How to Start a Cybersecurity Clinic

Consider the following scenarios.

"Amid the explosion of successful ransomware attacks worldwide, a small county government with no information technology (IT) staff developed a customized ransomware response plan that included a chain of command, a system shutdown plan and a negotiation cost-benefit analysis.

As social engineering continues to top the charts in data breach attack patterns, a fully volunteer-run nonprofit obtained high-quality cybersecurity awareness training materials and adopted training requirements for all members.

A critical infrastructure provider in a rural municipality patched software vulnerabilities and updated configuration settings that had created system exposures for years."

These sound like outcomes from expensive professional consulting engagements, yet they are sample successes from a small number of university-based cybersecurity clinics around the country whose students are helping public interest organizations develop their cybersecurity defenses free of charge.

In their August 2020 Lawfare post, “Improving Cyber-Oriented Education, One Cyber Clinic at a Time,” R Street policy director Tatyana Bolton and Chris Inglis, now White House national cyber director, make the appeal that cybersecurity clinics are mutually beneficial to universities, their students and their surrounding communities. And the importance of clinics’ contributions at the frontlines of cyber civil defense is only growing.

But how does a cybersecurity educator go about establishing a cybersecurity clinic? We are among the founding members of a growing and international Consortium of Cybersecurity Clinics, committed to expanding the number of cybersecurity clinics that serve the public good and to sharing resources among clinic practitioners. This post describes key considerations for new cybersecurity clinics, drawing on the combined expertise of clinics operating at Indiana University, Massachusetts Institute of Technology, University of Alabama, and University of California, Berkeley, among others. 

The good news is, many different kinds of clinics can be successful. Some of the clinics in the consortium teach undergraduates, and others offer graduate-level courses. Some clinics have their roots in computer science departments, and others draw students from urban planning, law, public policy, business and other disciplines. Clinics also have different specialties and areas of expertise. For example, the MIT Cybersecurity Clinic has built up expertise working with small towns and municipalities, as well as with hospitals in New England. The Citizen Clinic at UC Berkeley works globally with nonprofit clients at risk of politically motivated cyberattacks, such as women’s reproductive rights organizations and LGBTQ+ and international indigenous rights groups. In addition to local and regional nonprofits and critical infrastructure organizations, the clinics at Indiana University and University of Alabama also serve underresourced small businesses. 

We’ve discovered at least three operational areas in which successful clinics have practices in common, described further below: 

• Strategic planning: Before launching a clinic, defining the clinic’s target clients and services within the broad universe of cybersecurity risk helps to develop a core of expertise and repeatable processes. 
• Course structure and curriculum: Prequalification of students, smaller classes and a multidisciplinary approach to the cybersecurity curriculum have worked well for our clinics.
• Effective client relationships: Developing mechanisms to create shared expectations between clinic and client, and ensuring sustainability for client organizations, is critical to the ultimate goal of improving clients’ cyber defenses. 

Strategic Planning

Strategic planning is one of the most important and easiest-to-overlook elements of launching a successful clinic. In our collective experience, faculty interested in launching a clinic should factor in at least one academic term to plan and/or prototype a clinic before it will be up and running. Central to strategic planning is the determination of which services to provide to clients and the scope of those services. Given the fast-evolving threat landscape, the limitless creativity of adversaries, and digital technology’s reach into every aspect of human life, this may not be straightforward. Decision criteria include the risk tolerance of the client and clinic, the needs of the clients, the skill level of clinic practitioners—both faculty and students, and available tools.

For most university-based clinics, the risk to both clients and students is likely to be the first and most restrictive decision criterion to consider. Excluding more intrusive, higher risk operations from clinic services (such as application and infrastructure penetration testing, deployment of honeypots, or anything that modifies a client configuration) helps mitigate risks. Developing a risk management framework for clinic faculty to vet potential clients is also essential. For example, even a clinic specialized in assisting clients at high risk of politically motivated cyberattacks has occasionally had to turn away clients when circumstances prevented students from engaging safely. 

All clinics should implement policies and technical infrastructure that protect the privacy and security of both clients and students. Depending on the risk of the clinic’s target client demographic, individual clinics will elect different technical infrastructure and policies to protect student and client anonymity—using virtual private networks (VPNs), providing students with dedicated laptops and phones for client engagement, anonymizing client identities in class projects and written materials, among other measures. For managing data and communication risks between clients and clinics, consortium members use a framework that prompts each clinic to decide on policies and practices that address the following: confidential data sharing, access controls, data protection (at rest, in use and in transit), and endpoint protection. 

After considering risks, clinics should include in their strategic planning the specific needs dictated by the industry or type of organizations the clinic is targeting for assistance. Most clients share a common set of desired cybersecurity outcomes (for example, the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF) Framework: identify, protect, detect, respond and recover), and most engagements include gaining a clear understanding of the organization’s objectives and business model, information assets, network infrastructure, risk tolerance, and gaps in cybersecurity preparedness. However, different clients have substantially different service needs deriving from their threat and regulatory environments. For example, a regional hospital system will differ from a secondary school, and a reproductive rights group will differ from a voter education organization. Clinics are uniquely positioned to provide contextually informed assistance, underpinned by core areas of expertise and repeatable processes.

Finally, the capabilities of students is an important criterion when determining the scope of services. Low-risk services that may be easier for students to provide in the course of just one or two semesters include risk assessment, asset inventory (including noting higher risk assets such as those containing protected health information), basic network diagramming, policy and human resources handbook review (such as password, workstation, mobile device, travel and email policies), security training (like phishing identification and response, acceptable use), and vulnerability assessments. Clinics in the consortium have also helped manage supervisory control and data acquisition (SCADA) vulnerabilities, update privacy policies, and craft incident response plans. Even basic, low-risk services are very impactful and can make the difference between an inconvenient attack and a disastrous one.

Whether a clinic can recruit from across its campus will also affect the capabilities that student teams can offer to clients. Cybersecurity is a multifaceted endeavor, and successful client engagements depend on technical, policy and managerial skills. Domain knowledge in human behavior, law, city planning and other social sciences have proved valuable in our clinics in many situations. We have found that dedicating time and resources to recruiting, with messages about the impact of cybersecurity for the public good, resonates with diverse students and ultimately creates stronger teams to engage with clients.

Course Structure and Curriculum

Consortium members also have common best practices when it comes to structuring clinical courses and curricula. Clinics provide hands-on, experiential training, and instructors have a responsibility to ensure the services that student teams deliver to the clinic’s beneficiaries are high quality and sound. For these reasons, clinics will have smaller class sizes (ranging from 15 to 40 students per academic term), usually with one or two faculty and staff advisers or mentors. Most clinics then form teams of three to six students to engage with each client.

Successful clinics also implement mechanisms for prequalifying the students who will participate in client engagements. Clients need to be confident that the students conducting cybersecurity assistance have a standard of knowledge, skills and motivation before the engagement begins. Effective qualifying mechanisms vary. Some clinics have course prerequisites in computer science or cybersecurity. At Berkeley, students apply to enroll in the course, describing the skills they will contribute and their motivation for joining a public interest clinic. MIT has developed a teaching tool to certify undergraduates before matching them with client organizations—a four-week, open-source, introductory course in Cybersecurity for Critical Urban Infrastructure. At the University of Alabama, students must be enrolled in a qualifying cybersecurity class and complete the MIT Cybersecurity for Critical Urban Infrastructure course. Other U.S.-based clinics are also starting to require that students acquire this certification before embarking on client engagements, and through its open-source, online version the course has reached over 7,000 more students globally. 

Client service and consulting skills are among the most practical and valuable capabilities developed by students in cybersecurity clinics. Strong clinic curricula include coaching in relationship management skills that prepare students for client interactions and for the reality of future cybersecurity roles. The Cybersecurity for Critical Urban Infrastructure course includes modules that simulate client interactions, teaching students how to have productive conversations around potentially sensitive or embarrassing security findings and how to constructively engage stakeholders.

The University of Alabama leverages its business cybersecurity students to identify risks and perform a basic risk assessment. They learn basic risk assessment techniques in the classroom as well as business continuity planning. They also have hands-on experience with vulnerability scanning software tools in the classroom before applying those tools to a client’s network. The installation is handled by the client’s IT resource, and vulnerability scans are collected, interpreted, and analyzed by the student team and shared with the IT vendor and client.

Best-practice curricula also teach students how to protect themselves as cybersecurity practitioners while they are helping to protect their clients. Measures include online, physical safety and mental health components. For example, some clinic engagements teach students to set up privacy-preserving phone numbers and end-to-end encrypted messaging depending on the types of adversaries that their clients face. Berkeley’s Citizen Clinic curriculum introduces the concept of psychosocial resilience and a module covering how mental wellness impacts security practitioners and the organizations that they support.

Effective Client Relationships

At the end of the day, cybersecurity clinics make an impact on cyber resilience only if they have effective relationships with their clients. Onboarding and offboarding of clients are critical components of effectiveness. 

Onboarding must take into account a truism of underresourced public interest and civil society organizations: Their time is often their most scarce and valuable asset. Defining shared expectations for the client’s time commitment, and the return on investment that the client will receive for that commitment, is paramount. We have found that leadership buy-in at client organizations during the onboarding stage can be the difference between a project that delivers meaningful cybersecurity defense and one that falls short of real impact. At a minimum, onboarding should include definition of a feasible and impactful project, or a course structure that inherently defines project scope (such as student teams conduct and deliver a cybersecurity risk assessment in the course of a semester), and signed agreements, such as a client memorandum of understanding, a letter of agreement, and potentially a nondisclosure agreement. Clinics may work with their university’s office of legal affairs or general counsel to draft such agreements, which should spell out the client’s and clinic’s mutual responsibilities for a successful engagement. 

When it comes to offboarding, sustainability is a hallmark of an effective client engagement. Rarely, if ever, do our clinics’ clients have the human or financial resources typical of an enterprise-level IT department or security organization. Mitigations or security measures recommended or implemented by student teams need to align with the client’s capacity to maintain them over time. This often means that custom code, new security software or anything with a technical administrative burden to the client organization will be less effective than helping a client update existing software, improve security policies and procedures, or train nontechnical staff in cybersecurity. And when offboarding after a semester, every clinic-recommended measure must have an internal owner at the client organization who will have the capacity and authority to incorporate the recommendation into their daily workflow going forward. 

Finally, all clinics would ideally have mechanisms for evaluating the effectiveness of their cybersecurity assistance as a component of offboarding and follow-up. Many clinics use post-engagement surveys and exit interviews to better understand how effective they have been at helping clients reduce cyber vulnerabilities. And through datasets that clinics are beginning to accumulate about the preparedness of their public interest and civil society clients, we hope to develop a more textured understanding of the resilience measures that are most needed. But evaluation of cybersecurity resilience has an element of proving the counterfactual—a perennial challenge recognizable to many in the field: How do you prove that a client experienced fewer cybersecurity harms than it would have experienced in the absence of the clinic’s services? Our clinics are grappling with the deeper challenge together through discussions convened by the Consortium of Cybersecurity Clinics.

University-based cybersecurity clinics are a way for universities to meet their ideals and responsibilities for public service by addressing two intersecting challenges at once. Clinics help fill the tremendous and growing need for cybersecurity talent that will enter the workforce with hands-on experience. Clinics also develop resilience in important, at-risk sectors that can least afford cybersecurity technical assistance—such as small public agencies, human rights organizations and local businesses. But any one clinic can make only a finite contribution. To generate the impact to which we aspire, university-based cybersecurity clinics need to be replicated in every U.S. state, serve every region and provide specialized technical assistance to many kinds of underserved clients. We hope the resources and “how-to” advice we offer here reduce the start-up barriers for others.

Note: The authors are founding members of a Consortium of Cybersecurity Clinics with international membership. For additional teaching resources and/or information about how to become involved, please visit cybersecurityclinics.org.