
The Cybersecurity Clinics Model: Cyber Volunteering to Safeguard Community Organizations

BSides Seattle · 2024 · 26:39 · 36 views · Published 2024-07
Category: Community
Style: Talk
About this talk
Shannon Pierson presents the cybersecurity clinics model, a university-based pro bono program that helps resource-strapped public interest organizations—nonprofits, local governments, utilities, and hospitals—strengthen their cyber defenses. The talk showcases case studies from 15 clinics across the country and highlights how student-led initiatives identify vulnerabilities, provide tailored guidance, and build the next generation of cybersecurity professionals while addressing critical infrastructure gaps.
Original YouTube description

Shannon Pierson

Many public interest organizations lack the resources for cybersecurity self-defense. These target-rich, resource-poor organizations and providers of critical infrastructure include nonprofits, state and local governments, small utilities, hospitals, and school districts. University-based cybersecurity clinics provide pro bono assistance to local and regional resource-strapped organizations, helping them develop long-term cybersecurity defense, increase their resilience, and expand their cyber security capacity. This session will highlight case studies of the impactful cyber volunteering work of 15 university-based cybersecurity clinics established across the country, as well as present valuable insights derived from assisting public interest organizations about their unique cybersecurity challenges. One major obstacle to improving the cybersecurity posture of these critical organizations is the severe lack of transparency and absence of publicly available data about the cyber intrusions they experience. This lack of openness not only erodes public trust in these institutions but also hinders the development of evidence-based strategic policies by lawmakers to bump up their security and allot them greater cybersecurity resources. The latter half of this session will spotlight some of the groundbreaking initiatives led by the academics leading the cybersecurity clinics to increase understanding of the cybersecurity challenges and needs of public service providers.
Transcript [en]

hi everyone um thank you so much for coming today um it's so good to be back in Washington state um I uh went to UDub uh and I lived in Seattle for five wonderful years I have so much love for the Pacific Northwest so being able to come up here right now I'm currently in the Bay Area but being able to come back is uh so special to me especially in the spring um and it's also wonderful to be back at Microsoft um I know that when I was an undergrad Microsoft created so many opportunities for me to get uh mentorship to come up here every month or so to meet with the mentor to kind of

get a perspective on like the security space um as well as to do Consulting projects with the Microsoft defending democracy program uh which can you hear me no nobody in no one can hear me is the microphone on for the camera oh okay sorry I'll I'll talk louder um uh so super super excited to be back at Microsoft um so grateful for the mentorship that I received here it helped me kind of get into um the public interest uh technology and public interest cyber security space uh and speaking of student opportunities today we're going to talk about a very um unique and impactful cyber volunteering program uh that is kind of taking root across the country uh where

students are getting the opportunity to help low resourced organizations uh bolster up their cyber security um through pro bono services so before I tell you more I'd like to introduce myself um my name is Shannon Pierson I uh work at the Center for Long-Term Cybersecurity at UC Berkeley uh we are a policy incubator um housed within UC Berkeley and we produce policy research that helps illuminate the implications of emerging technology for policy makers and for businesses uh our work focuses on a lot of different areas uh fostering techn sorry fostering uh transparency and accountability and AI Technologies um also establishing like International Norms uh in cyberspace for uh uh different state actors as well as like

developing public private Partnerships uh to increase our understanding of the cybersecurity challenges faced by public interest orgs um and to reallocate government resources to kind of closing those gaps um before joining UC Berkeley uh I spent a lot of time in trust and safety uh I was really uh where I kind of spent most of my time was helping social media platforms uh basically get the bad guys off of their platform terrorist organizations um also uh State and nation state actors kind of trying to influence users on the platform and uh I spent a stint at Meta and prior to that I've also spent a lot of uh time in like the DC policymaking space a variety

of different think tanks so that's a little bit about me uh at CLTC where we where my work kind of focuses is on public interest cyber security and our public interest cyber security initiative uh basically our mission in this initiative is to ensure that organizations that are serving the public good have access to cyber security um ensuring that they have the Ser like the the resources that they need to improve their cyber hygiene and to improve like their cyber Readiness um as they conduct their very important work to societies so uh who are the public interest orgs that I'm actually talking about uh who do we focus on uh we kind of focus on the

organizations that are like the backbone that build up the backbone of our communities and kind of blur into the background so like the small utilities that make sure that the lights stay on or uh the Water keeps running uh the healthcare organizations and like the Emergency Medical Services that ensure that you get life-saving care when you need it also the nonprofits that provide like food shelter drug treatment um job opportunities to like the unhoused members of our communities uh these organizations play indispensable roles in our societies and uh but however they don't often have the cyber security protections that they desperately need they have they they face the same kinds of threats as like businesses and other

organizations uh however they have fewer resources to defend themselves and when things go wrong uh it can be particularly uh devastating for the people who rely on the services that they provide so these organizations often operate on shoestring budgets most of the money that they have they put into fulfilling their Mission some don't even pay their employees they operate off of uh like volunteers that are volunteering their time uh so they definitely don't have a lot of money to invest in cyber security uh this makes these organizations very easy targets for cyber criminals they don't have a lot of IT or cyber security professionals like employed by them so there's like often times zero knowledge of how this could

like be relevant to their organization so they're often very vulnerable to scams different kinds of cyber attacks um which can disrupt their operations for long periods of time and there are just some organizations where downtime is simply not an option uh so especially for like hospitals um if they experience a uh like a cyber incident or like a ransomware attack um it can disrupt like their emergency services so they may have to start like diverting ambulances to other hospitals which results in like longer wait times and can have an impact on patient mortality uh they also have to like cancel surgeries they have to um uh it just results in delayed and degraded patient care so there are huge

implications for these organizations not having the resources that they need so suffice it to say um there's an urgent need for cyber security uh support for these public interest organizations so today I'm going to tell you about who is making a difference in this area uh fortunately there is a uh growing number of universities and an army of students that are stepping up to help bridge this cyber security resource Gap um and it and it's called cyber security clinics so uh for those who are familiar um medical schools for decades have operated clinics for their students so students who are PR like preparing to become doctors offer pro bono services to people who can't afford healthcare

so that they can receive treatment while they build up their skills and uh like basically gain experience uh in their Clinic uh clinician discipline so five years ago Berkeley decided to take this Clinic model and apply it to the field of cyber security uh this was like the first of its kinds creating a cyber security like help Clinic um it had never been done before and basically students are uh join a class and they provide pro bono cyber security services to different uh nonprofits so the goal is twofold uh it's to help students get experience working with clients uh and to that they can like sell after graduation to help get jobs and then also to help these

organizations that don't have the budgets uh to afford this kind of like Hands-On assistance uh help them have a better cyber security posture so it's a 12-week course at UC Berkeley um for the first six weeks students receive like technical cyber security training uh it's kind of a crash course because many of uh these students uh are coming from our like Masters in cyber security program but also it involves people from uh public policy as well as like political science it's kind of like multi multidisciplinary so they undergo like a big uh like they they basically get a crash course in cyber security uh where they like learn how to perform threat modeling um they learn how to design like security

training and also the organizations that Berkeley focuses on uh it's basically a lot of our students focus on uh doing like open source intelligence research to gain information to see like what information is online about the people who work there so they also like learn how to like hide online how to like cover their tracks create aliases all that kind of thing so Citizen Clinic is what it's called at UC Berkeley uh they focus on helping a particular type of nonprofit so usually it's the organizations that are facing like politically motivated threats so they're engaged in work that uh is uh politically sensitive they may be targeted by state and non-state actors that may be very powerful so um

we have we've helped organizations that document like war crimes uh assist refugees who are fleeing um also notably we the the students once helped a uh like a nonprofit that focused it focused on investigating like transnational human trafficking rings and it just put in danger the volunteers there as they're kind of trying to like investigate um so trying to figure out how to uh improve their cybersec practices to protect those individuals uh is very important and one example that I'd like to highlight for you just because it's very timely is UC Berkeley has also helped women's Reproductive Rights work organizations so uh a group of students helped um I won't give a name just to preserve the privacy but uh

one of these organizations in the Berkeley area this organization had received a lot of harassment um understandably so a lot of threats of like data breaches of patient data of individuals of like uh the clinicians who work their data um different kinds of medical records were being threatened to be released um and in this legal environment that could be extremely uh from a harassment perspective but also from a legal perspective could be very bad for the for the patients and also for the doctors who work there so um students basically oh sorry uh students basically uh met with the uh with the organizers of this group uh for six weeks um in person and like virtual

meetings trying to understand uh their their mission first of all also the assets that they have their information management practices um and uh to basically provide tailored advice in the form of a report on how they can improve uh their uh just like their cyber security posture so the students identified like vulnerabilities and um like how they in their data storage platform um and they like this organization didn't even have MFA implemented so it's like very basic stuff but it's also very helpful because this organization is not thinking about cyber security and needs a group of people to like kind of hold their hand offer tailored advice for free um to close those vulnerabilities so thankfully UC

Berkeley is not the only organization doing this um we have kind of started a movement started at UC Berkeley but now it's kind of growing across the country um different universities have gotten very excited about the the opportunity to host a clinic um and it's just created some really interesting Dynamic spaces some cases student-led so uh at the University of uh Nevada Las Vegas uh this is probably my favorite Clinic because uh it's entirely student-led um as you know like small businesses often don't invest in cyber security often are the target uh targets of attacks and uh it could be really financially devastating if they get hit right uh they could they could no longer be able

to like run their business so UNLV focuses on it and they operate a year-long club so it's not like a class it's like a club that um students are running and this enables them to work with multiple clients over the course of many years and to slowly but surely build their experiences um working with clients understanding what the issues that they have they kind of provide the same stuff that cyber that uh that UC Berkeley provides in its Clinic um they're a little bit more like keyboard heavy um and it's it's mostly like people who are in cyber security PhD programs and things like that um but students get a lot from this like they get cert cyber security

certifications they conduct site visits and like really get to know like the the owners of these businesses uh to understand their cyber security problems and uh this is uh one of the clients that they helped was uh a Guam like a Guam native Guam native Guam restaurant uh called Red Rice uh it's a family-run business and this uh this student Christian basically was like in the entrepreneurship at UNLV heard about these Services knew that his parents had never thought about like the cybersecurity vulnerabilities in their business uh reached out to the clinic and they identified a lot of vulnerabilities in the POS system and kind of walked them through how to close those vulnerabilities and gave them like cyber

security tailored education and what I love about this Clinic is that the students are so involved like they've created like an internal portal um that helps students track their hours they've developed their own cyber security trainings that like they make for their um for the people who are part of the club they have a podcast they're amazing um and this is the last Clinic I'll show you this is at Indiana University this Clinic focuses on um helping organizations that are a part of like critical infrastructure uh in the Midwest uh bolster their cyber security so they focus on like towns counties cities uh and some of the students focused on helping the fire department local to uh their school

this was interesting because basically the fire department was interested in like understanding like what do we do if our communication systems fail um and that can have an impact on their ability to quickly get to uh like to dispatch to a fire uh minutes really matter for their work so uh basically the team helped them develop like a a comprehensive plan for communication when systems fail to like Implement multiple backups of the dispatch tracking system and they conducted like a risk assessment of all of the different um like uh all of the Departments like systems and who has access because this was something the fire department like never thought about before so sorry I'm talking very fast uh

these University based clinics are a part of a larger Network as I said before known as the Consortium so all of these clinics uh meet online monthly and they talk about what they're doing how they develop their curriculum they talk about uh how do you find clients like how do you get people how do you like build trust and like actually find the organizations in the community to like one care about this issue and then two be that vulnerable to like share all this information with people who are learning so uh it's a great um movement and it's really growing um over the past five years uh over the past 5 years it's grown to Encompass 15 different Clinic

uh uh locations across nine different States uh we're hoping to have 20 clinics uh in uh by 2025 and the ultimate goal is to have a clinic in every single state notably there is uh no clinic in Washington State uh I I think that there the communities here would definitely benefit from having a clinic and definitely the students as well um and who are these clinics helping every different uh Clinic has a different focus and helps different people um largely like over half of who we help are nonprofits but we also help local government um Local Schools uh Healthcare organizations and small businesses and 880 students have benefited from this program Nationwide um it's growing exponentially um we had

we've trained we trained 150% more students like we bumped up our participation by 150% uh last year which was huge for us um it's also super exciting because clinics are expanding internationally so uh Google gave us a large Grant um to we gave different clinics a large Grant to start launch clinics at European universities that are like doing the same thing in like the native language of the countries uh so it's growing internationally too which is very exciting so to take it a step further um the like the leaders the like the academics that are leading these clinics are uh kind of taking it a step further because now they have a really good like data set and understanding of

like the the problems that these like uh public interest organizations are struggling with and they want to kind of take it into the policy realm so that at the government level uh we can get them more resources that like actually address their needs so that they can improve their cyber security posture so I'm going to highlight to you just two uh different kinds of research initiatives that are happening from the academics leading the clinics so for the for the clinic that was helping the fire department Indiana University um they now are since they focus on like counties and cities and towns they have decided to do uh cyber security assessments for basically like cities counties and

towns all across the state so they basically have developed like a they they conduct like interviews they also have developed like a uh like a like a questionnaire that is very comprehensive and they spend about 30 hours kind of developing a report that's tailored to like what are those cybersecurity vulnerabilities of that specific uh city or town um and they are now doing that for they're trying to do over 300 by 2026 and what that enables them to do is to write to basically like identify Trends across all these different organizations uh to understand what the vulnerabilities are and like what government can do in terms of funding in terms of like mandating different cyber

security requirements it kind of gives them a high level overview of where are the gaps especially for like cities and towns often don't hire like don't have a ton of tech Talent there um and don't have a lot of knowledge of why this is important they're very analog often times so uh definitely uh is a helpful thing and then at UC Berkeley we launched a project called uh CyberCAN, Cybersecurity for Cities and Nonprofits basically uh since we focus on nonprofits at UC Berkeley uh we were curious about like what are the problems that nonprofits in San Francisco what like what what are they struggling with uh so we hosted a workshop and invited

these nonprofits to come and we asked them like what kinds of like what are your experiences like what are you struggling with do you think about cyber security and we were really surprised to see that many of them um like are victims of like it it's always very financially devastating for them they like especially like with GI gifts gift card scams phishing scams very basic stuff but they came to this meeting saying like we just what we can't invest in cyber security also we found out through those conversations that um with City Grants um they cannot use City Grants to pay for cyber security so that was kind of really interesting to the city and we're like oh like we should

learn more so we worked with the city to develop a survey to ask them like why like first of all like what incidents are you experiencing what would be helpful and some people say funding but other people say like just like an IT helpline would be helpful or Hands-On cyber security like Consulting Services kind of like what's offered at the clinics um things like that uh and to understand their preferences uh so that the city and we're going to help the city create a report so that they understand how to like allocate different resources and how to change their policies to assist so that was a mouthful but I want to kind of bring it back to like why does

this matter for uh like industry professionals such as yourselves like what can you do to help public interest cyber security how can you help the cyber security clinics um I understand that many of you work at companies and that have employee giving programs where you're able to give your time or you're able to uh like get a match for phones uh funds donated or you're able to donate equipment I would just say that the cyber security clinics are really unique because you can kind of kill two birds with one stone you can help the train up the next generation of uh like of cyber civil Defenders you can also uh help the organizations in your community

that are struggling um so one way that you can support kind of the growth of clinics is reaching out to your alma maters uh and asking like why don't you have a cyber security Clinic maybe also reaching out to your old mentors um in the cyber security um like programs that you guys receive training in uh to ask if they would be interested in maybe starting one up uh if you're interested also in like teaching I know that uh at some of these organizations or sorry at some of these clinics uh while it often is faculty-led or student-led um having industry professionals like help teach the course or come and like give their expertise

and kind of like share with the students as an option um so there are a lot of opportunities here for uh for you guys to get involved if you're interested and if you're thinking about like monetary donations um the Consortium has received a lot of generous support from uh the likes of Craig Newmark um through Craig Newmark Philanthropies like the founder of Craigslist as well as Google that has enabled us to fund the creation and the expansion of clinics uh across the country and I'm super happy to talk with anybody else who uh is interested in learning more about that and how you can give or how you can give your time um but I really

appreciate your attention today and I'm super uh willing to answer any questions that you may have so thank [Applause] you uh so this is something I've always wanted to do just volunteer my time every or every employer I've ever worked for has almost a a very restrictive I guess protect for intellectual property about what I can do outside of work um have you run into that where people want to volunteer but they can't because you know their their company claims no you can't do anything technical outside of work because we're terrified and if you have strategies around that because that's something I've run into for years multiple employers yeah that's a great question um I think that this might operate as

like a workaround because you're helping students be able to volunteer um there's at least for the cybersecurity clinics if you're not a it's usually for students to do the volunteering but if you're teaching a course that might be a way for you to kind of make the argument of like I'm not really doing anything Hands-On I'm just managing the relationship between the client and the students and the students are doing the work not me and then you're just kind of like evaluating what the students did so that might be an like a helpful workaround um for you uh with that yeah uh just add on to this um I think there's some bills being passed that are

going to get rid of non for private so work for a company and you're not at executive level I think the requirements are to be executive you got to get paid more than 150 and actually a policy maker if we don't fit within um having those two requirements then organizations are not allowed to p so it might get hopefully how do you me liability liability yes so if something's not taken care of it should have been taken care of the first time or if you actually introduce more vulnerabilities into environment how is that yeah um the it depends on the framework of the different clinics so like at UC Berkeley's it's more of a we we aren't

really implementing anything on their behalf we're producing like a big uh report of recommendations that the organization can uh decide whether or not to implement uh in terms of like creating new vulnerabilities by suggesting Solutions a lot of these clinics are like uh I guess for like quality assurance purposes like uh are run by cyber security professors that are helping students kind of think about uh the potential implications of what they're suggesting it's not just a student being like I think this is a good idea putting it into paper it's like it goes through a lot of different revisions and a lot of different uh uh like approval processes I I'm sure that it's not uh

foolproof but that is kind of our process for ensuring that liability uh like we aren't making things worse I guess thank you so much I am that jerk that's going to interrupt the question because I want to make sure that I don't get in trouble by keeping this running so Shannon amazing talk [Applause]