Sarah Powazek is Program Director of Public Interest Cybersecurity at the UC Berkeley Center for Long-Term Cybersecurity (CLTC), where she leads flagship research on defending low-resource organizations like nonprofits, municipalities, and schools from cyber attacks.
Sarah is a Senior Advisor for the Consortium of Cybersecurity Clinics, and advocates for the expansion of clinical cyber education around the world. Sarah also hosts the Cyber Civil Defense Summit, an annual mission-based gathering of cyber defenders to protect the nation’s most vulnerable public infrastructure.
Sarah previously worked at CrowdStrike Strategic Advisory Services, and as the Program Manager of the Ransomware Task Force. She is an active member of the hacker community, and helps organize Hackers On The Hill and DEF CON Policy.
Summary of the episode
In this episode of the Cybersecurity Guide Podcast, host Steve Bowcut interviews Sarah Powazek, the program director of Public Interest Cybersecurity at UC Berkeley Center for Long-Term Cybersecurity.
They discuss the concept of cybersecurity clinics, which are educational programs where students work with real-world clients to apply their cybersecurity knowledge and skills for the betterment of their community. These clinics focus on helping low-resource organizations, such as nonprofits, municipalities, and schools, defend against cyber attacks.
Powazek explains that public interest cybersecurity is about protecting community-level organizations that are essential to public life but may not have the resources to hire professional cybersecurity services. She also highlights the importance of interdisciplinary skills in cybersecurity and the need for soft skills, such as communication and persuasion, to convince organizations to prioritize cybersecurity. Powazek shares an example of a clinic working with a voting rights organization to improve their cybersecurity practices.
She encourages students interested in public interest cybersecurity to consider their personal passions and find ways to apply cybersecurity to further those goals. Powazek also mentions the CyberPeace Builders program and the Consortium of Cybersecurity Clinics as resources for getting involved in public interest cybersecurity. Finally, she discusses the emerging trend of clean energy cybersecurity and the need to integrate cybersecurity into the design of distributed energy grids.
Read the full transcript of the episode
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide Podcast. My name is Steve Bowcut. I am a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening. Today, our guest is Sarah Powazek, program director of Public Interest Cybersecurity at UC Berkeley Center for Long-Term Cybersecurity or CLTC for short. We’re going to be discussing cybersecurity education in a little bit different perspective than we normally do on this show, but I think the audience is really going to like this. I’m finding this very fascinating. So let me tell you a little bit about our guest before I bring her in. At the CLTC, Sarah leads flagship research on defending low resource organizations like nonprofits, municipalities, and schools from cyber attacks. She’s a senior advisor for the Consortium of Cybersecurity Clinics and advocates for the expansion of clinical cyber education around the world.
Sarah also hosts the Cyber Civil Defense Summit, an annual mission-based gathering of cyber defenders to protect the nation’s most vulnerable public infrastructure. Sarah previously worked at CrowdStrike Strategic Advisory Services and as the program manager of the Ransomware Task Force. She’s an active member of the hacker community and helps organize Hackers On The Hill and DEF CON Policy. With that, welcome Sarah. Thank you for joining me today.
Sarah Powazek:
Thanks, Steve. I’m glad to be here.
Steve Bowcut:
This is going to be fun. As I was explaining, this is a little different than what we normally do and the audience will understand that as this unfolds a little bit, but it’s fascinating to me and I appreciate you taking the time to share your expertise with us.
Sarah Powazek:
Yeah, of course.
Steve Bowcut:
So let’s start and get you to lay out for us the mission and the work of the Citizens Clinic at the UC Berkeley’s Center for Long-Term Cybersecurity.
Sarah Powazek:
Yeah. Absolutely. I’d love to start by backing up a step and just talking about what a cybersecurity clinic is, because a lot of folks haven’t heard of it.
Steve Bowcut:
That’s a good place to start. Very good.
Sarah Powazek:
Yeah. What is the cyber clinic? So cyber clinics are a very simple concept. It’s actually a concept that we borrowed from other fields. So fields like the medical field and the law field, they have this element of clinical education in them where as a part of their education, students are taking a turn, actually working with a real world client and applying their education hands-on for free for the betterment of their community, similar to law school clinics where they’ll do pro bono legal advice or medical school clinic where they’ll see patients that can’t afford services in their free time and they’ll get course credit for it as a part of their education. So what we’ve done is that we’ve applied that to cybersecurity. So we have students getting course credit or internship or as a part of a student club working with real clients that really can’t afford professional services and helping them bolster their cyber resilience at the level that they need.
Steve Bowcut:
Okay. Awesome. All right. So now I’m getting this vision in my head. So we’ve got students who are in school, but they spend some of their free time at the Citizens Clinic helping nonprofits, municipalities, other organizations that may not have the resources to hire professional help. Okay. That’s a good place to start. The work that you do, how does that contribute to the field of public interest cybersecurity?
Sarah Powazek:
Yeah. Absolutely. I love talking about public interest cybersecurity because I think oftentimes when we hear public interest, we’re thinking about public interest technology. It hasn’t really been applied to the cybersecurity field as much. So the way that we like to talk about it is we’re thinking about community level, community cybersecurity versus national cybersecurity. So what are the sorts of organizations that are really holding up public life that if they were to disappear one day, a community would really suffer for the lack of it.
So in particular, we’re thinking about cities and towns, small hospitals, small utilities, nonprofits, small businesses, even the local dentist. These are really not going to rise to the level of a national security threat where the FBI is going to run in and try and fix everything. But their loss is really going to be felt by people who rely on them for regular services and care. So we’re really thinking from the bottom up. How do we protect all the organizations, the small ones, the ones that can’t really afford to resource themselves to hire a full-time cybersecurity professional, and how are we thinking in the long term of making sure that these folks are able to protect themselves against very common cyber attacks like ransomware without needing to completely redo their business model?
Steve Bowcut:
Yeah. Interesting. That is such a fascinating idea. And any of us that have been in the industry for any number of years, we’ve seen the target or the bullseye from the threat actor’s perspective. The bullseye was on the big targets where the money was at or where the large caches of personal information were at. But we’ve seen over the years that that’s dropped a little bit. And now you see small businesses and small cities get totally crippled, and small healthcare organizations get totally crippled. And I’ve often worried a little bit that if we’re all, as defenders, focused on that top tier, what is happening below us? Who’s helping the people below? And because they’re vulnerable, that poses a threat to everyone. I mean, you can’t isolate that. So that is fascinating. So as I understand it, there’s a consortium of these Citizen Clinics, if we can use that term. So how does that all work together? How are they related and how do they share information, or do they? How does it work?
Sarah Powazek:
Yeah. Absolutely. So Berkeley started the Citizen Clinic five years ago. It was one of the first cybersecurity-focused clinics in the country, if not the first. Around the same time, a number of other educational institutions, including MIT, Indiana University and the University of Alabama, all started very similar cybersecurity programs. So we had this explosion of a bunch of different higher education professors who were all trying to start up these new programs and they started meeting together. They started meeting every month to try and share lessons learned, to try and help each other improve their programs. And that quickly grew from four to over 15 higher education institutions that we now have in the consortium.
And the goal of the consortium, it’s hosted at Berkeley, I help advise it, but it really is just a collection of professors in higher education from community colleges all the way up to very large four year public institutions. How do we spread this model? How do we train as many students as we can? And most importantly, how do we make sure that we’re actually helping the organizations that need the most help? How do we improve our programs year over year so that we’re using the most recent cybersecurity advice so that we’re staying current on the sorts of threats that they’re most likely to face. So that we’re preparing students to go out into the workforce and continue the work that they’ve already started at the clinic.
Steve Bowcut:
Well, that’s fascinating. So maybe a best practices for these kinds of clinics and sharing those across, you said there were 15, 14, 15 organizations.
Sarah Powazek:
15, yeah.
Steve Bowcut:
15 organizations, and growing, I presume. That’s fascinating. Okay. See, and I had no idea, so I’m glad that you’re here to share that information with us. So let’s talk about the cybersecurity challenges that these types of public interest organizations are facing. So is it different than what in a large organizations with lots of resources or are they the same challenges and it’s just defending them is what become the challenge? Or how does that work?
Sarah Powazek:
Yeah. It’s a good question. I think it’s unfortunately a lot of the same basic cybersecurity hygiene problems that we’ve seen in the last five to 10 years that are still the ones that seem to be plaguing these organizations the most at the lower level. It’s just an issue of scale. So having a bad password policy, allowing folks to create passwords that are very short or able to repeat or that aren’t very complicated, that makes it easier to guess, that could cripple a very large organization just as easily as a small organization. But the difference is that the small organization doesn’t have the same resources to try and make that better. They don’t have the money. They might not even know about cybersecurity. They might not know that that’s something they should be investing in. When you talk about a nonprofit, every single dollar that they don’t spend on their mission is called overhead, and it takes away from their mission. So they’re literally taking away from their mission. And thinking about a hospital, every dollar that they don’t spend on patient care, they’re taking away value from their patients.
So when you talk to these sorts of organizations, it’s really difficult to ask them to give up what they think is their core mission for existing for cybersecurity, which is such an abstract concept to many people. They’re like, “Why would I invest in my computers when I could buy a new EKG machine?” That’s a really hard argument to make. So that’s I think a really key piece of what we’re doing at the clinics is it’s not just about the cyber hygiene. It’s how do you convince people to prioritize cybersecurity? How do you get students to train that soft skill of convincing someone, of helping them prioritize, of tying it to their business interests? That’s a really key part of what we’re doing at clinics is the prioritization.
Steve Bowcut:
Interesting. All right. So let’s shift our focus a little bit back now to the students through our working in these clinics across the country. Obviously I think it’s obvious to everyone that a hands-on experience is going to be a wonderful thing for students who need to learn this. Talk to us about that a little bit. How do you provide that hands-on experience? What kind of hands-on experience? If I’m a student at UC Berkeley, or any other university that’s a part of this consortium, what can I expect I’m going to be involved in if I participate in one of these clinics?
Sarah Powazek:
Yeah. You’d expect that these clinics would be mostly full of computer science students, but in fact they’re really interdisciplinary at their core. Most of them don’t have any prerequisites. So there aren’t any classes that students have to take in advance of signing up for the clinic. And many of them are set up so that the first part of the class really is just to train the students about what they’re going to be talking with the organizations about. Really teaching them those top five, top 10 cybersecurity hygiene controls like multifactor authentication, like patching, like password policies, like incident response policies, really preparing them. So you can have students that come in from English majors, from journalism majors, we get some from law and business, and they’re all given the same baseline level of knowledge to be able to work with clients.
Steve Bowcut:
Okay. So there is a place for both skill sets. So I was going to ask you in a minute here about do I need to have a technical background. But this is probably a better place to talk about that. So if I’m a programmer type and I like sitting in front of a keyboard and writing code, is there a place for me in a clinic like you manage? And also if I’m a people person, what I really want to do is go in and teach people what cyber hygiene is and how to apply that in their application, is there a role for me regardless of the skillset?
Sarah Powazek:
Absolutely. And I’d go as far as to say the clinics wouldn’t be successful unless they allowed for both of those types of students to participate. A lot of the clinics, especially Berkeley Citizen Clinic, try to pair up students that have more traditional computer science backgrounds with students who come from other majors. So you end up with these groups of students that work together as units and they’re able to break up the different pieces of the project for whoever is best suited to it. But as you and I both know, there are so many elements to cybersecurity that have nothing to do with computers. It’s about people, it’s about awareness training, it’s about budgets, it’s about leadership and C-suite awareness. There’s all these different elements of it that I don’t think people realize that we really need those other skill sets for.
And I think that one thing that the clinics do really well is it’s not rah, rah computers. We’re saying we’re trying to accomplish a mission. We want to protect cities, or we want to protect the food banks. We want to protect the local fire department. That is a mission that really speaks to a much broader group of students than we just want people who are interested in computers. So you actually are attracting a whole new group of students to the field of cybersecurity that had never considered it before. I love talking about a student who went through the Citizen Clinic program who was majoring in human rights at Berkeley, and they were so excited about helping the sorts of nonprofits that Berkeley Citizen Clinic works with.
Berkeley Citizen Clinic works with nonprofits at risk of politically motivated cyber attack. So refugee organizations, women’s health organizations, LGBTQ advocacy organizations, folks that are really political targets. So this human rights student was so excited about that mission that she learned about cybersecurity. She went through the clinics program and she’s now a cybersecurity consultant. So we really are bringing in a whole new generation and a whole new majors of students into this really diverse field.
Steve Bowcut:
I love that. That’s very encouraging to me to realize that there is a group of organizations like this who recognize the value and the need, as you pointed out, for these, you might term them soft skills, because many times I’ve seen organizations where the cybersecurity guy is a real techie type, and when he’s talking to the finance clerk that works in a back office somewhere, they are speaking two different languages and they have a really hard time understanding each other. And the finance clerk may not understand why he needs to do certain things. And if people don’t understand why they need to do the things that they’re told to do, they will find a way around that to make their job easier. It always works that way. So to help them, the education piece, I guess I just can’t overemphasize that enough. The education piece, helping people understand why it is they need to do what they need to do to keep the organization safe and why their actions matter and the impact that it can have.
Let’s see if there’s any particularly impactful projects that you’ve been involved with that illustrate what this work can do.
Sarah Powazek:
Yeah. I have a great example. The Citizen Clinic in 2020, which was a big election year, obviously worked with a voting rights organization. And that was really tricky because this particular organization was being targeted by a lot of disinformation campaigns and they were trying to make sure that they could get accurate voting information out. So it was really important to them to be able to protect themselves from having, for example, their accounts hijacked and having the wrong information put out. So the clinic of students worked with this voting rights organization, and the first thing the students do is just interview. Just talk to the client, understand what they’re struggling with, where they’re coming from, and through those interviews, start to identify what they think are the most high risk behaviors. In a lot of cases, they only have a semester, part of that’s taken up by their training, so they don’t have time to boil the ocean. They’re really here to try and find a couple of high risk activities that they think the organization is doing and recommend a plan for remediation.
So throughout the engagement, they started to surface a couple of things that they were worried about. One was that a lot of the volunteers for this voting rights organization were sharing accounts. They would have one account and everybody would log into it. And I see that you’re nodding, that’s a no-no that we’re worried about that because if someone got the account credential, everybody’s sharing it around, it just increases the risk of someone being able to take over that account. So they realized that this was one of the most high risk behaviors, and what they decided to focus on for their evaluation was creating an organizational procedure for this voting rights org, teaching them how to create separate accounts and maintain them without increasing the complexity of their operations. So they really tried to figure out why they were sharing credentials, why that was causing such a barrier for the organization to create individual ones, and they were able to convince them to switch over in the election year, which is a really wonderful story.
Steve Bowcut:
That is awesome. Thank you for sharing that. I appreciate it. So let’s speak directly to our core audience, if you will. So if I’m a cybersecurity student, or maybe let’s not make it that specific. So I’m a student, and I’m trying to choose a career path and I’m interested in public interest organizations, social impact, and/or cybersecurity. So what kind of advice would you have for a person in that situation who might want to get involved in something like this?
Sarah Powazek:
Yeah. I love that there are students out there that are excited about this work. I was one of those students. I was actually a political science major. I was one of those people that was like, man, I really want to help cities. I want to help towns. I want to find some way that I can use my skillset to assist them. And what I really like about cybersecurity is a little bit about what I was talking about earlier. It’s a tool to accomplish a mission. And there are so many different missions that need it. There are so many missions within the nonprofit community, within the public sector, and you’re actually furthering their mission by helping them protect their assets. So I always like to think of it like that if you’re a student that’s considering cybersecurity and you don’t really know how to go about it or you’re thinking about what to specialize in, think about outside of cybersecurity, what really speaks to you in your life? What do you care about?
For a lot of people, they really care about getting people out to vote. So election cybersecurity is something that really speaks to them. For me, it was cities. So we do a lot of work with the City of San Francisco and with municipalities through the clinic programs. But everybody has a different tie in that really gets them out of bed in the morning. And I really truly believe that cybersecurity is actually a career path that is very wide and can accommodate a lot of people’s dreams and goals and missions because you’re essentially helping other people further their goals. So I think that’s where I would start. But I will say public interest cybersecurity is tricky. There aren’t a lot of jobs in this particular field.
I think my job as a director at an academic institution is to try and highlight pathways into the fields and also to try and make it part of every single cybersecurity job. Try and encourage corporations to allow their volunteers to do pro bono assessments to help the folks that really can’t afford their services. I think even if you don’t find a job that’s necessarily in cybersecurity policy or cybersecurity community building, I think in any corporate job, there’s a way to build in the public service mission into your work.
Steve Bowcut:
Excellent. Okay. So actionable advice then. Is there a website that we can put in the show notes, someplace where we can actually direct our audience so they could learn who these 15 organizations that are a part of the consortium, or if they’re in the Berkeley area, how they would get ahold of your organization? And do they need to be in the Berkeley area, or is it all just done virtually?
Sarah Powazek:
Yeah. Great question. Actually, a lot of clinics do take public sector volunteers. If you’re interested in getting involved, our website is cybersecurityclinics.org, and we can share it in the show notes for sure. There’s another organization that I’d recommend as well. The CyberPeace Institute runs a program called the CyberPeace Builders, and it allows you to sign up for very short engagements, just a couple of hours long, and they’ll pair you with a nonprofit that needs help on a very specific task. So for example, say a nonprofit needs help configuring its router and you have some experience configuring routers, it’ll match you up. You’ll find a time to meet. You’ll help them in a very short term engagement. So even if your organization doesn’t have a volunteer program where you’re allowed to take time off in your spare time, you could look at that, consider signing up and becoming a part-time volunteer.
Steve Bowcut:
Yeah. Okay. Excellent. So we will put those in the show notes. So we’re about out of time, and I think we’ve covered everything that I really wanted to cover, but I want this to be very open. If there’s anything else, I do want to end with a question asking you to look into the future and any emerging trends or technologies. But before we get to that last question, is there anything about policies or ways people get involved that you feel like I haven’t asked that I should have?
Sarah Powazek:
No. I think this is pretty good.
Steve Bowcut:
Yeah. I feel like you’ve given us a good insight into what your organization is about, what the consortium is about, and how people can get involved, and that’s what I was hoping to accomplish. So I really appreciate that. Let’s end with this, emerging trends or technologies. And the question I’ve put together was about technologies, but I think we need to look at it broader than that. So emerging trends, technologies or paradigms. People wanting to get involved. What do you see in the future?
Sarah Powazek:
Yeah. I would say always follow where the attack surface is expanding. So in particular lately I’ve been really interested in the energy field, and in particular our transition to a very distributed energy grid that’s able to accommodate all kinds of clean energy, including small scale solar and wind power. What we’re thinking of really is this vastly expanding attack surface of smart meters, of small scale solar. People are putting solar on the houses. We have electric vehicles now where you’re able to charge up in your own home and store that power. And that’s just vastly expanding the number of devices that we have connected to the internet. And what that means is that there’s even more opportunities for bad actors to try and disrupt our everyday lives.
So I’m really interested in the field of clean energy cybersecurity. I think there’s a lot of public interest cybersecurity overlap in that field. And I think in particular, as we look five, 10 years ahead of time while we’re trying to meet our climate goals, how are we making sure that we bake in cybersecurity to the new grid that we’re designing? If it’s an afterthought, we’re not going to be able to fix it. We really need to be a part of the planning process. So I think in particular, trying to build bridges between the energy community and the cybersecurity community and making sure that those two are really in lockstep as we really transition from a one-directional grid to a bi-directional grid where people are both putting in energy and taking out energy is going to be really key over the next couple of decades. So I’m really energized about that.
Steve Bowcut:
Excellent. Thank you so much. And Sarah, thank you for being with us today. This has been very informative. I’ve learned a lot. I’m sure our audience has, and I just can’t thank you enough for taking some time out of your day to spend with us.
Sarah Powazek:
Thanks so much for having me on, Steve, and I can’t wait to see even more students join clinics in the future.
Steve Bowcut:
Me too. I’m with you on that one. A big thanks to our listeners for being with us as well. And please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide Podcast.