Improving Cyber-Oriented Education, One Cyber Clinic at a Time

Cybersecurity talent gaps continue to exist across the United States, yet private sector leaders and the federal government have not been able to make the meaningful investments necessary to fill the more than half a million​ current vacancies nationwide, including more than 33,000 vacancies in the public sector workforce alone. Cybersecurity clinics ​offer a high-potential path to sharply increase the number of experienced cybersecurity professionals coming out of U.S. universities at minimal cost and with low barriers to expansion. Located in a region with an insatiable appetite for cybersecurity talent and an impressive array of educational institutions, the greater Washington, D.C. area would be the perfect place to pilot a regional program.

This issue of cyber workforce shortfalls and its impact on national security was a key focus of the Cyberspace Solarium Commission's (CSC) final report released earlier this year. The commission was established in the 2019 National Defense Authorization Act (NDAA) ​to develop a consensus on a new strategic approach for defending the United States in cyberspace. More specifically, the commission comprehensively reviewed existing policies and proposed 82 remedies, all of which, the commission argued, are dependent on the underlying foundation of recruiting, developing, and retaining a robust cyber workforce. The commission recommended a number of proposals to improve federal support for private sector, state and local efforts to improve cyber education as well as workforce development to fill the gap of cybersecurity talent within the federal workforce. These included diversifying the pool of candidates for cyber work; commiting to recruiting beyond conventional pathways into the government; expanding the existing CyberCorps: Scholarship for Service program, ​which provides cyber scholarships in exchange for a student’s commitment to a period of two years of public service; and a recommendation for the U.S. government to promote digital literacy and civics education as a national security imperative.

The comprehensive strategy needed to address cybersecurity workforce shortfalls will require the combined efforts of federal, state, local and private sector resources focused on a spectrum of programs ranging from creating awareness to developing specific skills and expertise. However, one recommendation in particular is a quick-start project that can increase the number of students coming out of colleges and universities with experience at relatively modest cost: cybersecurity clinics.

Cybersecurity clinics tackle one of the most daunting challenges of filling cyber security jobs by offering a means to combine education with hands-on experience as early as possible. Even with the necessary academic credentials, only a quarter ​of surveyed students responded that educational programs were adequately preparing them for entry level cybersecurity jobs. These numbers suggest that, despite progress in increasing cybersecurity educational opportunities like apprenticeships and fellowships, the United States falls short in giving students the hands-on experience needed for the cybersecurity careers that are becoming increasingly important to our nation’s national security. Equally important, early hands-on experience gives students an earlier introduction to the increasingly interdisciplinary nature of field cybersecurity work, and thus increases both their effectiveness and early employability. This reality mirrors the experience of the medical profession, where every member of the practice–nurses, physician assistants, doctors, and specialists–needs a mix of hands-on experience to leaven their academic studies as a precondition for employment.

As noted in the Solarium Commission’s March 2020 report, cybersecurity clinics are one way to improve cyber-oriented education and provide hands-on training for cybersecurity positions from day one. This very encouraging new concept, pioneered at the University of California Berkeley’s Center for Long Term Cybersecurity, provides experience to students while sharing students’ expertise with underserved organizations in the community. As the university notes, this leadership-focused program helps “build a pipeline of public-interest technologists who know how to help under-resourced organizations operating in complex political, sociological, and legal contexts.” Students in cyber clinics create interdisciplinary teams, perform threat assessments, security audits, implement risk-mitigation strategies and craft policy to defend civil society organizations from cyber threats. “The public interest clinic model not only gives students hands-on experience with what it is really like to practice cybersecurity, privacy, and digital safety,” says Sean Brooks, Director of UC Berkeley’s Citizen Clinic, it draws in a greater diversity of students from programs and backgrounds not traditionally associated with the field. This is critical—if we’re going to solve the public problems of the future, we need a generation of public interest technologists who can work collaboratively across disciplines to resolve a new generation of threats.”

U.C. Berkeley’s program, along with others at Indiana University and in Malaysia, offer a compelling vision ​and proven skills development roadmap for educators and employers to close the widening cyber talent gap. With the growing demand for cybersecurity skills, the greater Washington, D.C. area would be a perfect incubator. Defense contractors, cybersecurity firms and regional powerhouses in health, finance and technology development from the Dulles technology corridor to Baltimore are perfect landing places for experienced cyber graduates. In a region where a major city was held hostage by a ransomware cybersecurity attack ​in the last year, and that also serves as host to the federal government, intelligence community and the national defense enterprise, cyber clinics could help produce more experienced cybersecurity talent that is very much in demand in today’s strategic landscape. Based on the demonstrated success of these existing programs, it is clear that cybersecurity clinics could speed up the creation of necessary skills and experience to start reducing the United States’s half a million cybersecurity vacancies by producing a steady stream of program-specific work opportunities in a collaborative environment.

To provide the necessary expertise and training, the Washington, D.C. region boasts one of the highest densities of universities in the country and multiple Centers of Academic Excellence​ and CyberCorps Scholarship for Service institutions. All of these colleges and universities provide alumni networking; internship opportunities; professional alliances and clubs; and other programs to connect their graduates with post-graduation professional opportunities. None of these programs, however, are as impactful in providing hands-on experience as the clinic model perfected by Berkeley and the legal ​and medical​ communities which cybersecurity should now emulate. Like internships and fellowships, cybersecurity clinics allow students to work in cybersecurity right out of school. But unlike those traditional programs, cybersecurity clinics are mutually beneficial to both a university’s students and to its surrounding community.

Just as legal and medical clinics enhance access to justice and medicine, cybersecurity clinics would enhance skills development, access to cybersecurity policy and assessments and build capacity in civil society organizations. In the medical profession, 111 clinics ​in 25 states are each run by around 16 student volunteers and are credited as coursework. Cyber clinics can be similarly​ funded by the school or outside sources. (American University, for instance, has 12 legal clinics in areas such as International Human Rights, Disability Law and Employment Law among others.) With the open-source syllabi​ provided by U.C. Berkeley, as well as standard confidentiality agreements, hold-harmless agreements and a small professional staff which oversee student involvement, these clinics can be replicated by numerous Universities at small cost. In many cases, communities served by the projects, as well as private sponsors, contributed ​to the projects and can contribute to new projects in different regions. The private sector and philanthropic organizations are also critical to the success of these programs and should consider cyber clinics a good investment for public interest and national security.

With their advantages of relatively small investment, easy replication and hands-on experience, cybersecurity clinics could be a timely means to improve cyber-oriented education. With one of the largest cohorts of universities in the country and a diverse and burgeoning marketplace in great need of skilled cyber talent, the greater Washington D.C. area offers an excellent venue to use the cyber clinic model to address the growing national deficit in experienced cyber professionals.