Small businesses and community nonprofits are often sitting ducks for hackers. But across the United States, programs are springing up to connect these vulnerable organizations with fresh-faced defenders: college students.
Local businesses and other small organizations are facing an onslaught of cyberattacks, but federal agencies like the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are stretched too thin to help them all implement basic security measures. To fill this gap, public and private universities are launching cybersecurity centers modeled on law school legal clinics to train students as digital security consultants.
In a country besieged by endless hacking campaigns that disproportionately burden small, under-resourced businesses, and with national agencies focused on more serious threats to critical infrastructure, university clinics could be the future of cyber defense at the local level.
“There is a critical role for universities to play in community cyber defense,” says Sarah Powazek, the program director of public interest cybersecurity at the University of California, Berkeley's Center for Long-Term Cybersecurity. “Students are local, highly motivated, and able to provide a range of services pro bono for under-resourced organizations that otherwise couldn’t afford them.”
In just a few months, the newest of these clinics will launch as a pilot project at the University of Texas at Austin, joining other schools that have formed a consortium to share ideas and lessons learned. But UT-Austin’s pilot program has a unique origin story. It was born out of conversations within CISA’s outside advisory board about an even more ambitious idea: a cyber 311 service offering emergency help to local businesses, modeled on the municipal hotlines that residents call to report potholes and broken street lights.
Because sending college students to help companies recover from hacks raises a host of logistical and legal questions, UT-Austin’s clinic will first evaluate the simpler task of offering pre-attack guidance. But the program’s leaders say they’re still interested in the 311 concept that inspired the clinic—and if they can eventually make it work, it could help make colleges the cybersecurity backbones of their communities.
The US faces twin cyber crises: Companies often lack the resources and knowledge to effectively protect themselves from hackers, and there are too few trained professionals to fill the cyber field’s many open jobs. Small- and medium-size businesses fall below a “cyber poverty line,” struggling to achieve even basic resilience. The persistent talent shortage—there are an estimated 756,000 vacant cyber positions in the US—only makes things worse.
Enter the cyber clinic.
For decades, law schools have used clinics to train future lawyers and support their communities with pro bono work. “There’s no learning like the learning that involves an actual, real client,” says Robert Chesney, the dean of UT-Austin’s law school, head of the university’s cybersecurity program, and founder of the new cyber clinic. “Everybody says those experiences are the most impactful things that they do.”
In recent years, universities have begun using a similar model to tackle cyber threats. Schools in Alabama, California, Indiana, Massachusetts, and several other states now operate cyber clinics.
The idea for the UT-Austin project emerged from discussions in CISA’s Cybersecurity Advisory Committee, a group of experts from the private sector, academia, civil society, and local government. During conversations about a university running a municipal cyber helpline, Austin quickly emerged as the ideal candidate, thanks to its already popular 311 service and the support of two committee members: Steve Adler, who was then Austin’s mayor, and Chesney, an influential UT faculty member.
CISA director Jen Easterly has championed the project and recently told the advisory committee that her agency will consider launching a nationwide cyber 311 system after evaluating Austin’s new clinic and similar efforts.
“The UT-Austin pilot is helping us better understand how we can provide cybersecurity services for small and medium-size businesses across our nation,” Easterly says in a statement, adding that she is “truly excited” about it.
UT-Austin’s clinic will take the form of a two-semester course. In the fall, Francesca Lockhart, a former top Texas homeland security official Chesney recruited to lead the project, will teach students cybersecurity skills and partner them with local organizations and businesses, giving students time to learn how those organizations operate and what they need. In the spring, teams of students will then create and implement cybersecurity improvement plans for their clients.
Lockhart’s curriculum will cover lessons like inventorying the devices on a network, scanning for and fixing known vulnerabilities, configuring a firewall, conducting penetration testing, and understanding the Linux operating system and the Python programming language, which are widely used in diagnosing and fixing security issues.
The 20 people in the inaugural class include students majoring in business and computer science, but also those studying biochemistry and international relations. Lockhart is still evaluating a variety of potential clients, including small businesses; nonprofits serving vulnerable populations in Austin; neighboring school districts and city governments; and startups focused on fighting hunger, disease, and other social ills.
Lockhart says the clinic represents “a great opportunity to get students real-world career experience and fill the cybersecurity workforce gap while also serving the needs of some of these under-resourced organizations.”
Any expansion to a 311-type service is far off. “You need to walk before you run,” Chesney says.
To Steve Adler, Austin’s former mayor, a cyber helpline would be a natural extension of the UT-Austin project.
Austin’s 311 service already gets calls from people worried about phishing scams and other low-level cyberattacks. The next step would be to create a referral system so 311 operators could turn certain calls over to UT-Austin students trained to handle a wide range of common incidents. “It might expand the scope of what people think would be covered by a 311 call,” says Adler, who served as mayor from 2015 to 2023.
Another state is already forging ahead with this idea. Later this year, Bridgewater State University in Massachusetts will launch a security operations center (SOC) to answer emergency calls from the community. The 24/7 SOC, created in partnership with a state-funded consortium, will be staffed by professional cyber experts, but students will be able to observe and participate in their work.
Chesney finds the 311 idea very appealing. “It’d be really great if we could get to that stage,” he says, in part because it would deepen ties between the school and the surrounding community, a constant priority for colleges. “It brings the town and the gown together,” Chesney says. “And it may end up being very central over time.”
But many questions need to be answered first. What kinds of calls will the clinic be able to take? How will the increased call volume affect regular 311 operations? Will hacking victims even want to admit their problems and ask for help?
Then there are the legal issues. Responding to a cyber crisis could expose students and faculty to liability. Universities are “incredibly risk-averse,” says UC Berkeley’s Powazek, and many resist offering even traditional clinic services, fearing that clients will sue if they’re later hacked.
Before the clinic can evolve, Chesney and Lockhart have to launch it and see if it makes a difference.
Measuring success won’t be easy. The clinic can track how many students it trains, how many organizations it helps, and how much it all costs. But whether its clients actually emerge more secure will be tricky to determine. Chesney says the clinic will conduct “satisfaction surveys” and stay in touch with clients over time to see if its advice sticks. It will also track alumni’s career paths to see if it’s moving the needle on the workforce issue.
UT-Austin is already having “preliminary discussions” with other universities that want to launch similar clinics, according to Chesney. “All of this is meant to be replicated and copied and used elsewhere,” he says.
Not every school will be able to launch a cyber helpline for their community, but Chesney thinks large universities like his should be able to do so.
Whatever UT-Austin’s program ends up looking like, Chesney is clear about the ultimate goal: to “level up the difficulty, systematically across society, for the bad guys to get into the system.”
“The sooner we can get everyone doing basic blocking and tackling,” he says, “the better off we’re all going to be.”
Update 12:45 pm ET, June 7, 2023: Clarified Sarah Powazek's title at UC Berkeley.