with people while they’re young — before they start their businesses and have to worry about their own households being compromised — on how they can protect themselves. 

The benefits of these clinics at higher education institutions are twofold: the first is that these clinics really do offer a potential path to help increase the number of cybersecurity professionals; and the clinics help [underrepresented] civil society organizations, state and local government agencies, and small and medium-sized businesses develop their cyber workforce security. 

Because again, I think that everyone is going to have to participate sooner or later in order to get this right. Efforts like these should help set the framework for a robust and strategic pipeline that can close the cyber workforce and skills gap while also strengthening our national security defenses domestically and globally.” 

Clinics in Review: 2023 Highlights and Impact

BY SHANNON PIERSON, PUBLIC-INTEREST CYBERSECURITY FELLOW, CENTER FOR LONG-TERM CYBERSECURITY

At the Consortium of Cybersecurity Clinics’ monthly meetings in November and December 2023, members reflected on the year’s accomplishments and shared anecdotes about the successes of their individual clinics. 

Funding and Development Updates

  • In an exciting update, clinic funding is coming to the EU! In partnership with Google.org, the European Cyber Conflict Research Incubator CIC (ECCRI CIC) will launch cyber clinics seminars at select European universities. The initiative aims to expand access and opportunities for students interested in learning about the field of cybersecurity. Clinics will open in Czechia, France, Germany, Greece, Poland, Romania, Spain, and Ukraine, offering tailored curriculums in the respective languages of these countries. 
  • University of North Carolina (UNC) Chapel Hill received a grant to establish a cybersecurity clinic that is set to launch in early 2024. UNC clinic coordinators are currently crafting the course curriculum and actively seeking clients for the clinic’s inaugural class. 
  • San Diego State University, California State University San Marcos, and National University are joining forces to create a regional cybersecurity clinic in Southern California. This collaboration is managed by the San Diego Cyber Center of Excellence and aims to foster cross-institutional collaboration amongst San Diego’s cyber defenders.

Cyber Civil Defense Research Updates

  • Indiana University and Purdue University’s Cybertrack program, an initiative that connects Indiana’s local governments with cybersecurity experts for tailored advice, published its inaugural report in November 2023. The “Cybertrack Report” aggregates results and analysis from 23 cybersecurity assessments conducted on local government entities in Indiana. The report finds that most local governments in Indiana struggle to implement even the most fundamental cybersecurity controls, such as multi-factor authentication (MFA).
  • The MIT Cybersecurity Clinic students recently conducted site visits for their clients in the New England area. These visits provided an opportunity for students to observe the physical assets of their clients, such as servers and building layouts. This hands-on experience helped enhance their understanding of employee access to IT assets, organizations’ operational security posture, and the overall company culture.
  • The University of Georgia (UGA) CyberArch Clinic assisted seven different organizations this year, clients of which included city governments, water treatment facilities, and small business clients. Additionally, UGA opened a Women in Cybersecurity (WiCyS) chapter.
  • Rochester Institute’s (RIT) clinic achieved success with a variety of client projects in 2023, including a first-of-its-kind collaboration with the Rochester Philharmonic Orchestra. As a token of appreciation, the orchestra graciously awarded students free tickets for their services. RIT observed a trend among non-profit clients: most prefer cybersecurity assessments over penetration testing. This preference stems from a desire by these organizations for practical advice on what specific cybersecurity program aspects they can implement to improve their cybersecurity posture.

CLTC congratulates all the members of the Consortium of Cybersecurity Clinics on yet another impactful year in training the next generation of cyber civil defenders and building cyber resilience for community organizations — we can’t wait to see how these initiatives expand in 2024!

Commonly Asked Questions About Cybersecurity Clinics

Since the Consortium published the Clinic Development Toolkit last July, we’ve had great conversations with people in the community about how to start a cybersecurity clinic. 

In all our conversations, we continue to emphasize that there is no one “right way” to implement a clinic successfully. The model is adaptable to institutions of different sizes, resources, and degree programs. 

Here are some answers to common questions we hear from folks interested in starting up new clinics:

Cover image of the Clinic Development Toolkit
Download the toolkit

The Consortium

Question: How does the Consortium support new clinics?

Answer: The Consortium is a forum for faculty, students, trainers, and advocates to network and share knowledge, expand the reach of cybersecurity clinics, and lower the barriers for other institutions of higher education to successfully establish their own clinics. We host a monthly conference call for peer learning and sharing among established and new clinics. Members have access to a growing library of collective resources, designed to help new clinics get up and running without recreating the wheel. Consortium lines of effort such as our fundraising and impact & learning committees are also aggregating best practices that will be available to new clinics.

New clinics can establish mentorship relationships with existing clinics, and we host events for clinic students and training workshops for clinic instructors (stay tuned for more information about a clinic-focused pre-conference workshop at the 2024 NICE Conference.) [Note: The Consortium’s mission is to help build the capacity of all cybersecurity clinics, and Consortium members don’t advise new clinics on individual grant applications for opportunities like the Google Cybersecurity Clinics Fund.]

Where to House A Clinic

Q: Does an institution have to have a well-developed Cybersecurity or Computer Science program to launch a cybersecurity clinic program?

A: No. Clinics can be established as part of a degree program that is not directly related to technology, or outside of degree programs (for example, as a student club.) Successful existing clinics are often interdisciplinary and may be housed in business schools, law schools, and other departments. Having a faculty champion and buy-in from departmental and institutional leadership and administration at launch is more important than having a cybersecurity or computer science degree program.

Curriculum

Q: Is there a set curriculum for a cybersecurity clinic?

A: No. Curricula vary across clinics, depending on the emphasis of the clinic and the course requirements in a given institution. However, many clinics have similar modules and learning outcomes. Several Consortium members have shared their syllabi and other course materials with the community. For more information, check out “Teaching Syllabi” on our Resources page, and/or get involved in the Consortium!

Student Recruitment

Q: Can students with no prior cybersecurity experience participate in a cybersecurity clinic?

A: Yes. Several existing clinics allow students from all majors and grade levels to join, regardless of prior experience. Most clinic programs provide initial training to students to make sure everyone has the shared baseline knowledge to participate (see examples from UC Berkeley and MIT ). Students from non-technical majors bring complementary knowledge, and often have transferable skills they do not even realize. An interdisciplinary approach helps to create a well rounded team able to effectively engage with the client and analyze requirements from multiple perspectives.

Q: How do clinics grow the number of students in their clinics?

A: In order to grow the clinic, students across your campus need to be aware of and inspired by the opportunity to participate in the clinic. There are many ways that clinics conduct outreach to students, like campus-wide postering, hosting info sessions for prospective clinic students, and developing partnerships with student affairs/student advising. The best ambassadors to recruit new students to the clinic are often alumni of the clinic who can speak to their experiences providing cybersecurity assistance to organizations in need.

Another common limiting factor is faculty and instructor capacity. Recruiting volunteer mentors is one way that clinic instructors have augmented their capacity to advise students in the clinic and accept more students into the program.

Student Registration

Q: Do clinics accept only currently-enrolled students?

A: Existing member clinics of the Consortium of Cybersecurity Clinics are higher education-based programs, and work with undergraduate (including community college) and graduate students. Some institutions can accept visiting students to the clinic on a case-by-case basis, without requiring formal admission. Check with your institution to find out about concurrent enrollment and visiting student policies.

The cybersecurity clinic model is adaptable to other types of cybersecurity workforce development programs (for example serving non-traditional students, folks returning to the workforce, career changers, or other community members). If you are interested in developing a cybersecurity clinic outside of a university or college, the Consortium welcomes your participation and membership. [Note: there are some opportunities, such as the Google Cybersecurity Clinics Fund, for which only institutions of higher education are eligible.]

Student Support

Q: Do clinics compensate students for work in the clinic? What kinds of student support do clinics offer?

A: It depends. Some clinics are able to support students financially for their work in the clinic, while others provide course credit, and still others function as an extracurricular activity. Each clinic will need to work within its host institution to decide if and how it wants to approach student support. Compensating students at the typical hourly rate of your institution, stipends, paid internships, course credit, and tuition relief (while in the clinic) are all options that have been used successfully. Schools should look internally at the different tax implications for students before selecting an approach.

Student Leadership

Q: Can students participate in creating and leading clinics?

A: Yes. Students bring great perspective and ideas to the design and implementation of a clinic. Some cybersecurity clinics are organized as student organizations, such as the successful Free Cyber Clinic at the University of Nevada, Las Vegas. [Note: there are some opportunities, such as the Google Cybersecurity Clinics Fund, which do not accept applications submitted independently by students and require a faculty or institution lead.]

Budget and Equipment

Q: What kind of equipment and supplies (e.g. hardware, software, or other equipment) should clinics budget for?

A: Clinics often provide laptops and security keys to students specifically for working in the clinic. At a minimum, clinics also need to purchase products and/or services that provide secure data storage and that allow for secure communication and collaboration between the clinic and its clients (for example, encrypted messaging and/or VPN services).

Q: What other guidance can I find on a start-up budget for a cybersecurity clinic?

A: The cost of clinic startup and operations depends on faculty teachers, paid student internships, materials, enrollment, and full-time support staff or TAs. Consortium clinics have found that $300k is a good funding target for the first year, and $100k each year thereafter. Page 11 of the Clinic Development Toolkit has more information on typical line-items in a start-up budget. Note that marketing and outreach may be needed to start-up a clinic and should be considered as you develop your clinic budget.

Clients

Q: How do clinics market their services to potential clients?

A: One successful approach to marketing clinic services is to partner with a community organization that can connect your clinic to organizations in need. Many clinics partner with local hubs that serve as trusted partners, vouching for the quality of the clinic program to potential clients, and finding clients that would most benefit from the free services. For example, clinics have partnered with the Small Business Development Centers in their communities who can help with outreach to small business owners. Other clinics have established partnerships with entities like the United Way. Once the clinic has an established track record, clients also come via word-of-mouth.

Q: Is a “clinic” seen as a time-limited event that happens annually, or an ongoing entity?

A: The university-based cybersecurity clinics in the Consortium are ongoing entities, where students and clients have the opportunity to develop a sustained engagement (i.e. over the course of a term or semester).

Instruction: Virtual vs. In Person

Q: Can clinics run virtually, or do they have to be in person?

A: Instruction and clinic participation can be either in person, virtual (online) or hybrid depending which is considered most effective for the clinic and client. We have seen all of these options work successfully in existing clinics. If the clinic’s clients are local, many clinics make an effort to have students meet with clients in-person.

Risk Management

Q: How do university-based cybersecurity clinics handle liability?

A: Typically, an MOU (sometimes called a Statement of Expectations) is executed between the clinic client and the clinic’s host institution. Clinic directors can work closely with their institution’s legal department or general counsel to work out the specifics of an MOU or other agreement. If you need help getting started, contact cybersecurityclinics@berkeley.edu for templates that have been shared by existing clinics and made available through the Consortium as a resource to the community. Many schools also require students to agree to a code of conduct for working in the clinic. See pages 13-14 of the Clinic Development Toolkit for more information.

Fundraising

Q: Do clinics fundraise?

A: Many clinics are supported at least partially by grants or other philanthropic support. Pages 11 and 12 of the Clinic Development Toolkit cover a range of fundraising strategies and tips including how to identify and approach prospective funders. The Consortium of Cybersecurity Clinics will expand clinic fundraising materials and suggestions on its Resources webpage in 2024 – stay tuned!

Subscribe to the Consortium