Syllabus
Course description
For individuals and organizations involved in political advocacy, cybersecurity threats are an increasingly common reality of operating in the digital world. Civil society has always been under attack from ideological, political, and governmental opponents who seek to silence dissenting opinions, but the widespread adoption of connected technologies by the individuals and organizations that make up civil society creates a new class of vulnerabilities.
Citizen Clinic at the Center for Long-Term Cybersecurity provides students with real-world experience assisting politically vulnerable organizations and persons around the world to develop and implement sound cybersecurity practices. Clinic students will participate in both a classroom and clinic component. In the classroom, students will study the basic theories and practices of digital security, the intricacies of protecting largely under-resourced organizations, and the tools needed to manage risk in complex political, sociological, legal, and ethical contexts. In the clinic component, students will work in teams supervised by the Clinic staff to provide direct cybersecurity assistance to civil society organizations. Students' clinic responsibilities will include learning about an organization's mission and context, assessing its vulnerabilities, and ultimately recommending and implementing mitigations to the identified security risks. The emphasis will be on pragmatic, workable solutions that take into account the unique operational needs of each partner organization. Weekly lectures will provide students with the background information and tools they will need to engage with partners. Coursework will focus on partner-facing, hands-on projects. Students will be expected to work an average of 10 hours per week, although the distribution of this workload may fluctuate based upon the availability and needs of the partner.
Schedule
In the first half of the semester, class meetings will be a mix of lectures & discussions with project-oriented workshops. In the second half of the semester, these class times will be reserved for work with the teaching team and check-ins tailored to the specific needs of your partner organization.
Most assignments (with some exceptions) are listed with a due date on Sunday at 11:59 PM (Pacific). Readings are to be completed by the end of the week in preparation for the next week's lectures.
Note: This schedule is tentative and may be adjusted - assignment dates may change, additional readings may be assigned, speakers/lectures may be shuffled, etc. The teaching team will announce when changes are made.
Week 1: Introduction / What is Public-Interest Cybersecurity?
5/2 Lecture Week 1A:
• Introduction to Public Interest Cybersecurity
o Introductions
o Content and methods of the course
o What is Public Interest Cybersecurity?
Assignments Due (by Tuesday 11:59PM Pacific):
• (Review) Code of conduct: Posted in "files" section on 2U. [Individual]
• (Read) pages 7 - 21 & 48 - 52 of "An Introduction to Cybersecurity Ethics" (Shannon Vallor, The Markkula Center for Applied Ethics)
Prepare answers to questions on pages 13-15 and page 53 for in-class discussion (don't submit anything).
• (Read) Sandro Contento, Toronto Star, "How these Toronto sleuths are exposing the world's digital spies while risking their own lives"
• (Explore & use) Citizen Lab's Security Planner.
• (Skim) Tactical Tech's Annual Report
5/3 Assignments Due (by Wednesday 11:59PM Pacific):
• (Submit) Signed code of conduct: [Individual]
5/4 Lecture Week 1B:
• Ethical Considerations.
• Citizen Clinic "Rules of the Road"
o Citizen Clinic Code of Conduct.
o Personal Risk of Citizen Clinic.
o How to talk about Citizen Clinic.
o Security Response Plan.
Read (by next week):
• Citizen Lab. "Bittersweet: Supporters of Mexico's soda tax targeted with NSO exploit links"
• Access Now. "Spyware in Mexico: an interview with Luis Fernando García of R3D Mexico"
• Silver & Elgin. "Torture in Bahrain Becomes Routine With Help From Nokia Siemens"
• Arthur Turner. "Consulting Is More Than Giving Advice."
• Thomas Wedell-Wedellsborg. "Are You Solving the Right Problems?"
• (Optional) Joseph Cox. "I Gave a Bounty Hunter $300. Then He Located Our Phone"
• (Optional) Stephen Arnold. "Telestrategies - An Interview with Dr. Jerry Lucas"
Week 2: Threats to Civil Society's Cybersecurity
5/9 Lecture Week 2A:
• Problem Diagnosis and Reframing
5/11 Lecture Week 2B:
• Guest Speaker: "How to inventory cyber security assets"
Read:
• Electronic Frontier Foundation, "Surveillance Self-Defense: Your Security Plan" - know the definitions of underlined terms.
• Jorge Luis Sierra "Digital and Mobile Security for Mexican Journalists and Bloggers"
• Le Blond et al. "A look at targeted attacks through the lense of an NGO"
• SAFETAG Guide. Skim to Section 2.2, then read Section 2.2 and Section 2.3.
• (Read and Explore Examples) About PESTLE (use an ad-blocker!)
• (Optionally Watch) CLTC / TechSoup. Webinar. "Cybersecurity in Low-Risk Organizations: Understanding Your Risk and Making Practical Improvements."
Week 3: Meet the First Client and Threats to Civil Society's Cybersecurity
5/16: Meet the first client
• Guest Speaker: Client
Week 4: Threats to Civil Society's Cybersecurity
5/18 Lecture Week 4A:
• Current Event Brief
• Contextual Brief
o SAFETAG
o PESTLE
Read:
• NIST SP 800-37 "Risk Management Framework for Information Systems and Organizations." Chapter 2 only.
• (Skim) NIST SP 800-39 "Managing Information Security Risk." Chapter 2 only.
• (Skim) NISTIR 8062 "An Introduction to Privacy Engineering and Risk Management in Federal Systems."
• Example Risk Assessment shared via email.
• Julian Cohen. "Playbook Based Testing."
• MSFT's STRIDE and related blog posts.
• Bill Marczak and John Scott-Railton. "Keep Calm and (Don't) Enable Macros: A New Threat Actor Targets UAE Dissidents"
Week 4: Risk Assessment
5/23 Assignments Due (by Tuesday, 11:59PM Pacific):
• Communication Plan and Collaboration Plan (Break-out Groups) [Team]
o In Class Collaborative Plan [Team]
o Due After Class (11:59pm Pacific) Communication Plan [Team]
5/25 Lecture Week 4B:
• Current Event Brief
• Contextual Brief
• Bounding Risk Assessments - Alex's presentation
o Review Teams' Communication Plans [Team]
Read:
• Amnesty International. "Digitally dissecting atrocities - Amnesty International's open source investigations."
• Sarah Jeong, Charlie Warzel, Brianna Wu, Joan Donovan. New York Times. "Everything is GamerGate" - Read all of the four essays.
• Angela Chen. The Verge. "Moderating content doesn't have to be so traumatic"
• Sam Dubberley & Michele Grant. First Draft. "Journalism and Vicarious Trauma"
• (Explore) The EFF's Security Education Companion.
Week 5: Digital Security Training & Recognizing PTSD (post-traumatic stress disorder)
5/30 Week 8A:
• Contextual Brief
• Current Event Brief
• Social Engineering & Phishing Simulations
6/1 Week 8B:
• Contextual Brief
• Current Event Brief
Read:
• Protective Intelligence. "Part I: An Introduction To OSINT Research For Protective Intelligence Professionals"
• Protective Intelligence. "Part 2: An Introduction To OSINT Research For Protective Intelligence Professionals"
• Ian Barwise. "Open-Source Intelligence (OSINT) Reconnaissance"
• (Explore) OSINT Framework
• (Explore) OSINT.link
• (Explore) Awesome OSINT
• (Try) SECALERTS - Automated Security Audit
Week 6: Information Gathering and Analysis
6/6: Lecture Week 5A:
• Current Event Brief
• Contextual Brief
o Adversary Persona Development
• Threat Scenario Development
• Open Source Research Methods, Safety, and Tools
o Virtual Machines, Networks, & Identities
o Manual Searches & Google Hacking
o Automated Tools
6/8 Lecture Week 5B: continued
Read:
• Netgain "Digital Security and Grantcraft Guide"
• The Engine Room. "Ties That Bind: Organizational Security for Civil Society" - read Full Report.
• APF et al. "Improving SSL Warnings: Comprehension and Adherence"
• Abu-Salma et al. "Obstacles to the Adoption of Secure Communication Tools"
Week 7: Improving Baseline Digital Security (Part 1)
6/12 Assignments Due (by Sunday, 11:59PM Pacific):
• Draft Midterm Report and Work Plan [Team]
6/13 Lecture Week 6A:
• Contextual Brief
• Legal and Policy Factors For Non-Profits' Cybersecurity
6/15: Lecture Week 6B:
• Misinformation & Harassment
o Definitions & Risks
Read:
• Micah Lee. "It's Impossible To Prove Your Laptop Hasn't Been Hacked. I Spent Two Years Finding Out."
• (Watch) Rachel Tobac. "How I would Hack You: Social Engineering Step-by-Step"
• Weidinger et al. "How To Give A Digital Security Training"
• EFF. "Am I the Right Person?"
• EFF. "How to Teach Adults"
• (Skim) Weidinger et al. "Digital Security Training Resources for Security Trainers, Fall 2019 Edition"
Week 8: Improving Baseline Digital Security (Part 2)
6/19 Assignments Due (by Sunday, 11:59PM Pacific):
• Work Plan Updated & Finalized [Team]
• Slides for Midterm Class Presentation [Team]
6/20 Lecture Week 7A:
No class - holiday
6/22 Lecture Week 7B:
• MIDTERM PRESENTATION
Read:
• IFTF "State-Sponsored Trolling: How Governments Are Deploying Disinformation as Part of Broader Digital Harassment Campaigns". Read pages 3 to 21 & 45 to 51.
• Cindy Otis. USA Today. "Americans could be a bigger fake news threat than Russians in the 2020 presidential campaign"
• InterAction "Disinformation Toolkit."
• Reply All podcast. "#112 The Prophet" Listen to or read transcript.
• (Optional) Tahmina Ansari. First Draft. "This Muslim journalist embraced social media until it 'ruined' his life"
Week 9: Disinformation & Harassment
6/26 Assignments Due (by Sunday, 11:59PM Pacific):
• Team Evaluation 1 [Individual]
6/27 Week 9A:
• Briefings
6/29 Week 9B:
• Briefings
Week 10:
7/4 Holiday
7/6 Week 10A: Clinic Core Hours / Team Check-in
"Clinic Core Hours" refers to the required student attendance of official class meeting hours that will be reserved for instruction specific to partner needs, feedback and guidance from the teaching team, and ad-hoc lectures. Each team member will provide a ~5 minute update on the progress of their assigned partner work.
Week 11:
7/11 Week 11A: Clinic Core Hours / Team Check-in
7/13 Week 11B: Clinic Core Hours / Team Check-in
Week 12:
7/18 Week 12A: Clinic Core Hours / Team Check-in
7/20 Week 12B: Clinic Core Hours / Team Check-in
Week 13:
7/24 Assignments Due (by Sunday, 11:59PM Pacific):
• Final Partner Report (for Teaching Team Review) [Team]
7/25 Week 13A: Physical and Electronic Security demo
7/27 Week 13B: Cell Phone cybersecurity
Week 14: Wrap-up & Project Presentations
7/31 Assignments Due (by Tuesday, 11:59PM Pacific):
• Project Presentations to the class [Team]
8/1 Assignments Due (by Friday, 6:00PM Pacific):
• Team Evaluation 2 [Individual]
8/3 Week 14A:
Presentation to Client
Course policies
Workload.
This is a 3-unit, 14-week class. Coursework will primarily focus on partner-facing projects while weekly lectures will be used to inform and engage with students' hands-on experiences. Students are expected to work an average of 10 hours per week on this course; however, the distribution of this workload may fluctuate based on the availability and needs of the partner.
Evaluation.
Assignments will largely be evaluated on the following rubric that emphasizes (1) sound rationale in assessments, recommendations, and reflections, (2) "partner-ready" work products which reflect professional quality, and (3) completing the instructions of the assignment or the requirements of the work plan agreed upon with the partner.
General Grading Rubric*
| Component | 0 points | 5 points | 10 points |
| --- | --- | --- | --- |
| Rationale | Does not meet partner needs, introduces serious harms to partner, shows limited or inappropriate consideration for context | Addresses most of partner needs, some oversight of potential harms to partner, mostly appropriate for given context. | All partner needs are met, feasible & effective rationale that addresses all major threats, appropriate for given context. |
| Professionalism | Hard to understand, full of jargon, serious writing/format errors present, tone / design unsuitable for its audience | Writing is mostly understandable; minor writing/format errors (typos), mostly appropriate tone / design | "Partner-ready," clear and concise writing, almost no writing/formatting errors, appropriate tone & design for its audience |
| Requirements | Some requirements in assignment or work plan not met; no insights or connections to readings/lectures; for group work: no evidence of group work | Most requirements met, some evidence for connections with readings/lectures; for group work: some evidence of group work | All requirements met, with clear, thoughtful insights and multiple cited connections to relevant readings/lectures; for group work: full evidence of strong, equitable collaboration |
*Note: Students taking the course for P/NP or S/U are expected to participate in classes and complete all work to the same level of quality as students taking the course for a letter grade.
Assignments.
1. Partner Deliverables - 60%
The largest portion of graded evaluation will be based upon your team's work and support for its assigned partner. These deliverables may include assessments, recommendations, and guides, each tailored towards the partner's needs. Each team will also deliver a final report summarizing work performed with their partner.
2. Individual Assignments - 10%
Two individual assignments will be given:
Current Event Discussion Lead (5%): Each student will sign up to lead one 15-minute discussion at the beginning of most lectures. Students will be expected to locate and share a recent current event relevant to the day's lecture topic. Topic leaders will emphasize interesting or relevant points while other students are expected to ask questions and comment.
Contextual Briefs (5%): Each student is expected to share findings of their contextual research in one 10 + 5 minute presentation (no more than 10 minutes of content, saving at least 5 minutes for Q&A) during the first half of the semester. Students will share relevant, up-to-date, sourced information on one or more PESTLE factors and, importantly, provide an analysis of those factors' impact on their partner's security. Briefers will emphasize why their research is relevant to their partner organization while other students are expected to ask questions and comment.
3. Team Case Study - 10%
We want students to be able to discuss and share their experience in the course with others, including future employers. We also want our partners to remain confidential and protected. This being said, each student team will submit a write-up of work performed and takeaways with sensitive information removed. The teaching team will review to ensure your experience is captured in an effective & safe manner.
4. Participation - 10%
We consider "participation" to have two major components: participating in regular class discussions and participating in team & partner meetings outside of class hours.
a. You are expected to attend each official class meeting and contribute substantially to class discussions. The teaching team should be notified in advance of absences from class meetings (including Clinic Core Hours). You do not need to share the reason for the absence. Not showing up to team check-ins will also negatively impact this grade.
b. As a rule, two people from your team must attend any partner meeting or call. While you may not be able to attend every team meeting and partner engagement outside of normal class hours, you are expected to attend and contribute to your team's effort as often as possible.
5. Team Evaluations - 10%
Throughout the course, you will submit confidential evaluation forms which ask you to evaluate the contributions of each team member including yourself. Your final course grade will be adjusted, higher or lower, if you are contributing more or less than those within your group. If there are difficulties with any team member, discuss the matter within your team and seek resolution. If you cannot resolve the problem, immediately contact any faculty member, so that we can make an appointment to discuss the situation individually or with the entire group as needed.
Late assignments.
As we want to respect the time of our partners and ensure a high level of quality control (the teaching team will review deliverables before they reach the partner), we expect students to adhere to timelines and due dates. Each day an assignment is late will result in a letter grade deduction. Recognizing that emergencies arise and partners may require schedule adjustments, exceptions will be made on a case-by-case basis.
Code of Conduct.
Each student enrolled in the course must agree in writing to the Citizen Clinic's Code of Conduct (to be distributed) for maintaining a safe and secure learning experience and partner relationship. This Code of Conduct will be respected by all students, the teaching team, and CLTC staff and it is the responsibility of all personnel to report possible violations of the Code of Conduct to the teaching team.
Additionally, we expect all students to abide by the Berkeley Student Code of Conduct (see https://sa.berkeley.edu/student-code-of-conduct) and act with honesty, integrity, and respect for others. (See also https://diversity.berkeley.edu/principles-community). The consequences for failing to act within these standards may include failing an assignment, a referral to the Center for Student Conduct and Community Standards, a failed grade in the course, and even immediate expulsion. A note on plagiarism: even in the scope of providing a partner with a walkthrough for securing a certain account or system, you are expected not to copy material from another guide, website, article or book (word-for-word or paraphrased) without citing the source - it's a small community and we should give credit where it is due. Other examples of unacceptable conduct include turning in deliverables created by students not currently in the course, work found on the Internet, or created by a commercial service.
Disability Accommodation.
If you need disability-related accommodations in this class, if you have emergency medical information you wish to share with us, or if you need special arrangements in case the building must be evacuated, please inform us as soon as possible.