Rachael Cornejo was an undergraduate studying social sciences at UC Berkeley when she enrolled in Citizen Clinic, a course in the School of Information that trains students to provide digital security support to non-profit organizations. Today, Cornejo is a cybersecurity professional at a major company, helping global client organizations defend their networks against adversaries. “I would not have the career I have today if not for Citizen Clinic,” Cornejo says.
Cornejo is an example of how Citizen Clinic and other cybersecurity clinics are helping to bring diverse talent — including women and people of color — into the cybersecurity workforce. Following two semesters of helping clients — including a non-profit that supports reproductive rights — Cornejo wrote her thesis on cybersecurity for human rights defenders, and she built a cybersecurity tool — Security Evaluation Framework for OSINT Tools — that aims to help investigators understand their security needs. She also co-founded Rated Resilient (Rated R), a website that aims to “maximize resilience & self-care in the age of social media activism” and provides toolkits on viewing graphic content, mental health resources, and more.
On Monday, July 25, Cornejo spoke on a Virtual See Jane Salon, “How Media Can Influence Cybersafety and Open Careers for Women and Girls,” an event presented by the Geena Davis Institute on Gender in Media and funded by Craig Newmark Philanthropies that explored opportunities to elevate more girls and women into technology fields. Cornejo shared her experience at Citizen Clinic and her passion for supporting the digital security of nonprofits and human rights defenders pushing for social change.
“We live in a digital age, and digital security is (or should be) a human right,” Cornejo said. “Especially since we can be tracked and surveilled in real life and in the digital sphere. For example, journalists need to keep safe and secure while exposing injustices and traveling into conflict zones, so they are not tracked. The Center for Long-Term Cybersecurity is looking to build cybersecurity tools specifically for journalists, which requires a very different skillset from cyber practitioners than building tools for companies. I have been fortunate to participate in this important work.”
We spoke with Cornejo to hear more about her experience. (Responses have been edited for length and content.)
How did you get involved with Citizen Clinic?
My friend worked for both the Citizen Clinic and the Human Rights Center, and she gave a presentation about the importance of digital security as a woman and how we need to have more women and people of color doing security. She encouraged me to join the Citizen Clinic, even though I was an undergraduate working in the social sciences. She said, “You can do it anyway.”
I was working at the UC Berkeley Human Rights Center on digital investigations into human rights abuses, and I was teaching students how to do digital investigations of really sensitive topics, like bombings around the world. I thought, I can’t with good conscience do that without teaching them basic cybersecurity skills — so how do I then go and learn those cyber skills? It was through needing to deal with my own digital safety and wanting to be in a position where I could do that for others.
I went to an info session for Citizen Clinic and met the instructors, who were incredibly helpful and supportive. I was an interdisciplinary studies major, and because of the clinic, I ended up becoming a public-interest cybersecurity major. I wrote my thesis on designing security tools for human rights researchers.
What did you do with Citizen Clinic?
I was fortunate to work with a women’s reproductive rights client, which is incredible, given what’s happening right now. Citizen Clinic gave me a good understanding of the variety of threats that such organizations are facing, and I know that these threats are likely increasing. I feel lucky that I got an early look into that threat landscape and an understanding of it.
I worked in a team with two other women on a consulting team helping these organizations. We talked to their head of IT and did interviews with their staff members, and we did a risk assessment, figuring out what technical systems they were working with and thinking through the top threats affecting their organization as an abortion rights provider. We ran a whole bunch of threat scenarios. What are common cyberattacks that they might experience? Which attacks are likely, and which would have high business impact? We also prioritized all the different risks that we thought that they faced. We created scenarios and used adversary personas to think through who an adversary of this organization would be, what motives they could have, and how they could attack.
Then we crafted a series of recommendations for this organization to implement and wrote up a final report that included our assessment. Our final report was a prioritized set of recommendations to the IT department for them to improve their security. We wrote an organization-wide information security policy from scratch, with different policies for different roles in their organization. We turned our recommendations into a policy that they implemented, and we conducted a training for employees of the organization to teach them the security policies.
Citizen Clinic allowed me to work with a series of women mentors, one of whom was very strong in cybersecurity. Getting to talk one-on-one with her and having her give me feedback — and telling me that she came from liberal arts too and that I can do it because she did — was incredibly empowering, and I am so grateful.
In the second semester of Citizen Clinic, I participated in the advanced class, working with a smaller team to design a security tool for human rights researchers. It was a tool that evaluates the different risks of different security tools that human rights investigators use, and we created a prototype of a tool. We presented that at RightsCon, which is the world’s leading conference on human rights and technology, so we got real-time feedback on the tool from human rights defenders. The tool is still on the Citizen Clinic Cybersecurity Education website (citizenclinic.io).
What are the benefits of the Citizen Clinic’s work for the clients you worked with?
We were providing things that they were not able to access on their own. There’s a lot of fear that goes along with cybersecurity, especially if you’re dealing with a really emotional situation, like having extremists contacting you because you are an abortion rights provider. It can be really hard for organizations to figure out what protections are necessary versus what fear makes you do.
People think that cyber is much more technical than it is. I was surprised how just sitting down with an organization and helping them systematically prioritize their risks can get rid of so much of the fear and free up organizational capacity to actually address the issues. That’s why it’s really essential for people to go out and do the kind of pro bono cyber consulting work that Citizen Clinic is doing, because someone really needs to take the time to walk organizational leadership through that prioritization process, and help address the fear and help action to take place.
What were the benefits to you personally?
I would not have the career I have today if not for the Citizen Clinic. I would not have majored in public interest cybersecurity and gone on to have a cybersecurity career without the Citizen Clinic. It’s what got me interested in cyber. After Citizen Clinic, I got a cyber fellowship at an NGO, working on public-private partnerships between private industry and government. I would not have done that without the Clinic. The Clinic has completely defined the trajectory of my career.
I work in enterprise cybersecurity right now, with very large clients, and the entire process of what I do for work for these clients, who have websites with millions of users, is the same process that I used for Citizen Clinic, without any differences. That is amazing, because I came into the world of professional, enterprise-level cybersecurity already knowing how to do it. People at work told me, you’ve clearly done this before, you’re performing like someone who’s done this for three or four years. And all it took was a year at Citizen Clinic doing exactly the same work. Citizen Clinic has built a curriculum that truly mirrors the professional world and has been able to give us the professional skills to go out into the world and get it done.
What would you tell someone who’s curious about the Citizen Clinic about what they can expect to get out of it?
First, if you don’t have technical skills, it will teach you technical skills in a non-intimidating way, which I appreciated. The research fellows who ran the program were incredibly helpful and provided so many resources, and they took time to explain when I was asking the most basic questions. If you are someone like me who had been interested in how technical systems worked, but was always too intimidated by the classes at UC Berkeley that teach them, it was a really great way to learn some of that in a really inviting, collaborative atmosphere.
Second, I was not prepared for the lessons that I learned about the professional world. Because Citizen Clinic participants are consultants, they put a lot of emphasis on clients first. One of our first lectures was a consulting team coming in from PwC and explaining to us, this is how you run a meeting. This is how you show up professionally. This is how you do all the reporting and status updates in a professional environment. They put together a professional networking panel for us to meet a bunch of different cyber professionals who are associated with CLTC so we could learn about the field. Citizen Clinic really helped me delve into learning about the professional world, and I still use those skills every single day in my professional role.
Third, they do everything in a way that emphasizes intersectionality, and bringing in people who have historically been marginalized, melding cybersecurity with public service. We had lectures about the specific cyber threats facing marginalized communities, and we did a unit on resiliency and mental health and how to maintain your own mental health as you’re doing cybersecurity work, and also how to use your role as a cybersecurity consultant to ensure mental health for others.
I have given presentations on mental health and cyber, and I founded an organization called Rated Resilient that did a lot of resiliency and mental health and cyber work. We have resources on our website. I gave a lecture to cybersecurity professionals with 20 years of experience, and some of them said, wow, we have never encountered any discussion of mental health and cybersecurity, which was wild to me, because when I started learning about cyber, it was baked into the curriculum. That’s something Citizen Clinic is doing really amazing work on.
Tell us more about Rated Resilient.
It was started during the pandemic to give mental health resiliency advice to digital activists. I refer to the security triangle of physical security, digital security, and psychosocial security (or mental health), with the idea that you can’t have any of them without the others. Psychosocial security needs to be treated as an aspect of cyber in order for a cyber program to truly be helpful. Especially for the types of nonprofit clients that the clinic is taking on, it’s often about paranoia and fear and the constant threat of cyber attack, or the guilt if there is a cyber attack.
UC Berkeley students are invited to enroll in the Citizen Clinic Practicum, which is planning to work with a reproductive rights organization (and other clients) in Fall 2022.