Introduction to Public Interest Cybersecurity
Module 1, Introduction to Public Interest Cybersecurity, illuminates core themes of the course such as access to cybersecurity, the threat landscape, and the role of ethical considerations in guiding public-interest cybersecurity work. Ultimately, students should emerge from this module with a greater contextual understanding of what public interest cybersecurity work looks like and the implications of engaging in this work. Students should also understand the time commitment and responsibilities associated with successfully completing this course.
- Understand and explain public interest cybersecurity work
- Identify and understand barriers of civil society’s access to cybersecurity
- Understand and explain how Citizen Clinic supports politically targeted communities
- Identify how public interest cybersecurity has value to individuals, organizations, and society
- See readings for “Introduction to Public Interest Cybersecurity”
- Icebreaker activity. As this module will start off any clinic iteration, it is important that instructors establish an inclusive environment and the class starts to learn about one another. Icebreakers that avoid putting students “on the spot” or excluding them due to ability is key. While there are many good activities, we suggest achieving these goals:
- Learning preferred pronouns. (Note: Do not make this mandatory: if someone skips listing their pronouns, there may be a personal reason. Also, reassure the class that you realize that the pronouns shared on the first day may change and that students may prefer to use different pronouns in this context versus outside of the program.)
- Learning preferred names.
- Learning proper pronunciation of names.
- As an instructor, it is important that you model your requests for information. Share your pronouns and your reasons for teaching the course. Participate in any fun activities that you want your students to do - this exemplifies the nature of clinical learning.
Ask your students:
- What does work in the “public interest” mean? Who does it impact?
- What is “cybersecurity”?
- What about trolling, harassment, and disinformation?
- What is the “public interest”?
- Describe types of work or professions associated as public interest work.
- Describe how that work may be distinct from private sector or government work.
- Define civil society.
- Describe the history of public interest clinics in law and medicine, and the impact they’ve had on the field long term.
- Who has access to cybersecurity?
- Provide examples of enterprise expenses and other security costs:
- Examples from industry reports: “The average large enterprise spends $16.7 million annually on security software and the people who run it.”
- $160,000 per year on advanced threat protection (ATP) software.
- $44,000 per year on traditional or next-gen antivirus software.
- $30,000 per year on whitelisting/blacklisting solutions.
- $112,200 per year on detonation environments” (Source: Bromnum report: https://learn.bromium.com/rprt-hidden-costs.html)
- Security keys can be $50 a piece
- What about organizations that are “low risk”? IT investments will likely be lower priority than direct mission/impact expenses regardless of risk.
- Why do even “low risk” organizations need cybersecurity assistance?
- Who does public-interest cybersecurity work?
- Is this just a technical field? Why or why not?
- Why can’t governments do this work? Aren’t they responsible for citizen security?
- Provide diverse examples of practitioners in the field.
- What role does Citizen Clinic and other cybersecurity clinic programs have?
- Build greater capacity for technical assistance over long-term versus simply providing training.
- Much of civil society’s digital protection needs are not highly sophisticated but require time, people, and understanding of context.
- What Citizen Clinic is not: * Not a penetration testing lab. * Not a software development lab. * Not a cybersecurity law clinic.
- Program goals for students:
- Broadening: Introduced to broader aspects of cybersecurity.
- Deepening: Gain a deeper understanding of the digital safety needs and challenges for under-resourced civil society.
- Hands-on: Gain hands-on experience uncovering practical solutions to those cybersecurity challenges.
- Impact: Create positive change in the real-world by protecting civil society.
- Break students into small groups and discuss the similarities and differences of a public interest law clinic or a medical clinic program from a technology / cybersecurity clinic.
- Discussion groups should have students from different departments to engender cross-program conversations and illuminate key differences between fields. Depending on the size of the class, assign groups to compare or contrast either public interest law clinics or medical clinics with your clinic program.
- After some time in groups, have those groups share with the rest of the class.
- Key points to discuss:
- The creation of “public interest” professions
- Supervision by licensed, active professionals from outside the clinic
- Experiential learning
- Elements of scale: clients, students, workforce
- Institutional appreciation
- Prestige
- Long-term engagements
- High-impact cases versus student growth
- How does public-interest cybersecurity work have value for...
- Individuals?
- Organizations?
- Society?
- Students submit a brief explanation [no more than 1 page;] of (1) why they want to learn about public interest cybersecurity and (2) how they might apply their prior experience, skills, or past coursework to protect politically vulnerable organizations as defined in this report https://cltc.berkeley.edu/defendingpvos/ (Note: Our students do not learn about the identity of their partner organization until they have agreed to the Clinic Code of Conduct (see Module 2))