Cybersecurity clinics in higher education are the latest in an effort by academic institutions to bolster a national cyber workforce and serve their communities. We are absolutely thrilled to be celebrating two years of the Consortium and its members! Looking back on our history and successes of the last 24 months, the Consortium of Cybersecurity Clinics continues to serve as a central hub for universities across the nation looking to fund and grow cybersecurity clinics, each with tailored curriculum and outreach programs specific to their regions.

Before the official launch of the Consortium, three universities already had the basis for a clinic program. UC Berkeley, under their Citizen Clinic, launched a pilot program in 2018, hiring instructors and accepting students in Spring 2019 to participate in cybersecurity programs for course credit. The University of Indiana was implementing a similar program, soft-launching their clinic in the first academic semester of 2019, and in 2020, the MIT Science Impact Collaborative announced their plans to form the MIT Cybersecurity Clinic with support from PIT-UN.

With the launch of these programs, Berkeley and MIT set out to pull the programs together on a set of conference calls, the first of which took place in May 2021 and included participants from UC Berkeley, MIT, University of Indiana, University of Alabama and R Street Institute. The idea of a “Consortium” was originally pitched to the group as a community of practice that would meet informally a few times a year, but within the first month there was so much energy and enthusiasm that the program expanded into an international Consortium with monthly meetings and a vision of  creating “a cybersecurity clinic in every state by 2030.”

In the two years since its inception, the Consortium has grown from its website launch at UC Berkeley’s Center for Long-Term Cybersecurity in May 2022 into an international collaborative for universities and community colleges that train hundreds of new cyber defenders each year. Focusing on developing innovative strategy, planning courses and curriculum, and sharing best practices, the Consortium of Cybersecurity Clinics takes pride in expanding who participates in cyber through promoting regional diversity.

Our team could not haver imagined that what began as a few educators on a video call has developed into a collaboration of 10 active clinics, a growing network of 730+ alumni, and clientele of 120+ organizations nationwide.

On December 19, 2022, the Consortium of Cybersecurity Clinics, representing 10 universities across the United States, as well as a few regional cyber organizations, convened a meeting to celebrate the end of our second academic year. Here are some updates from Consortium Members:

• MIT announced the development of a new tool called SCRAM, which helps organizations understand where they stand with cybersecurity measures.
• Indiana University introduced a partnership with Purdue University and the State of Indiana, which includes a 4 year long, 4 million dollar partnership doing cybersecurity assessments for Indiana counties and municipalities.
• The University of Georgia announced 24 paid interns this fall that serviced 6 organizations, and hopes to bring on additional students in the spring.

Looking to the future, the Consortium of Cybersecurity has several agenda items in the works for their website, including a published Organizational Cybersecurity Maturity Model and a Cybersecurity Toolkit for all clinics to use for under-resourced clients and easily accessible to the general public. But most excitingly, the Consortium is looking forward to seeing the planned developments from members;

• RIT is trialing a SAFE (Security Assessment and Forensic Examination) lab program, paying students as interns on campus to do pentesting and enhancing their skills in the field.
• UNLV is looking for further funding and partnerships, having trialed a successful clinic model that is student led and operated, which trains students as well as partners with other universities to successfully operate a cybersecurity program. UNLV has also announced a methods course available for Spring 2023, which will break down the basics of cybersecurity components and aid students in developing their skills for the job field.
• Stillman College is in the early process of developing a cybersecurity clinic, and is working in close partnership with the Consortium.

In the coming year, the Consortium of Cybersecurity Clinics is looking forward to continuing its outreach program and funding new projects, as well as exploring the new opportunities that becoming an international hub has to offer.

Again, Happy 2nd Birthday to the Consortium, and thank you to all Members for their continued support to bolster cybersecurity clinics worldwide, train the next generation of civil defenders, and improve community resiliency to rising digital threats!

Indiana University, Perdue, and the Indiana Office of Technology are teaming up to help local governments shore up their cybersecurity with an impactful new initiative. The group will conduct cybersecurity maturity assessments for every local government in the state of Indiana, totalling 342 assessments over the next four years.

Congratulations to Consortium member Indiana University Cybersecurity Clinic on this exciting partnership! Cybersecurity clinics provide essential cybersecurity services to their communities, and this local initiative is poised to create tremendous benefit for both students and local governments. Learn more about the collaboration here.

UT has officially announced it is seeking a full-time director to run its new cybersecurity clinic! The director must be capable of delivering risk assessment and incident response services to local small businesses in the Austin community and will be expected to design and teach a course that would prepare students to participate effectively in the delivery of those services. The ideal candidate will be a cybersecurity professional with technical expertise as well as practical experience who has the interpersonal skills to build and maintain client relationships and succeed as a classroom instructor. Pay will be competitive and the position begins no later than the start of the spring semester in 2023.

The full job description can be found here.

The UC Berkeley Center for Long-Term Cybersecruity is recruiting for a Program Director to lead a flagship research program in public interest cybersecurity. This is a two-year contract position with full benefits and opportunity for renewal.

The role will focus leading a research and advocacy portfolio focused on cybersecurity technical assistance for civil society. Applications accepted through 6/17/2022. Apply here!

Our February gathering was our largest yet. We were thrilled to welcome faculty and staff to our discussions from cybersecurity programs at the University of Washington, Cleveland State, Clemson University, and the Universidad Católica del Perú (expanding our international membership). We were able to connect with many of our newer participants through joint engagement with the Public Interest Technology University Network.
 
 This month’s discussion centered on a best-practice sharing conversation about policies and technical infrastructure that protect the privacy and security of both clients and students during a clinic engagement. Each clinic needs to have an instructor, teaching assistant, or other staff person who is responsible for OpSec. Depending on the risk of the clinic’s target client demographic, individual clinics will elect different technical infrastructure and policies to protect student and client anonymity – for example, using VPNs, providing students with dedicated laptops and phones for client engagement, anonymizing client identities in class projects and written materials, among other measures. For managing data and communication risks between clients and clinics, Consortium members have been developing a framework that prompts new clinics to decide on policies and practices that address: Confidential data sharing, Access controls, Data protection (at rest, in use, and in transit), and Endpoint protection. Just a few examples of the questions that clinics need to solve before they launch include: What are the procedures for how faculty and students handle sensitive client data? What level of encryption is needed? How will the work product and final report from the clinic to client be stored and used by the school? Under what circumstances, and how, should client data be anonymized during and after an engagement?
 
Reach out to us at info@cybersecurityclinics.org to join the conversation!