Could Cyber Clinics be Adapted to K-12?

from the PIT UNiverse Newsletter


March, 2024

by Francesca Lockhart and Sean McAfee

Imagine a nationwide network of cybersecurity clinics, modeled after medical and law school clinics that have been assisting underserved populations for decades. Here, students of all ages learn such foundational concepts as secure by design, vulnerability management, and incident response planning. Cybersecurity professionals from state and local government and experts from critical infrastructure companies, supported by dedicated educators, mentor students and share their real-world experiences. 

No longer would cybersecurity be a theoretical concept; it would be a tangible skill honed through applied labs, simulated attacks, cybersecurity competitions, and ethical hacking exercises.

Cybersecurity as a Trade Profession

Currently, university-based cybersecurity clinics provide free cyber risk assessments and other cyber hygiene services to target-rich, resource-challenged community organizations. As global cyber expert Kathy Liu notes, “Young people are at the forefront of advocating for causes ranging from climate action to gender equality and mental health. But they aren’t rallying around cybersecurity as a social issue.” Cyber clinics are addressing this gap by training multidisciplinary groups of students, offering exposure and hands-on experience for successful entry into the understaffed, in-demand cybersecurity workforce in the United States, while promoting a spirit of public service through their town-gown partnerships and community service models. 

The cyber clinic model can instill passion for cybersecurity as a public good within educational institutions of all levels, not just higher education. The propagation of the cyber clinic model to other educational institutions is appealing for several reasons. 

While cybersecurity has academic and theoretical elements, it is more of a trade profession, one that requires advanced training – though not from a four-year degree, thereby lowering the barriers to entry for people historically excluded from technology fields. Cybersecurity has clear standards (set in large part by vendor-neutral certifying bodies) that require no formal degree program to master. 

What’s more, infrastructure is already in place in the form of career and technical education (CTE), through which educational institutions on all levels hire experts from academia, government, and the private sector to create curricula and work with students of all ages. CTE centers are vetted by departments of education, and are trustworthy partners in the existing training ecosystem.

Local Pride & Cyber Resilience

Through CTE in K-12 schools, cybersecurity defense and education stakeholders have an opportunity to intervene earlier in students’ academic journeys to expose them to the cyber trade and strengthen a pipeline of diverse talent into cyber civil defense jobs. K-12 public schools already instill local pride and promote the value of community service. In K-12 cyber clinics, students would have the chance to protect their homes, families, and communities, and even to drive innovation and resilience for their state and region. Further, their cyber clinic participation would accelerate the cyber talent pipeline to new speeds, further removing degree barriers to entry and supplying local economies with highly skilled, local cybersecurity professionals. 

Funding would involve a combination of federal grants, philanthropic investments, state government contributions, and strategic public-private partnerships. For example, the State and Local Cybersecurity Grant Program (SLCGP), jointly administered by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Administration (FEMA), enables government at any level to make targeted cybersecurity investments to support the security and resilience of critical infrastructure. As such, each state has a SLCGP Cybersecurity Planning Committee and could integrate the cyber clinics concept as a requirement for future funding opportunities. 

Additionally, state governments could allocate funds to support the development and implementation of cyber clinics within their jurisdictions. This could include funding for teacher training and professional development, curriculum tailored to state education standards and specific state-level cybersecurity concerns, and technology to ensure that cyber clinics have adequate equipment and software. Lastly, partnerships with community colleges and private companies could provide scholarship opportunities for interested students to pursue further education and specialized certifications in cybersecurity. Regardless of the ultimate funding behind the expansion of the cyber clinic model, the specific mix of funding sources and the level of contribution from each sector can and should vary depending on the cyber needs and priorities of individual states and communities.

The future of cybersecurity rests on our ability to empower the next generation, especially young people from communities that have been historically excluded from technology design and deployment. By leveraging existing best practices and expanding the network of cyber clinics to educational institutions serving students of all ages and backgrounds – not just four-year colleges and universities – we can create a new, more diverse generation of digital defenders, while empowering local communities to safeguard our nation’s infrastructure.


Francesca (Chessie) Lockhart is the founder and program lead of the Cybersecurity Clinic at the Strauss Center for International Security and Law at the University of Texas at Austin. Previously, she managed strategic analysis programs for the Homeland Security Unit at the Texas Department of Public Safety’s Intelligence and Counterterrorism Division.

Sean McAfee is the section chief for higher education at the Cybersecurity and Infrastructure Security Agency (CISA). He previously was the chief information security officer for the Ohio secretary of state and held various cyber roles at the U.S. Department of Homeland Security including attaché (UK), staff director, and deputy chief of assessments and technical services.
