Introducing the Citizen Clinic Cybersecurity Education Center

Steve Trush
CLTC Bulletin
Published in
5 min readMay 27, 2020


Citizen Clinic is a public-interest cybersecurity clinic housed in the UC Berkeley Center for Long-Term Cybersecurity (CLTC). The clinic supports interdisciplinary teams of students to build the capacity of politically vulnerable organizations to defend themselves against online threats.

Today, Citizen Clinic published the Citizen Clinic Cybersecurity Education Center (, a GitHub site to share resources that can help others build on our model and establish security clinics in their respective institutions. The site includes past and current Citizen Clinic curricula, reading lists, and syllabi, as well as a link to our Baseline Organizational Security Guide.

Below is a Q&A with Steve Trush, deputy director of Citizen Clinic.

The Citizen Clinic Cybersecurity Education Center homepage
The Citizen Clinic Cybersecurity Education Center homepage

What is the Citizen Clinic Cybersecurity Education Center (

The Citizen Clinic Cybersecurity Education Center is an online resource documenting what Citizen Clinic — the world’s first public interest cybersecurity clinic — has learned over the course of our first two years. The site showcases three of the resources we’ve developed: our classroom curriculum, the technological infrastructure that we use to support student work, and guides for baseline security. We see it as a library of sorts: a place to share what we’ve learned for others to learn, repurpose, and critique.

Citizen Clinic learns so much about the challenges of securing politically targeted civil society groups that we want to have a single place to share our activities, outputs, and lessons learned.

This is not the first website that shares security training information. Electronic Frontier Foundation’s Security Education Companion comes to mind. Why does the world need another security training website?

Citizen Clinic is quite a bit different from other cybersecurity courses, as the main crux of our program is real-word, hands-on learning for improving an organization’s security. In teaching UC Berkeley students, we are educating novice digital security assistance providers to support small, politically targeted nonprofits. This requires a curriculum that incorporates skills such as building effective consulting relationships, using qualitative research methods, and understanding how contextual factors influence organizational change.

We envision the Citizen Clinic Cybersecurity Education Center as the home for materials to help others build their own public-interest security clinics. We’ve developed a model that is begging to be spread to other schools and nonprofits, since this sort of clinic work fills a dire public interest need for both training future technologists and making civil society safer.

What sorts of people do you envision using the site?

The first group of people are educators. We hope that, after reading some of our case studies, they become interested in creating a similar program at their own schools, maybe focusing on a specific issue like reproductive rights or environmental justice. While we’d love to hear from them to discuss their plans, they could simply use our lesson modules, reading list, or Code of Conduct as jumping off points for their own courses. Lowering the barriers to entry is key to building more clinic programs, and it’s important that educators can see how a program like ours is possible.

People outside of academia can also use the site to uncover how to keep their own organizations safe, for example by using our Baseline Organizational Security guide. They can also read about a range of threats and mitigations we’ve seen in civil society, and try out our suggestions for relatively low-cost security infrastructure.

We also hope security practitioners, especially in the organizational security “OrgSec” space, will benefit from the materials that we have assembled and tested. For instance, in many of our learning activities, we reference and build upon the great work of others, whether it’s EFF’s Security Education Companion for designing security workshops, Internew’s SAFETAG for contextual and capacity research, or CLTC’s own Daylight Security Research Lab’s work on adversary persona development.

Why did you decide to put the site on GitHub, and why are there edit buttons on each page?

We wanted a clean design to make it simple to search through and use the material. However, we also wanted to track recent changes and quickly integrate updates. We centered on using GitHub and a package called MkDocs so we could achieve both. The site is more usable for people unfamiliar with GitHub or HTML, but can leverage GitHub’s open-source affordances, such as copying the entire repository and tailoring it to one’s own needs, making minor changes that we can reintegrate into the site, or flagging issues or concerns for us.

Having a project in a public repository helps to communicate that this is a living project. We want security practitioners and members of civil society organizations to offer suggestions. Do you know of a great reading on social engineering that we should include? Should we include other home-brew VPN options? Let us know!

The edit buttons (the pencil icon on each page) take the user to the GitHub markdown so that they can fork the repo, submit pull requests, or create a new issue. If you don’t know what those terms mean, don’t worry: you can always send the Citizen Clinic team an email or Signal message.

Want to request a change? Start with the Edit button.

What’s next for the Cybersecurity Education Center?

This is our first public design iteration. That means we are gathering feedback from users. We will plan to incorporate changes so the site is easy to navigate for people of all backgrounds. For example, translating our resources into other languages is already on our list.

You might notice that there are still many lesson modules to come. We will continue to roll out modules with our lesson overviews, activities, as well as case studies and infrastructure over the course of the summer.

Finally, we’re currently reviewing data, interviewing stakeholders, and documenting lessons we’ve learned as a retrospective covering our first two years of public-interest security work. We’ll be writing and sharing more about some of the less technical nuts and bolts of our clinic, as well as describing our theories behind curriculum development, student recruitment, team dynamics, and relationships with partner organizations.

Visit the Citizen Clinic Cybersecurity Education Center



Steve Trush
CLTC Bulletin

This is my LiveJournal.