Syllabus

Course description

For individuals and organizations involved in political advocacy, cybersecurity threats are an increasingly common reality of operating in the digital world. Civil society has always been under attack from ideological, political, and governmental opponents who seek to silence dissenting opinions, but the widespread adoption of connected technologies by the individuals and organizations that make up civil society creates a new class of vulnerabilities.

Citizen Clinic at the Center for Long-Term Cybersecurity provides students with real-world experience assisting politically vulnerable organizations and persons around the world to develop and implement sound cybersecurity practices. Clinic students will participate in both a classroom and clinic component. In the classroom, students will study the basic theories and practices of digital security, the intricacies of protecting largely under-resourced organizations, and the tools needed to manage risk in complex political, sociological, legal, and ethical contexts. In the clinic component, students will work in teams supervised by the Clinic staff to provide direct cybersecurity assistance to civil society organizations. Students’ clinic responsibilities will include learning about an organization’s mission and context, assessing its vulnerabilities, and ultimately recommending and implementing mitigations to the identified security risks. The emphasis will be on pragmatic, workable solutions that take into account the unique operational needs of each partner organization. Weekly lectures will provide students with the background information and tools they will need to engage with partners. Coursework will focus on partner-facing, hands-on projects. Students will be expected to work an average of 10 hours per week, although the distribution of this workload may fluctuate based upon the availability and needs of the partner.

Schedule

In the first half of the semester, class meetings will be a mix of lectures & discussions with project-oriented workshops. In the second half of the semester, these class times will be reserved for work with the teaching team and check-ins tailored to the specific needs of your partner organization.

Most assignments (some exceptions) are listed with a due date on the Sunday at 11:59 PM (Pacific). Readings are to be completed by the end of the week in preparation for the next week’s lectures.

Note: This schedule is tentative and may be adjusted - assignment dates may change, additional readings may be assigned, speakers/lectures may be shuffled, etc. The teaching team will announce when changes are made.

Week 1: Introduction / What is Public-Interest Cybersecurity?

5/2 Lecture Week 1A:

● Introduction to Public Interest Cybersecurity

o Introductions

o Content and methods of the course

o What is Public Interest Cybersecurity?

Assignments Due (by Tuesday 11:59PM Pacific):

● (Review) Code of conduct: Posted in “files” section on 2U. [Individual]

● (Read) pages 7 - 21 & 48 - 52 of (Shannon Vallor, The Markkula Center for Applied Ethics)

Prepare answers to questions on pages 13-15 and page 53 for in-class discussion (don’t submit anything).

5/3 Assignments Due (by Wednesday 11:59PM Pacific):

● (Submit) Signed code of conduct: [Individual]

5/4 Lecture Week 1B:

● Ethical Considerations.

● Citizen Clinic “Rules of the Road”

o Citizen Clinic Code of Conduct.

o Personal Risk of Citizen Clinic.

o How to talk about Citizen Clinic.

o Security Response Plan.

Read (by next week):

Week 2: Threats to Civil Society’s Cybersecurity

5/9 Lecture Week 2A:

● Problem Diagnosis and Reframing

5/11 Lecture Week 2B:

● Guest Speaker: “How to inventory cyber security assets”

Read:

Week 3: Meet the First Client and Threats to Civil Society’s Cybersecurity

5/16: Meet the first client

● Guest Speaker: Client

Week 4: Threats to Civil Society’s Cybersecurity

5/18 Lecture Week 4A:

● Current Event Brief

● Contextual Brief

o SAFETAG

o PESTLE

Read:

● Example Risk Assessment shared via email.

Week 4: Risk Assessment

5/23 Assignments Due (by Tuesday, 11:59PM Pacific):

● Communication Plan and Collaboration Plan (Break-out Groups) [Team]

o In Class Collaborative Plan [Team]

o Due After Class (11:59pm Pacific) Communication Plan [Team]

5/25 Lecture Week 4B:

● Current Event Brief

● Contextual Brief

● Bounding Risk Assessments – Alex’s presentation

o Review Teams’ Communication Plans [Team]

Read:

Week 5: Digital Security Training & Recognizing PTSD (post-traumatic stress disorder)

5/30 Week 8A:

● Contextual Brief

● Current Event Brief

● Social Engineering & Phishing Simulations

6/1 Week 8B:

● Contextual Brief

● Current Event Brief

Read:

Week 6: Information Gathering and Analysis

6/6: Lecture Week 5A:

● Current Event Brief

● Contextual Brief

o Adversary Persona Development

● Threat Scenario Development

● Open Source Research Methods, Safety, and Tools

o Virtual Machines, Networks, & Identities

o Manual Searches & Google Hacking

o Automated Tools

6/8 Lecture Week 5B: continued

Read:

Week 7: Improving Baseline Digital Security (Part 1)

6/12 Assignments Due (by Sunday, 11:59PM Pacific):

● Draft Midterm Report and Work Plan [Team]

6/13 Lecture Week 6A:

● Contextual Brief

● Legal and Policy Factors For Non-Profits’ Cybersecurity

6/15: Lecture Week 6B:

● Misinformation & Harassment

o Definitions & Risks

Read:

Week 8: Improving Baseline Digital Security (Part 2)

6/19Assignments Due (by Sunday, 11:59PM Pacific):

● Work Plan Updated & Finalized [Team]

● Slides for Midterm Class Presentation [Team]

6

6/20 Lecture Week 7A:

No class – holiday

6/22 Lecture Week 7B:

● MIDTERM PRESENTATION

Read:

Week 9: Disinformation & Harassment

6/26 Assignments Due (by Sunday, 11:59PM Pacific):

● Team Evaluation 1 [Individual]

6/27 Week 9A:

● Briefings

6/29 Week 9B:

● Briefings

Week 10:

7/4 Holiday

7/6 Week 10A: Clinic Core Hours / Team Check-in

“Clinic Core Hours” refers to the required student attendance of official class meeting hours that will be reserved for instruction specific to partner needs, feedback and guidance from the teaching team, and ad-hoc lectures. Each team member will provide a ~5 minute update on the progress of their assigned partner work.

Week 11:

7/11 Week 11A: Clinic Core Hours / Team Check-in

7/13 Week 11B: Clinic Core Hours / Team Check-in

Week 12:

7/18 Week 12A: Clinic Core Hours / Team Check-in

7/20 Week 12B: Clinic Core Hours / Team Check-in

Week 13:

7/24 Assignments Due (by (by Sunday, 11:59PM Pacific):

● Final Partner Report (for Teaching Team Review) [Team]

7/25 Week 13A: Physical and Electronic Security demo

7/27 Week 13B: Cell Phone cybersecurity

Week 14: Wrap-up & Project Presentations

7/31 Assignments Due (by Tuesday, 11:59PM Pacific):

● Project Presentations to the class [Team]

8/1 Assignments Due (by Friday, 6:00PM Pacific):

● Team Evaluation 2 [Individual]

8/3 Week 14A:

Presentation to Client

Course policies

Workload.

This is a 3-unit, 14-week class. Coursework will primarily focus on partner-facing projects while weekly lectures will be used to inform and engage with students’ hands-on experiences. Students are expected to work an average of 10 hours per week on this course; however, the distribution of this workload may fluctuate based on the availability and needs of the partner.

Evaluation.

Assignments will largely be evaluated on the following rubric that emphasizes (1) sound rationale in assessments, recommendations, and reflections, (2) “partner-ready” work products which reflect professional quality, and (3) completing the instructions of the assignment or the requirements agreed upon work plan with the partner.

General Grading Rubric*

*Note: Students taking the course for P/NP or S/U are expected to participate in classes and complete all work to the same level of quality as students taking the course for a letter grade.

Assignments.

1. Partner Deliverables - 60%

The largest portion of graded evaluation will be based upon your team’s work and support for its assigned partner. These deliverables may include assessments, recommendations, and guides, each tailored towards the partner’s needs. Each team will also deliver a final report summarizing work performed with their partner.

2. Individual Assignments - 10%

Two individual assignments will be given:

Current Event Discussion Lead (5%): Each student will sign up to lead one 15 minute discussion at the beginning of most lectures. Students will be expected to locate and share about a recent, current event relevant to the day’s lecture topic. Topic leaders will emphasize interesting or relevant points while other students are expected to ask questions and comment.

Contextual Briefs (5%): Each student is expected to share findings of their contextual research in one 10 + 5 minute presentation (no more than 10 minutes of content saving at least 5 minutes for Q&A) during the first half of the semester. Students will share relevant, up-to-date, sourced information on one or more PESTLE factors and, importantly, provide an analysis on those factors’ impact on their partner’s security. Briefers will emphasize why their research is relevant to their partner organization while other students are expected to ask questions and comment.

3. Team Case Study - 10%

We want students to be able to discuss and share their experience in the course with others, including future employers. We also want our partners to remain confidential and protected. This being said, each student team will submit a write-up of work performed and takeaways with sensitive information removed. The teaching team will review to ensure your experience is captured in an effective & safe manner.

4. Participation - 10%

We consider “participation” in two major components: participating in regular class discussions and participating in team & partner meetings outside of class hours.

a. You are expected to attend each official class meeting and contribute substantially to class discussions. The teaching team should be notified in advance of absences from class meetings (including Clinic Core Hours). You do not need to share the reason for the absence. Not showing up to team check-ins will also negatively impact this grade.

b. As a rule, two people from your team must attend any partner meeting or call. While you may not be able to attend every team meeting and partner engagement outside of normal class hours, you are expected to attend and contribute to your team’s effort as often as possible.

5. Team Evaluations - 10%

Throughout the course, you will submit confidential evaluation forms which ask you to evaluate the contributions of each team member including yourself. Your final course grade will be adjusted, higher or lower, if you are contributing more or less than those within your group. If there are difficulties with any team member, discuss the matter within your team and seek resolution. If you cannot resolve the problem, immediately contact any faculty member, so that we can make an appointment to discuss the situation individually or with the entire group as needed.

Late assignments.

As we want to respect the time of our partners and ensure a high level of quality control (the teaching team will review deliverables before it reaches the partner), we expect students to adhere to timelines and due dates. Each day an assignment is late will result in a letter grade deduction. Recognizing that emergencies arise and partners may require schedule adjustments, exceptions will be made on a case-by-case basis.

Code of Conduct.

Each student enrolled in the course must agree in writing to the Citizen Clinic’s Code of Conduct (to be distributed) for maintaining a safe and secure learning experience and partner relationship. This Code of Conduct will be respected by all students, the teaching team, and CLTC staff and it is the responsibility of all personnel to report possible violations of the Code of Conduct to the teaching team.

Disability Accommodation.

If you need disability-related accommodations in this class, if you have emergency medical information you wish to share with us, or if you need special arrangements in case the building must be evacuated, please inform us as soon as possible.