Fall 2019
Info 289. Public Interest Cybersecurity: The Citizen Clinic Practicum.
Fall 2019.

Course Description.

For individuals and organizations involved in political advocacy, cybersecurity threats are an increasingly common reality of operating in the digital world. Civil society has always been under attack from ideological, political, and governmental opponents who seek to silence dissenting opinions, but the widespread adoption of connected technologies by the individuals and organizations that make up civil society creates a new class of vulnerabilities.
Citizen Clinic at the Center for Long-Term Cybersecurity provides students with real-world experience assisting politically vulnerable organizations and persons around the world to develop and implement sound cybersecurity practices. Clinic students will participate in both a classroom and clinic component. In the classroom, students will study the basic theories and practices of digital security, the intricacies of protecting largely under-resourced organizations, and the tools needed to manage risk in complex political, sociological, legal, and ethical contexts. In the clinic component, students will work in teams supervised by the Clinic staff to provide direct cybersecurity assistance to civil society organizations. Students’ clinic responsibilities will include learning about an organization’s mission and context, assessing its vulnerabilities, and ultimately recommending and implementing mitigations to the identified security risks. The emphasis will be on pragmatic, workable solutions that take into account the unique operational needs of each partner organization.Weekly lectures will provide students with the background information and tools they will need to engage with partners. Coursework will focus on partner-facing, hands-on projects. Students will be expected to work an average of 12 hours per week, although the distribution of this workload may fluctuate based upon the availability and needs of the partner.
In the first half of the semester, class meetings will be a mix of lectures & discussions with more technical & project-oriented labs. In the second half of the semester, these class times will be reserved for work with the teaching team and check-ins tailored to the specific needs of your partner organization.
Note: This schedule is tentative and may be adjusted - assignment dates may change, additional readings may be assigned, speakers/lectures may be shuffled, etc. The teaching team will announce when changes are made.

Week 1: Introduction / What is Public-Interest Cybersecurity?

Wednesday 8/28:
Introduction to Public Interest Cybersecurity: We will introduce the content and methods of the course, answer your questions, and everyone will introduce themselves to one another.
  • Due Friday 8/30 11:59PM: Submit application materials to enroll in this course. You will be notified of your enrollment status prior to the next class meeting on September 4th.
  • Due Wednesday 9/4 before class: Read pages 7 - 21 & 48 - 52 of “An Introduction to Cybersecurity Ethics” (Shannon Vallor, The Markkula Center for Applied Ethics) [https://www.scu.edu/media/ethics-center/technology-ethics/IntroToCybersecurityEthics.pdf] Prepare answers to questions on pages 15 - 17 and page 53 for in-class discussion.
Read (by end of week):

Week 2: Code of Conduct and Ethics in Cybersecurity

Monday 9/2: No class.
Wednesday 9/4:
Ethics and “Rules of the Road”:
  • Citizen Clinic Code of Conduct.
  • Ethical Considerations.
  • Security Response Plan.
  • Partner Overview
  • Personal Communications setup and equipment issue
  • Due 9/4 before class: Prepare answers to questions on pages 15 - 17 and page 53 of “Intro to Cybersecurity Ethics” for in-class discussion. [Individual]
  • Due 9/4 In-Class: Code of Conduct Signed [Individual]
Read (by end of week):

Week 3: Integrating Outside Expertise within Civil Society Organizations

Monday 9/9:
  • Problem diagnosis and reframing - Deloitte
Wednesday 9/11:
  • Strategies for effective meetings - PWC
  • Due 9/8 11:59PM: Equipment Setup & Partner Preference Submitted [Individual]
  • Due 9/15 11:59PM: Collaborative Plan [Team]
  • Due 9/13 6:00PM: Partner Communications Established [Team]
Read (by end of week):

Week 4: Understanding Threats to Civil Society Organizations

Monday 9/16:
Threat Modeling & Bounding Risk Assessments
Wednesday 9/18:
  • Bill Marczak, “Digital Surveillance of PVOs - The Threat Landscape”
Read (by end of week):

Week 5: Contextual Research and OSINT Collection

Monday 9/23:
  • Contextual Factors and Frameworks
Wednesday 9/25:
  • Open Source Research Methods, Safety, and Tools
  • Burner Profiles w/ Raj
Read (by end of week):

Week 6: Threat Scenario Development

Monday 9/30:
  • Adversary Persona Development
Wednesday 10/2:
  • Threat Scenario Development
  • “How to Hack”: Capture the Flag Activity
Read (by end of week):

Week 7: Changing Security Behaviors

Monday 10/7:
  • Phishing from Context; Phishing Simulators (Raj)
Wednesday 10/9:
  • Steve Weber, “Changing Behaviors within PVOs” (Cancelled to Power Outage)
  • Due 10/11 6:00PM Draft Work Plan and Partner Report [Team]
  • Due 10/13 11:59PM Team Evaluation 1 [Individual]
Read (by end of week):

Week 8: Threat Tactics and Techniques

Monday, 10/14:
  • Bill Marczak, “Technical Investigations and Techniques”
Wednesday, 10/16:
  • Midterm Project Presentations
  • 10/18 6:00 PM: Work Plan and Partner Report to Partner [Team]
  • 10/20 11:59 PM: Phishing Simulation Plan and Test
Read (by end of week):

Week 9: Beyond Hacking -- Disinformation and Harassment

Monday, 10/21:
  • Organizational Risks of Harmful Information
Wednesday, 10/23:
  • Mitigations for the Risks of Harmful Information
Read (by end of week):

Week 10: Security Control Selection

Monday, 10/28:
  • Studying and Evaluating Security Tools
Wednesday, 10/30:
  • “Being a Good Security Educator” (Cancelled due to Power Outage)
Read (by end of week):

Week 11: Additional Topics

Monday, 11/4: Clinic Core Hours
  • “Clinic Core Hours” refers to the required student attendance of official class meeting hours between 1:30PM and 3:30PM that will be reserved for instruction specific to partner needs, feedback and guidance from the teaching team, and ad-hoc lectures. Every Monday (unless there’s a holiday), each team will have a 20-minute check-in with the teaching team. Each team member will provide a ~5 minute update on the progress of their assigned partner work.
Wednesday, 11/6:
  • Psychosocial Resiliency & Trauma, Andrea Lampros & Gisela Perez de Acha
  • 11/5 11:59PM: Phishing / OSINT Analysis Report [Team] (Optional)

Week 12: Clinic Work

Monday, 11/11: No class.
Wednesday, 11/13: Clinic Core Hours / Team Check-in

Week 13: Clinic Work

Monday, 11/18: Clinic Core Hours / Team Check-in
Wednesday, 11/20: Clinic Core Hours

Week 14: Clinic Work

Monday, 11/25: Clinic Core Hours / Team Check-in
Wednesday, 11/27: No Class
  • 12/1 11:59PM: Final Partner Report (for Teaching Team Review) [Team]

Week 15: Clinic Work

Monday, 12/2: Clinic Core Hours / Team Check-in
Wednesday, 12/4: Clinic Core Hours / Final Report Feedback

Week 16 (RRR): Wrap-up & Project Presentations

Monday, 12/9 - Course Wrap-up:
  • Feedback on deliverables, submit all final deliverables.
Wednesday, 12/11 - Project Presentations:
  • 12/9 6:00PM: Final Partner Report (to Partner) [Team]
  • 12/10 11:59PM: Project Presentations [Team]
  • 12/15 11:59PM: Final Individual Write-up [Individual]
  • 12/15 11:59PM: Team Evaluation 2 [Individual]

Course policies

This is a 4-unit class. Coursework will primarily focus on partner-facing projects while weekly lectures will be used to inform and engage with students’ hands-on experiences. Students are expected to work an average of 12 hours per week on this course, however the distribution of this workload may fluctuate based on the availability and needs of the partner.
Assignments will largely be evaluated on the following rubric that emphasizes (1) sound rationale in assessments, recommendations, and reflections, (2) “partner-ready” work products which reflect professional quality, and (3) completing the instructions of the assignment or the requirements agreed upon work plan with the partner.
General Grading Rubric.
0 points
5 points
10 points
Does not meet partner needs, introduces serious harms to partner, shows limited or inappropriate consideration for context
Addresses most of partner needs, some oversight of potential harms to partner, mostly appropriate for given context.
All partner needs are met, feasible & effective rationale that addresses all major threats, appropriate for given context.
Hard to understand, full of jargon, serious writing/format errors present, tone / design unsuitable for its audience
Writing is mostly understandable; minor writing/format errors (typos), mostly appropriate tone / design
“partner-ready,” clear and concise writing, almost no writing/formatting errors, appropriate tone & design for its audience
Some requirements in assignment or work plan not met; no insights or connections to readings/lectures; for group work: no evidence of group work
Most requirements met, some evidence for connections with readings/lectures; for group work: some evidence of group work
All requirements met, with clear, thoughtful insights and multiple cited connections to relevant readings/lectures; for group work: full evidence of strong, equitable collaboration
Note: Students taking the course for P/NP or S/U are expected to participate in classes and complete all work to the same level of quality as students taking the course for a letter grade.
1. Partner Deliverables - 60%
The largest portion of graded evaluation will be based upon your team’s work and support for its assigned partner. These deliverables may include assessments, recommendations, and guides, each tailored towards the partner’s needs. Each team will also deliver a final report summarizing work performed with their partner.
2. Individual Assignments - 10%
Two individual assignments will be given:
  • Discussion Topic Leader (5%): Each student will sign up to be a discussion leader for select lectures. That student will be expected to generate interesting questions and guide class conversation around that week’s assigned readings and lecture topic. You will also be expected to locate and share at least one news article about a recent, current event relevant to that discussion.
  • Community Office Hours (5%): Students, in pairs, will sign up to hold a single two hour-block of “office hours” to advise and assist the security practice of various cross-campus partners conducting politically-sensitive work. Those students will consider the partner’s needs and threat model, make recommendations, and reachback for support as needed.
3. Final Individual Write-Up - 10%
We want students to be able to discuss and share their experience in the course with others, including future employers. We also want our partners to remain confidential and protected. This being said, each student will submit a write-up of work performed and takeaways with sensitive information removed. The teaching team will review to ensure your experience is captured in an effective & safe manner.
4. Participation - 10%
You are expected to attend each official class meeting and contribute substantially to class discussions. While you may not be able to attend every team meeting and partner engagement outside of normal class hours, you are expected to attend and contribute to your team’s effort as often as possible. Absences from class meetings (including Clinic Core Hours) should be excused by the teaching team in advance. Not showing up to team check-ins will also negatively impact this grade. As a rule, two people from your team must attend any partner meeting or call.
5. Team Evaluations - 10%
If there are difficulties with any team member, discuss the matter within your team and seek resolution. If you cannot resolve the problem, immediately contact any faculty member, so that we can make an appointment to discuss the situation individually or with the entire group as needed. Throughout the course, you will submit confidential evaluation forms which ask you to evaluate the contributions of each team member including yourself. Your final course grade will be adjusted, higher or lower, if you are contributing more or less than those within your group.
Late assignments.
As we want to respect the time of our partners and ensure a high level of quality control (the teaching team will review deliverables before it reaches the partner), we expect students to adhere to timelines and due dates. Each day an assignment is late will result in a letter grade deduction. Recognizing that emergencies arise and partners may require schedule adjustments, exceptions will be made on a case-by-case basis.
Code of Conduct.
Each student enrolled in the course must agree in writing to the Citizen Clinic’s Code of Conduct (to be distributed) for maintaining a safe and secure learning experience and partner relationship. This Code of Conduct will be respected by all students, the teaching team, and CLTC staff and it is the responsibility of all personnel to report possible violations of the Code of Conduct to the teaching team.
Additionally, we expect all students to abide by the Berkeley Student Code of Conduct (see https://sa.berkeley.edu/student-code-of-conduct) and act with honesty, integrity, and respect for others. (See also https://diversity.berkeley.edu/principles-community). The consequences for failing to act within these standards may include failing an assignment, a referral to the Center for Student Conduct and Community Standards, a failed grade in the course, and even immediate expulsion. A note on plagiarism: even in the scope of providing a partner with a walkthrough for securing a certain account or system, you are expected not to copy material from another guide, website, article or book (word-for-word or paraphrased) without citing the source - it’s a small community and we should give credit where it is due. Other examples of unacceptable conduct include turning in deliverables created by students not currently in the course, work found on the Internet, or created by a commercial service.
Disability Accommodation.
If you need disability-related accommodations in this class, if you have emergency medical information you wish to share with us, or if you need special arrangements in case the building must be evacuated, please inform us as soon as possible.
Copy link