Community clinics have been a staple of professional education for decades: think of law students, with guidance from their professors, shepherding survivors of domestic abuse through the byzantine family law system or helping small businesses understand and navigate local zoning laws. Or dental students, under the watchful eye of their instructors, filling a child’s cavity or fitting a crown over the broken tooth of an unemployed adult.
The clinics help students develop practical knowledge and the skills they’ll need after earning their formal academic credentials, while providing vital services to people and organizations that need them—along the way helping their institutions serve their communities.
Welcome to a 21st-century incarnation of those offerings: cybersecurity clinics, in which students getting academic training in cybersecurity develop hands-on experience helping local businesses, nonprofit groups and government agencies prevent, defend against and respond to the growing threats of cybercrime and data breaches.
Centers have developed over the last few years at more than a dozen colleges and universities, and they joined forces in 2021 to form the Consortium of Cybersecurity Clinics. Last week, Google announced that it would provide $20 million to further the group’s goal of establishing at least one such clinic in all 50 states.
“These clinics are training the next generation of cybersecurity leaders,” Sundar Pichai, Google’s chief executive officer, said at an event last Thursday that featured U.S. representatives Joaquin Castro and Jay Obernolte, two college presidents, and students from several existing campus centers. “They provide hands-on cybersecurity training, propelling new talent into the profession, providing civic engagement and helping to defend underresourced organizations” from the growing threats that have roiled colleges, companies and major cities such as Baltimore and Dallas.
A Concept Emerges
Like many such collectives in higher education, the cybersecurity clinic movement developed initially through individual initiatives on campuses. The Citizen Clinic at the University of California, Berkeley, emerged out of the institution’s Center for Long-Term Cybersecurity, which sought to provide services for nonprofit groups at risk of politically motivated attacks (such as organizations that work on immigration, reproductive rights and the like).
At about the same time, a similar center arose at Massachusetts Institute of Technology out of its department of urban planning, focused on aiding small towns and municipalities. Over the next few years, numerous other centers cropped up on other campuses, often aimed at slightly different core constituents and missions.
They also had different reasons for getting started. Stillman College, a historically Black institution in Alabama, experienced a cyberattack in November 2017 that shut down the campus and forced it to operate manually for nearly nine months, Cynthia Warrick, its interim president, said at last week’s event.
The college did not have the technological resources to respond itself and could not afford the support offered by its insurer and the technology companies that provided its computing systems. Stillman ultimately rebuilt its technology systems with the help of the West Virginia Independent College Enterprise Consortium.
It started a cybersecurity program the following year with funding from the National Security Agency—“We couldn’t afford to be held hostage like that again in the future,” Warrick said—and has since started its own clinic to spread the wealth.
The Consortium Develops
Leaders of the various campus groups began meeting regularly to talk about their shared approaches and challenges—curricular approaches, prerequisites for student participants, how to structure their agreements with the organizations they help—and to encourage the creation of more such centers. In 2021, with support from the Public Interest Technology University Network, Newmark Philanthropies and others, they formed the Consortium of Cybersecurity Clinics.
The clinics in the consortium share many underlying practices, though they may approach them slightly differently, said Ann Cleaveland, director of Berkeley’s Center for Long-Term Cybersecurity and the consortium’s co-chair. All prequalify students to participate in the programs, perhaps by putting them through a four-week crash course (as at MIT) or by requiring them to pass an entry-level certification from the Computer Technology Industry Association (as at the University of Nevada at Las Vegas).
Students in the program typically spend the first third or half of a semester in classroom training. They get matched up with clients and typically work in teams to do threat modeling and vulnerability assessments, make recommendations on mitigating potential threats and patching systems, and conducting training.
Participants in the clinics typically have a mix of backgrounds, Cleaveland said. Many are technical, of course, but Berkeley’s clinic includes law students who can help a reproductive rights organization develop its privacy policy, for instance, while a student getting a degree in urban planning can bring subject-matter awareness to a city’s efforts to combat ransomware.
“Clinics are by nature interdisciplinary,” said Cleaveland, which is why working in teams is so important.
Corporate and Federal Fuel
Google’s announcement last week that it would pour $20 million into an effort to expand the reach of cybersecurity clinics represents a “transformative investment,” Cleaveland said. She said the Google funds should allow existing and new centers to strive for “academic independence” so they can “write their own destinies.”
Google’s investment is certainly self-interested; the company needs employees who are well trained in cybersecurity, and the many Google products depend on the safe and secure operation of the internet and the companies, organizations and individuals on the web.
But the funds are flowing through Google’s charitable arm, and the company is collaborating with colleges and universities on many fronts, including by offering its career certificates in numerous fields (including cybersecurity) through scores of colleges and universities.
“Google has been a longtime partner in helping us diversify the technology workforce and make sure our graduates are career-ready,” said James B. Milliken, chancellor of the University of Texas system, whose flagship campus in Austin has a cybersecurity clinic that is part of the national consortium. The UT system announced last year that its eight campuses would embed Google certificates into curricula to increase the career preparation of up to 10,000 students by 2030.
The Google funds will soon be complemented by what will be the first direct federal support for campus cybersecurity centers through the National Security Agency’s National Centers of Academic Excellence in Cybersecurity. “We’ve had so much momentum for these centers in the last few years,” said Cleaveland.