The UC Berkeley Center for Long-Term Cybersecurity's Consortium of Cybersecurity Clinics gives students hands-on experience that will help them land jobs, while at the same time bolstering the cyber readiness of small organizations with limited budgets. This type of volunteer program is important to reducing chances of damaging cyber attacks, while policymakers seek long-term solutions for making the overall digital landscape safer, panelists said during the 2024 RSA Conference.
The Consortium of Cybersecurity Clinics launched in 2021 and coordinates and shares best practices among 15 university-based clinics across the U.S., which support entities like local governments, critical infrastructure, small businesses and nonprofits.
Nonprofits have traditionally thought their humanitarian visions put them out of harm’s way, but the 2022 hack on the Red Cross dispelled that hope, said Adrien Ogée, chief operations officer at the CyberPeace Institute. And even when criminals aren’t specifically targeting nongovernmental organizations, they seem to be willing to extort any they happen to hit in mass and indiscriminate attacks. Ideologically motivated attackers also pursue certain nonprofits, like those focused on refugee assistance, LGBT advocacy or women’s health care, said Sarah Powazek, program director of Public Interest Cybersecurity at the Center for Long-Term Cybersecurity.
In the cyber clinic initiative, faculty oversee computer science and cybersecurity students in providing certain cyber supports. They might advise on matters like patching and multifactor authentication, or they may translate advice from respected organizations like the National Institute of Standards and Technology and Center for Internet Security, which otherwise may be too complicated for the average part-time IT person to easily parse, Powazek said.
While the Consortium of Cybersecurity Clinics shares its best ideas, each clinic also charts a localized approach, Powazek said. One at Indiana University has been helping the local fire department, for example, she said. Meanwhile, per the consortium’s website, the Massachusetts Institute of Technology’s clinic offers public agencies and elected officials consultation about their cyber vulnerabilities with low-cost ways to improve. Clinics also increasingly have been putting focus on small utilities like wastewater treatment plants and electric co-ops, Powazek said.
The Consortium of Cybersecurity Clinics is also working to build up its network of volunteer program contacts, so that if a clinic does not itself provide a service, the consortium can direct organizations to someone who does, Powazek said.
Some non-consortium initiatives have explored similar tactics, also having students train while supporting local entities. For example, nonprofit CyberTrust Massachusetts oversees an initiative in which students at participating community colleges and state universities work in security operations centers and cyber ranges to provide low-cost cyber services to municipalities, small businesses and nonprofits.
And overseas, Ogée’s Switzerland-based CyberPeace Institute acts as a matchmaker to pair nonprofits around the world with industry professionals who can help with short-term jobs for free. This benefit works both ways: Volunteers get to build their skills and reputations, while companies can burnish their public image by helping with cybersecurity, which is often seen as a noncontroversial social good, Ogée said.
Small organizations sometimes don’t know how to get started on cybersecurity, and many say they try calling police or city counselors for advice, Powazek said. But those figures usually aren’t prepared to field the questions. So, in another initiative, the Center for Long-Term Cybersecurity's Public Interest Cybersecurity program is collaborating with San Francisco to survey local nonprofits and learn what needs they have, so the program and the city can consider how to help meet needs.
While Powazek and Ogée celebrated volunteer initiatives that help to fill cybersecurity service gaps for small entities, they also cautioned that more needs to be done, and that programs like cyber clinics shouldn’t be depended on as a long-term fix.
“[These programs] need to continue, they need to be well-funded,” Ogée said. “They need to be able to protect those that are not being protected until policymakers are able to find the systemic solution.”
Powazek similarly said that while cyber clinics are helpful, they shouldn’t be the main source of cybersecurity.
“In the long term … how do we shift the responsibility away so that our programs are helpful, but not where the buck stops for these organizations?” Powazek said. “When we're talking about critical infrastructure — like wastewater, like energy — we really should not be where the buck stops.”
