BY SHANNON PIERSON, PUBLIC-INTEREST CYBERSECURITY FELLOW, CENTER FOR LONG-TERM CYBERSECURITY

At the Consortium of Cybersecurity Clinics’ monthly meetings in November and December 2023, members reflected on the year’s accomplishments and shared anecdotes about the successes of their individual clinics. 

Funding and Development Updates

• In an exciting update, clinic funding is coming to the EU! In partnership with Google.org, the European Cyber Conflict Research Incubator CIC (ECCRI CIC) will launch cyber clinics seminars at select European universities. The initiative aims to expand access and opportunities for students interested in learning about the field of cybersecurity. Clinics will open in Czechia, France, Germany, Greece, Poland, Romania, Spain, and Ukraine, offering tailored curriculums in the respective languages of these countries. 
• University of North Carolina (UNC) Chapel Hill received a grant to establish a cybersecurity clinic that is set to launch in early 2024. UNC clinic coordinators are currently crafting the course curriculum and actively seeking clients for the clinic’s inaugural class. 
• San Diego State University, California State University San Marcos, and National University are joining forces to create a regional cybersecurity clinic in Southern California. This collaboration is managed by the San Diego Cyber Center of Excellence and aims to foster cross-institutional collaboration amongst San Diego’s cyber defenders.

Cyber Civil Defense Research Updates

• Indiana University and Purdue University’s Cybertrack program, an initiative that connects Indiana’s local governments with cybersecurity experts for tailored advice, published its inaugural report in November 2023. The “Cybertrack Report” aggregates results and analysis from 23 cybersecurity assessments conducted on local government entities in Indiana. The report finds that most local governments in Indiana struggle to implement even the most fundamental cybersecurity controls, such as multi-factor authentication (MFA).
• The MIT Cybersecurity Clinic students recently conducted site visits for their clients in the New England area. These visits provided an opportunity for students to observe the physical assets of their clients, such as servers and building layouts. This hands-on experience helped enhance their understanding of employee access to IT assets, organizations’ operational security posture, and the overall company culture.
• The University of Georgia (UGA) CyberArch Clinic assisted seven different organizations this year, clients of which included city governments, water treatment facilities, and small business clients. Additionally, UGA opened a Women in Cybersecurity (WiCyS) chapter.
• Rochester Institute’s (RIT) clinic achieved success with a variety of client projects in 2023, including a first-of-its-kind collaboration with the Rochester Philharmonic Orchestra. As a token of appreciation, the orchestra graciously awarded students free tickets for their services. RIT observed a trend among non-profit clients: most prefer cybersecurity assessments over penetration testing. This preference stems from a desire by these organizations for practical advice on what specific cybersecurity program aspects they can implement to improve their cybersecurity posture.

CLTC congratulates all the members of the Consortium of Cybersecurity Clinics on yet another impactful year in training the next generation of cyber civil defenders and building cyber resilience for community organizations — we can’t wait to see how these initiatives expand in 2024!

The Consortium

Question: How does the Consortium support new clinics?

Answer: The Consortium is a forum for faculty, students, trainers, and advocates to network and share knowledge, expand the reach of cybersecurity clinics, and lower the barriers for other institutions of higher education to successfully establish their own clinics. We host a monthly conference call for peer learning and sharing among established and new clinics. Members have access to a growing library of collective resources, designed to help new clinics get up and running without recreating the wheel. Consortium lines of effort such as our fundraising and impact & learning committees are also aggregating best practices that will be available to new clinics.

New clinics can establish mentorship relationships with existing clinics, and we host events for clinic students and training workshops for clinic instructors (stay tuned for more information about a clinic-focused pre-conference workshop at the 2024 NICE Conference.) [Note: The Consortium’s mission is to help build the capacity of all cybersecurity clinics, and Consortium members don’t advise new clinics on individual grant applications for opportunities like the Google Cybersecurity Clinics Fund.]

Where to House A Clinic

Q: Does an institution have to have a well-developed Cybersecurity or Computer Science program to launch a cybersecurity clinic program?

A: No. Clinics can be established as part of a degree program that is not directly related to technology, or outside of degree programs (for example, as a student club.) Successful existing clinics are often interdisciplinary and may be housed in business schools, law schools, and other departments. Having a faculty champion and buy-in from departmental and institutional leadership and administration at launch is more important than having a cybersecurity or computer science degree program.

Curriculum

Q: Is there a set curriculum for a cybersecurity clinic?

A: No. Curricula vary across clinics, depending on the emphasis of the clinic and the course requirements in a given institution. However, many clinics have similar modules and learning outcomes. Several Consortium members have shared their syllabi and other course materials with the community. For more information, check out “Teaching Syllabi” on our Resources page, and/or get involved in the Consortium!

Student Recruitment

Q: Can students with no prior cybersecurity experience participate in a cybersecurity clinic?

A: Yes. Several existing clinics allow students from all majors and grade levels to join, regardless of prior experience. Most clinic programs provide initial training to students to make sure everyone has the shared baseline knowledge to participate (see examples from UC Berkeley and MIT ). Students from non-technical majors bring complementary knowledge, and often have transferable skills they do not even realize. An interdisciplinary approach helps to create a well rounded team able to effectively engage with the client and analyze requirements from multiple perspectives.

Q: How do clinics grow the number of students in their clinics?

A: In order to grow the clinic, students across your campus need to be aware of and inspired by the opportunity to participate in the clinic. There are many ways that clinics conduct outreach to students, like campus-wide postering, hosting info sessions for prospective clinic students, and developing partnerships with student affairs/student advising. The best ambassadors to recruit new students to the clinic are often alumni of the clinic who can speak to their experiences providing cybersecurity assistance to organizations in need.

Another common limiting factor is faculty and instructor capacity. Recruiting volunteer mentors is one way that clinic instructors have augmented their capacity to advise students in the clinic and accept more students into the program.

Student Registration

Q: Do clinics accept only currently-enrolled students?

A: Existing member clinics of the Consortium of Cybersecurity Clinics are higher education-based programs, and work with undergraduate (including community college) and graduate students. Some institutions can accept visiting students to the clinic on a case-by-case basis, without requiring formal admission. Check with your institution to find out about concurrent enrollment and visiting student policies.

The cybersecurity clinic model is adaptable to other types of cybersecurity workforce development programs (for example serving non-traditional students, folks returning to the workforce, career changers, or other community members). If you are interested in developing a cybersecurity clinic outside of a university or college, the Consortium welcomes your participation and membership. [Note: there are some opportunities, such as the Google Cybersecurity Clinics Fund, for which only institutions of higher education are eligible.]

Student Support

Q: Do clinics compensate students for work in the clinic? What kinds of student support do clinics offer?

A: It depends. Some clinics are able to support students financially for their work in the clinic, while others provide course credit, and still others function as an extracurricular activity. Each clinic will need to work within its host institution to decide if and how it wants to approach student support. Compensating students at the typical hourly rate of your institution, stipends, paid internships, course credit, and tuition relief (while in the clinic) are all options that have been used successfully. Schools should look internally at the different tax implications for students before selecting an approach.

Student Leadership

Q: Can students participate in creating and leading clinics?

A: Yes. Students bring great perspective and ideas to the design and implementation of a clinic. Some cybersecurity clinics are organized as student organizations, such as the successful Free Cyber Clinic at the University of Nevada, Las Vegas. [Note: there are some opportunities, such as the Google Cybersecurity Clinics Fund, which do not accept applications submitted independently by students and require a faculty or institution lead.]

Budget and Equipment

Q: What kind of equipment and supplies (e.g. hardware, software, or other equipment) should clinics budget for?

A: Clinics often provide laptops and security keys to students specifically for working in the clinic. At a minimum, clinics also need to purchase products and/or services that provide secure data storage and that allow for secure communication and collaboration between the clinic and its clients (for example, encrypted messaging and/or VPN services).

Q: What other guidance can I find on a start-up budget for a cybersecurity clinic?

A: The cost of clinic startup and operations depends on faculty teachers, paid student internships, materials, enrollment, and full-time support staff or TAs. Consortium clinics have found that $300k is a good funding target for the first year, and $100k each year thereafter. Page 11 of the Clinic Development Toolkit has more information on typical line-items in a start-up budget. Note that marketing and outreach may be needed to start-up a clinic and should be considered as you develop your clinic budget.

Clients

Q: How do clinics market their services to potential clients?

A: One successful approach to marketing clinic services is to partner with a community organization that can connect your clinic to organizations in need. Many clinics partner with local hubs that serve as trusted partners, vouching for the quality of the clinic program to potential clients, and finding clients that would most benefit from the free services. For example, clinics have partnered with the Small Business Development Centers in their communities who can help with outreach to small business owners. Other clinics have established partnerships with entities like the United Way. Once the clinic has an established track record, clients also come via word-of-mouth.

Q: Is a “clinic” seen as a time-limited event that happens annually, or an ongoing entity?

A: The university-based cybersecurity clinics in the Consortium are ongoing entities, where students and clients have the opportunity to develop a sustained engagement (i.e. over the course of a term or semester).

Instruction: Virtual vs. In Person

Q: Can clinics run virtually, or do they have to be in person?

A: Instruction and clinic participation can be either in person, virtual (online) or hybrid depending which is considered most effective for the clinic and client. We have seen all of these options work successfully in existing clinics. If the clinic’s clients are local, many clinics make an effort to have students meet with clients in-person.

Risk Management

Q: How do university-based cybersecurity clinics handle liability?

A: Typically, an MOU (sometimes called a Statement of Expectations) is executed between the clinic client and the clinic’s host institution. Clinic directors can work closely with their institution’s legal department or general counsel to work out the specifics of an MOU or other agreement. If you need help getting started, contact cybersecurityclinics@berkeley.edu for templates that have been shared by existing clinics and made available through the Consortium as a resource to the community. Many schools also require students to agree to a code of conduct for working in the clinic. See pages 13-14 of the Clinic Development Toolkit for more information.

Fundraising

Q: Do clinics fundraise?

A: Many clinics are supported at least partially by grants or other philanthropic support. Pages 11 and 12 of the Clinic Development Toolkit cover a range of fundraising strategies and tips including how to identify and approach prospective funders. The Consortium of Cybersecurity Clinics will expand clinic fundraising materials and suggestions on its Resources webpage in 2024 – stay tuned!

Students and faculty from 11 cybersecurity clinics joined to learn about cyber careers and tackle a scenario on hacktivism

BY SHANNON PIERSON, PUBLIC-INTEREST CYBERSECURITY FELLOW, CENTER FOR LONG-TERM CYBERSECURITY

On November 9, the Consortium of Cybersecurity Clinics hosted its semesterly “Clinic of Clinics”, a virtual event for students participating in cybersecurity clinics around the world to network, hear from experts in the field, and engage in tabletop exercises and other activities. This fall, 87 students from 11 university-based cybersecurity clinics participated, our largest turnout yet.

The event kicked off with a briefing from Matthew Grote, Senior Lead for Cyber Defense Innovations at the Cybersecurity and Infrastructure Security Agency (CISA). Grote provided a comprehensive overview of the agency’s mission and responsibilities, plus an in-depth analysis of the cybersecurity challenges posed by some of the most pernicious state and non-state threat actors operating in cyberspace. 

Grote explained that CISA’s cybersecurity mission is to reduce the most significant cyber risks across domestic cyberspace by providing guidance, coordination, policy actions, no-cost services, grants, and leadership focus. The agency is devoted to securing critical infrastructure, fostering operational collaboration with industry partners to ensure the security of their technology, and disrupting threat campaigns orchestrated by advanced persistent threat (APT) groups from nation-states and ransomware entities.

He also emphasized that CISA allocates a significant portion of its efforts and resources to understanding, monitoring, and countering cyber threats originating from a handful of state and non-state actors. These actors include the People’s Republic of China, Russia, North Korea, and Iran, as well as criminal ransomware groups. These threat actors are becoming increasingly sophisticated and aggressive, capitalizing upon the vulnerabilities of an increasingly interconnected society composed of devices and systems that are inherently difficult to defend.

Grote said that students interested in pursuing a cybersecurity-related career in the federal government can explore job opportunities on CISA’s career page, and they can pursue federal internships and scholarship and fellowship programs through CISA’s annual internship program, the CyberCorps: Scholarship for Service, the Presidential Management Fellows Program, and the Presidential Innovation Fellows Program.

Grote underscored the risks posed by adversaries in cyberspace to U.S. critical infrastructure, emphasizing CISA’s pivotal role in thwarting and safeguarding against imminent threats. 

“China is almost certainly capable of launching cyber attacks that could disrupt critical infrastructure services in the U.S., particularly against oil and gas pipelines and rail systems,” Grote said. “That capability is something we worry about at CISA. Our work focuses on hardening these networks to ensure we are prepared.”

Following Grote’s presentation, staff from the Atlantic Council’s Cyber Statecraft Initiative led students in a tabletop exercise based on a fictional scenario in which a cyberattack on a desalination plant in Los Angeles during the 2026 FIFA Men’s World Cup threatens the water supply in the region. In the narrative, an anti-capitalist hacktivist group claims responsibility for the attack, stating that its primary objective is to raise awareness about the cost-of-living crisis and housing insecurity in Los Angeles.

Students were assigned to smaller groups in breakout rooms. They analyzed the cyber incident by scrutinizing both facts and assumptions in the scenario, identifying relevant stakeholders, and formulating policy recommendations. They also outlined short-, medium-, and long-term objectives and evaluated worst-case versus likely outcomes. Finally, students deliberated on effective public communications strategies and reflected upon the increasing role of software and technology in society, proposing interventions that could prevent such incidents from occurring in the future.

The Atlantic Council’s learning activity, which was based off of scenarios they previously ran for the Cyber 9/12 Strategy Challenge, provided students from the cybersecurity clinics with a deeper understanding of the policy and strategy challenges associated with managing trade offs during a cyber crisis.

“We were debating back and forth about whether covert or overt action was the best practice initially,”  said Kincaid Keating, a student from the University of Alabama. “We eventually concluded that we should keep incident response covert and public communication about the attack limited until we obtained more information, scoped the damage, and obtained concrete facts about the incident. From that point, we discussed pulling in the appropriate agencies and building a team to look into this cyber incident to determine what assets were compromised and how this attack happened, and to begin system recovery.”

The exercise debrief concluded what was the most well-attended Clinic of Clinics in the Consortium’s history. Students who participated in the event will receive a custom mint-green challenge coin. They can collect a new coin for each Clinic of Clinics they participate in.

CLTC sends our sincere thanks to CISA, the Atlantic Council, and everyone who participated! Stay tuned for more from this community of public interest cyber defenders.