Students and faculty from 18 university-based cybersecurity clinics convened virtually to network and learn about the student-led Cyber Clinic at the University of Nevada Las Vegas

On April 18, the Consortium of Cybersecurity Clinics hosted its Spring 2024 “Clinic of Clinics”, a semesterly virtual event for students participating in cybersecurity clinics around the country to network, learn from experts in the field, and partake in group activities. This spring, 70 students from 18 different universities participated.

The event kicked off with a warm welcome from Ann Cleaveland, the Center for Long-Term Cybersecurity’s (CLTC) Executive Director, and Sarah Powazek, Director of CLTC’s Public Interest Cybersecurity Initiative. Both congratulated the Consortium on its recent growth.

Students then seized the opportunity to get better acquainted and network, grouping into breakout rooms to connect and learn more about the work being accomplished by their colleagues at other clinics. Attendees later regrouped to watch a presentation from the University of Nevada, Las Vegas’ (UNLV) Cyber Clinic, who showcased some internal tools and a training simulation students developed to teach new members. 

Mathew Salcedo and Angel Garcia, two co-founders of UNLV’s Cyber Clinic, explained how their clinic specializes in providing free cybersecurity services to small local businesses in the Las Vegas valley. 

The vast majority of clinics in the Consortium are faculty-led and taught as a semester-long course. UNLV’s Cyber Clinic is unique in that it operates as a student-led club, with support from faculty advisors, and operates year-round. This arrangement enables Cyber Clinic members to provide services to clients on an at-need basis, gives students more opportunities to gain experience working with different clients, and builds their skills over the course of their academic careers.

Salcedo and Garcia showcased the web portal application they created for their clinic. The portal is one of many internal tools their students have developed for Cyber Clinic, which serves to streamline clinic operations.

“Most of UNLV’s members have backgrounds in computer science, information systems, and cybersecurity. Many have an interest in software development,” said Salcedo. “This project allowed for some of our members to practice their programming and software development skills. Web applications are a very big portion of cybersecurity. In the past, members have been able to conduct penetration assessments or tests on our own website, too.” 

Garcia explained to the audience how UNLV clinic students access the portal using an email and password, landing at a central dashboard that hosts a timesheet application for members to track their volunteering hours working on cases for clients. The dashboard also featured a training library, where students can access and track completed cybersecurity certification training– including student-developed training and the CompTIA Security+ certification.

UNLV also shared their innovative approach to onboarding their clinic’s new members. Cyber Clinic’s leadership built a training simulation in Minecraft to prepare new members for conducting client site visits and train students how to identify cyber and operational risks in small businesses. At the “Clinic of Clinics” event, Salcedo and Garcia demoed a gameplay walkthrough of their Minecraft  simulation, which was modeled after the Krusty Krab restaurant from the Spongebob Squarepants television show. 

“We tried to incorporate every kind of cyber and operational security problem you may run into when working for a client,” said Salcedo. “We’ve tried to include, virtually, as many different problems and security risks that we’ve actually seen in restaurants or in small businesses in this simulation.” 

The simulation recreates a business owner’s office, visualized as Mr. Krabs office, complete with computers, smartphones, and tablets functioning as the point-of-sale system. Users can interact with these devices to evaluate their cybersecurity practices and identify any potential vulnerabilities.

What a journey this past year has been for us at the Consortium of Cybersecurity Clinics! As we embark on 2024, we’re eager to reflect on last year’s accomplishments and share new data collected from the 2022-23 academic year on the growth of the cybersecurity clinics.

Training More Students Than Ever Before

University-based cybersecurity clinics provide hands-on training to students from diverse backgrounds and academic expertise. This training initiative aims to strengthen the digital defenses of community organizations that often fall through the cracks of cyber defense, as well as train the next generation of cyber civil defenders.

Our latest data shows that over 880 students nationwide have benefitted from this training initiative. Moreover, the 2022-23 academic year marked a significant milestone for the Consortium, with a record-breaking number of over 450 students trained – a 150 percent increase from the previous year. This cohort represents the largest group of students trained in the Consortium’s five-year history.

Expansion of the Clinics Model

Since its inception five years ago in 2018, our network of university-based cybersecurity clinics has grown to encompass 15 active clinic locations. Our clinics now spread across nine different states, bringing us closer to our ultimate goal of launching a university cybersecurity clinic in all 50 U.S. states by 2030. 

The Consortium is committed to expanding the reach and impact of cybersecurity clinics in partnership with Google.org, which is committing more than $20 million dollars to support the creation and expansion of cybersecurity clinics at 20 higher education institutions across the United States.

80+ Public Interest Organizations Served

Many public interest organizations that provide essential public services lack the resources for basic cybersecurity self-defense. Our university-based cybersecurity clinics provide pro bono assistance to these kinds of “target-rich, resource-poor” organizations to help them develop long-term cybersecurity defense, increase their resilience, and expand their cyber security capacity.

Over the past five years, our clinics have supported 83 local and regional resource-strapped organizations with cybersecurity assistance. 

Clinics served a diverse range of public interest-aligned clients in the 2022-23 academic year. Non-profit organizations comprised over half of our clients (52%), with local governments following as the second-largest group served (18%). Additionally, Small businesses (10%) , K-12 education institutions (8%), and healthcare organizations (6%) made up a significant portion of our clientele, underscoring the breadth of our impact across various sectors.

The Work Ahead

The Consortium is proud of the expansion of the clinic model and the positive results this initiative has had for cybersecurity students and community organizations across the country.

Thank you for being a part of our journey. We look forward to continuing our mission to amplify the upside of the digital revolution and ensure that everyone can safely benefit from what technology has to offer. We cannot wait to see how the Consortium of Cybersecurity Clinics continues to grow and make an impact for public interest organizations in the coming year.

Stay tuned for more updates from the Consortium of Cybersecurity Clinics!

The Consortium of Cybersecurity Clinics is seeking a qualified individual for a full-time, year-round Membership Director position to support the Consortium in assisting universities around the country and the world with cybersecurity workforce development and protecting vulnerable organizations from cyberattacks.

The Membership Director supports the Consortium of Cybersecurity Clinics in assisting universities around the country and the world with cybersecurity workforce development and protecting vulnerable organizations from cyberattacks. The Consortium will be growing its membership by 10-20 or more universities and colleges over the next several years. This position works in close alignment with the Executive Committee of the Consortium of Cybersecurity Clinics, currently co-chaired by clinic leadership at the UC Berkeley Center for Long-Term Cybersecurity and the Massachusetts Institute of Technology. 

This is a fulltime, 2-year contract position with the possibility of extension and/or conversion to career.

Application Review Date

The First Review Date for this job is: March 23, 2024 – Open Until Filled

Responsibilities

Provides leadership, structure, and organization for the long-term effectiveness of the Consortium of Cybersecurity Clinics, with responsibility for administrative and programmatic activities. Leads short- and long- term planning, assesses effectiveness, and recommends changes to content, policies and procedures accordingly.

• Conducts strategic planning and works with the Consortium’s faculty executive committee to develop and implement strategic priorities for the Consortium.
• Develops annual program plans, including milestones/deliverables, timelines, monitoring and evaluation frameworks, and ecosystem development strategies.
• Monitors progress toward Consortium-wide goals and objectives, through semi-annual review meetings to review milestones/outputs and plan/problem solve. Establishes and collects key data points from Consortium members and supports related research about the impact of cybersecurity clinics.
• Prepares critical program outputs including briefing documents, donor reports, requests for proposals (RFPs), peer review protocols and templates, surveys, event concept notes and agendas.
• Represents the Consortium in recurring partners meetings and regular management meetings to facilitate knowledge-sharing and collaboration, promote efficiency, and maintain clear channels for feedback and communication.
• Conducts outreach, onboards, and stewards new members of the Consortium. Assesses the Consortium’s organizational effectiveness, and recommends changes to program’s content, policies and procedures to support the success of existing and new members of the Consortium.
• Creates and implements improved processes to qualify, welcome, onboard and steward new members.
• Oversees improvements to the Consortium’s backend infrastructure for member communication and information sharing; selects and supervises vendors to deliver results.
• Ensures that lessons-learned are shared and elevated with Consortium membership, to continue raising the bar for clinic effectiveness.

Facilitates the efforts of Consortium leadership, clinic faculty at various institutions, allied organizations, volunteers, donors and state, local and federal officials to collaboratively strengthen cybersecurity clinics across the US and worldwide.

• Facilitates collaborative problem-solving to reach solutions that benefit all parties.
• Expands the Consortium of Cybersecurity Clinics clearinghouse of clinical resources with new collaborative content; hosts a community of practice around clinical education / technical assistance with peer clinics.
• Develops symposiums, workshops and other convening events.
• Engages the clinic alumni community and corporate partners as ambassadors and program volunteers.
• Supports Consortium-wide programming related to skill development for students.
• Participates in external initiatives such as the Public Interest Technology University Network.

Participates in workshops and publicity events, and provides public relations oversight and social media support.

• Directs and manages professional PR / communications consultants, and student media interns to highlight the accomplishments of Consortium members
• Authors blogs, op-eds and/or social media content that raise visibility for the cybersecurity clinic model and the Consortium and change the way policymakers, researchers, and practitioners think about digital security technical assistance.
• Liaises with Consortium members to ensure that key research findings are communicated with the public and the field. Prepares collateral and data visuals that communicate impact and success stories.

Identifies and pursues funding opportunities and revenue streams.

• In coordination with Consortium leadership and development staff, stewards relationships with a range of program sponsors (including corporate partners, foundations, and private donors), carefully tracking priorities and identifying overlapping interests.
• Identifies and elevates funding opportunities that emerge from Consortium outreach, and helps connect member clinics to prospective funders.
• Participates in budgeting and accounting processes to support a self supporting financial outlook for the Consortium.
• Researches and plans for long-term governance and financial sustainability of the Consortium; presents options to the executive committee.

Required Qualifications

• Bachelor’s degree in cybersecurity, law, science & technology studies, public policy, information science, business, non-profit management or a related area, or equivalent years of related work experience.  
• Academic background in cybersecurity, law, science & technology studies, public policy, information science, business, non-profit management or a related area. 
• Demonstrated success building membership-based organizations, multi-institution collaborations and/or network organizations. 
• Advanced ability to work with an executive committee and/or advisory board to develop and implement a strategic plan.
• Ability to oversee strategic communications and public relations, and establish a basic social media presence.
• Demonstrated success with program building within an academic or other institution. Advanced program management skills, including project management, tracking deliverables, managing budgets, selection and supervision of vendors, and report writing. 
• Advanced interpersonal skills. Ability to lead collaborations with leaders in the field and to convene internal and external peers and experts to achieve results.
• Advanced oral and written communication skills.
• Demonstrated evidence of a commitment to advancing diversity, equity and inclusion.
• Ability to steward funders and other program supporters.

Preferred Qualifications

• 8+ years of management experience in membership-based organizations, coalitions or associations.
• Understanding of the unique digital security needs of under-resourced public interest organizations (such as public agencies, nonprofits, and small businesses).

Salary & Benefits

For information on the comprehensive benefits package offered by the University, please visit the University of California’s Compensation & Benefits website.

Under California law, the University of California, Berkeley is required to provide a reasonable estimate of the compensation range for this role and should not offer a salary outside of the range posted in this job announcement. This range takes into account the wide range of factors that are considered in making compensation decisions including but not limited to experience, skills, knowledge, abilities, education, licensure and certifications, analysis of internal equity, and other business and organizational needs. It is not typical for an individual to be offered a salary at or near the top of the range for a position. Salary offers are determined based on final candidate qualifications and experience. 

The budgeted salary or hourly range that the University reasonably expects to pay for this position is $120,000 to $160,000 annually. This is a 100% FTE, 2-year contract position eligible for full benefits.

Other Information

This is a fulltime, 2-year contract position with the possibility of extension and/or conversion to career.

BY SHANNON PIERSON, PUBLIC-INTEREST CYBERSECURITY FELLOW, CENTER FOR LONG-TERM CYBERSECURITY

At the Consortium of Cybersecurity Clinics’ monthly meetings in November and December 2023, members reflected on the year’s accomplishments and shared anecdotes about the successes of their individual clinics. 

Funding and Development Updates

• In an exciting update, clinic funding is coming to the EU! In partnership with Google.org, the European Cyber Conflict Research Incubator CIC (ECCRI CIC) will launch cyber clinics seminars at select European universities. The initiative aims to expand access and opportunities for students interested in learning about the field of cybersecurity. Clinics will open in Czechia, France, Germany, Greece, Poland, Romania, Spain, and Ukraine, offering tailored curriculums in the respective languages of these countries. 
• University of North Carolina (UNC) Chapel Hill received a grant to establish a cybersecurity clinic that is set to launch in early 2024. UNC clinic coordinators are currently crafting the course curriculum and actively seeking clients for the clinic’s inaugural class. 
• San Diego State University, California State University San Marcos, and National University are joining forces to create a regional cybersecurity clinic in Southern California. This collaboration is managed by the San Diego Cyber Center of Excellence and aims to foster cross-institutional collaboration amongst San Diego’s cyber defenders.

Cyber Civil Defense Research Updates

• Indiana University and Purdue University’s Cybertrack program, an initiative that connects Indiana’s local governments with cybersecurity experts for tailored advice, published its inaugural report in November 2023. The “Cybertrack Report” aggregates results and analysis from 23 cybersecurity assessments conducted on local government entities in Indiana. The report finds that most local governments in Indiana struggle to implement even the most fundamental cybersecurity controls, such as multi-factor authentication (MFA).
• The MIT Cybersecurity Clinic students recently conducted site visits for their clients in the New England area. These visits provided an opportunity for students to observe the physical assets of their clients, such as servers and building layouts. This hands-on experience helped enhance their understanding of employee access to IT assets, organizations’ operational security posture, and the overall company culture.
• The University of Georgia (UGA) CyberArch Clinic assisted seven different organizations this year, clients of which included city governments, water treatment facilities, and small business clients. Additionally, UGA opened a Women in Cybersecurity (WiCyS) chapter.
• Rochester Institute’s (RIT) clinic achieved success with a variety of client projects in 2023, including a first-of-its-kind collaboration with the Rochester Philharmonic Orchestra. As a token of appreciation, the orchestra graciously awarded students free tickets for their services. RIT observed a trend among non-profit clients: most prefer cybersecurity assessments over penetration testing. This preference stems from a desire by these organizations for practical advice on what specific cybersecurity program aspects they can implement to improve their cybersecurity posture.

CLTC congratulates all the members of the Consortium of Cybersecurity Clinics on yet another impactful year in training the next generation of cyber civil defenders and building cyber resilience for community organizations — we can’t wait to see how these initiatives expand in 2024!