This piece was originally featured in Berkeley News on February 7, 2024.
Like many nonprofits, the Traverse Project, a Houston, Texas-based organization that conducts transnational investigations to identify perpetrators of sex trafficking and child exploitation, has limited resources for digital security. Unfortunately, its volunteers operate almost entirely online and face a constant threat of retribution from the criminals they investigate.
“I’m like a startup CEO,” said Austin Shamlin, the project’s founder and chief executive officer. “I wear about 10 different hats, and we have to have policies in place to ensure that the investigations don’t get corrupted and that my volunteers don’t get identified. I don’t really have time to sit down and create those kinds of policies.”
Enter Citizen Clinic, UC Berkeley’s cybersecurity clinic, a semester-long course offered in both fall and spring at the School of Information that’s open to students across campus. Like Berkeley’s clinics in law and medicine, Citizen Clinic gives students hands-on training and experience as they deliver pro bono digital security assistance to nonprofits and other public interest organizations.
Last semester, a team of seven students assisted the Traverse Project, including by helping the organization’s volunteers remain anonymous to protect themselves and their families from sex traffickers, who in some cases are powerful and well-connected criminals.
“The farther we go up the chain of command in tracking a trafficking network, the more we’re likely to get to wealthy people or corrupt governments who have access to intelligence tools or products that they could use to start tracking my analysts,” Shamlin said. “These folks are very powerful in a lot of countries, so it’s important for our volunteers to stay very anonymous.
“The Berkeley students are helping us come up with policies and tools that we can use to mitigate some of that risk. They’re taking a huge task off my plate. To have these super-intelligent young professionals come in and provide their assistance to our nonprofit, it’s game-changing.”
Cybersecurity in the public interest
Supporting small, vulnerable organizations like the Traverse Project is directly in line with the mission of Citizen Clinic, launched in 2018 by the UC Berkeley Center for Long-Term Cybersecurity (CLTC) at the School of Information. Nearly every semester since the program’s inception, the clinic’s student teams have provided digital security assistance to diverse nonprofits in the U.S. and around the world that range from a Central American organization that helps migrants fleeing members of organized crime enterprises to a nonprofit supporting Indigenous communities in Asia threatened by powerful Chinese fishing conglomerates. These nonprofit clients all depend on electronic tools and devices to carry out their work, but have limited staffing or financial resources to protect themselves from digital threats, whether from armies of online harassers or powerful governments.
This semester, the Citizen Clinic course comprises two sections: one online, the other in-person. While clients for this group of students have yet to be determined, they will be underresourced organizations with vital social missions.
“Many nonprofits provide critical community services, but often don’t have the staff, knowledge or time to protect themselves from common cyberthreats,” said Sarah Powazek, program director of public interest cybersecurity at CLTC. “Students at the Citizen Clinic help them understand and prioritize their digital needs in a very human, one-on-one capacity.”
Berkeley pioneered the cybersecurity clinic concept and has helped lead the expansion of the model to other universities, including by co-founding the Consortium of Cybersecurity Clinics, which provides support resources to help other institutions get their cybersecurity clinics off the ground. Such clinics were part of the Biden administration’s recently released 2023 National Cyber Workforce and Education Strategy, and the cybersecurity clinic model has caught the attention of a growing number of philanthropists who recognize the importance of securing civil infrastructure and public interest organizations from cyberattacks.
Craig Newmark Philanthropies, the grant-making organization launched by the founder of craigslist, has pledged more than $2 million to date to support both Berkeley’s clinic and the formation of the consortium. In June, Google established a $20 million-plus Cybersecurity Clinics Fund that will help develop or launch 20 clinics nationwide by 2025, partnering with the consortium to grow the consortium’s membership, mentor new clinics, engage minority-serving institutions and community colleges, share teaching resources, and conduct research across the clinic network on best practices.
Google announced a first round of 10 grants to founding members of the consortium last October, including one that will support Berkeley’s Citizen Clinic program and double the number of its participating students over the next three years. Google’s second open call for cybersecurity clinic funds is currently accepting applications from colleges and universities nationwide for 10 grants of $1 million each, to be made for new clinics that will launch in 2024 and 2025.
Doing more with less
Cybersecurity clinics are a win-win because students have an opportunity to gain real-world experience while serving the public. “A course like Citizen Clinic brings a dedicated focus to organizations that are the bulwark of our civil society, but whose expertise is never going to be cybersecurity, so they’re very vulnerable,” said Saba Deyhim, a student who participated in the clinic while in the School of Information’s Master of Information and Cybersecurity program. “It’s an exciting way to engage my passion and also make practical what we’re learning. We help these organizations accomplish their mission.”
Given the sensitive nature of the work, the clinic’s leaders put in place strict protocols to protect the class and its clients. Approximately 30 students per semester receive weeks of training prior to engaging with clients; they learn to use privacy-focused web browsers like Tor and Brave and to hold conversations over the encrypted messaging app Signal or over Jitsi, an anonymous alternative to Zoom. The course also includes a unit on prioritizing mental health, an acknowledgment that the work can be emotionally taxing.
Students and their clients are anonymous in their interactions and never share their names or faces with each other. “We assume that many of our clients already have an adversary in their system,” said Berkeley lecturer Tiffany Rad, Citizen Clinic’s lead instructor.
Citizen Clinic teams do not directly work with their client organizations’ digital networks; rather, they conduct risk assessments to identify potential vulnerabilities, then provide basic training and make recommendations for low- or zero-cost solutions.
“Cybersecurity is expensive, and our clients often don’t have a budget to hire consultants,” Rad said. “We fill that niche and give them a plan that they can build upon over time. The students gain an understanding that a cybersecurity fix does not always have to be an expensive tool. It’s a lot more about training and policy, and more about listening than speaking. The students really learn how to communicate.”
This semester, the course’s in-person section — with about equal numbers of undergraduate and graduate students — is taught by a new instructor, Elijah Baucom, founder of Everyday Security, a company that provides cybersecurity assistance to nonprofits and social justice organizations.
“At the beginning of the semester, we’re teaching the students to develop personal risk assessments so they can see where they are out of alignment with best practices,” Baucom said. “We go over topics like password hygiene, multi-factor authentication and VPNs. We also talk about the differences between working with corporations and nonprofits, where you have to be able to connect with the mission at a deeper level.”
To date, Citizen Clinic has trained more than 165 students from over a dozen academic fields and served 17 nonprofit clients. Many of the program’s alumni now apply the skills they have learned in other sectors. Jonathan Layman works for a state government, where he helps counties with election security. These counties’ offices often have limited resources, but face the potential for both U.S.-based and international cyberattackers to disrupt their election systems.
“A big thing with Citizen Clinic is that we’re not taking over the client’s cybersecurity, we’re teaching them how to manage it themselves,” Layman said. “The small counties don’t necessarily want the state government coming over and taking over their operation. They need somebody who can teach them how to have a higher security posture and keep the mindset of security as part of their operations.”
Alumna Suprapti McTaggart, a cybersecurity professional, has chosen to continue her public interest work by often volunteering to help nonprofit organizations with digital security. “I can easily bill this type of work with a high hourly rate as a consultant, but these organizations don’t have that kind of funding,” McTaggart said. “Building my skills through Citizen Clinic was fulfilling and rewarding because the mission is helping people and organizations that are underfunded. We need more volunteers in cybersecurity.”
Cybersecurity clinics also are helping to fill the pipeline for cybersecurity talent: The 2023 (ISC)² Cybersecurity Workforce Study found that, while there are currently 5.5 million cybersecurity professionals worldwide, roughly 4 million more are needed to meet demand. These clinics are also helping to bring more students from diverse backgrounds into the field of cybersecurity, which currently is 21% female. Nearly half of Citizen Clinic’s roughly 170 alumni are women.
These clinics “are a powerful solution because they bring more people into cybersecurity — including women and people of color, who aren’t yet well-represented in the field — and develop both their technological know-how along with social, client-facing skills,” said Michael Makstman, the city of San Francisco’s chief information security officer, who learned about Berkeley’s clinic through its work with local nonprofits and now is working with CLTC on new research for those organizations’ cybersecurity needs. “I’m enthusiastic about sharing the successful model of cybersecurity clinics with CISOs (chief information security officers) in other cities and states across the counties across California.”
A sector under attack
The cybersecurity clinic model is expanding at an ideal time, as public interest organizations increasingly find themselves vulnerable to cyberattack. Ransomware attacks have crippled municipalities, school districts and hospitals across the country. For example, 80% of lower education providers and 79% of higher education providers reported that they were hit by ransomware in the last year, according to a survey by Sophos, a cybersecurity firm. And NGOs and think tanks are the second-most targeted sector globally for cyberattacks by national governments, according to Microsoft, second only to government-to-government cyber aggression.
“Threat actors are increasing in knowledge every day, because that’s what they do,” Baucom said. “But everyday people aren’t as focused on this, so the threat vectors are widening, and people are more susceptible to attacks.”
While other university clinics focus on helping local governments or other civic institutions, Berkeley’s clinic was designed to aid underresourced nonprofits and health care organizations at risk of politically motivated cyberattack. For example, the clinic has worked with several reproductive rights organizations, including the Women’s Options Center, a family planning clinic at San Francisco General Hospital that provides first- and second-trimester abortion care.
“We don’t have the time to be experts in IT, as well as experts in medicine and nursing,” said Alissa Perrucci, the center’s clinic manager. “The communities that want abortion to be illegal want patients to feel threatened, and they will throw resources at this, while we’re trying to serve clients and patients who come to us.”
During the fall 2022 semester, Berkeley students provided an array of services to the center’s staff. These included a pamphlet for patients on choosing which messaging apps, web browsers and menstrual period-tracking apps are most effective at protecting patients’ privacy — and which ones share users’ data with third parties that could be legally searched, if patients are coming from a state that outlaws abortion.
“We have to be on our toes, knowing all the tactics that the anti-abortion movement is willing to use to deprive people of their right to abortion,” Perrucci said. “What’s to stop authorities in a place where abortion has been banned from sucking up everyone’s data to see who has missed their period?”
Reproductive rights organizations realize the importance of digital security, but “have anxiety that they have to do it on top of their direct services work,” said Kate Bertash, director of the Digital Defense Fund, which helps support the digital security and technology needs of the American abortion access movement. “Medical providers are often targeted by phishing attacks and malware, and all nonprofits tend to be targeted by scams and financially motivated threats. But the vast majority of the organizations we work with do not have anyone on staff designated for IT services.”
The Citizen Clinic student team also conducted a risk assessment to help Women’s Options Center staff members identify their potential exposure online. One student scoured the internet, including the deep web, or invisible web, the parts of the World Wide Web not indexed by standard search engines, to document what personal information could be found about the health clinic’s staff members and their families. She found details about one of the physicians on a forum dedicated to exposing abortion providers. “It was a wake-up call,” Perrucci said.
In the end, the students’ efforts brought peace of mind to the health clinic’s staff. “Prior to the intervention, one of the center’s staff had always used a flip phone, assuming that using a smartphone would put her too much at risk,” Deyhim said. “After helping her understand all the issues and the risks, she ended up getting a smartphone. She understood what was within her control and how to manage her own safety in the digital space.”