Feature Story | 22-Jan-2025

These students work to keep nonprofits safe from hackers

The new Cybersecurity Clinic pairs computer science students with small organizations to ward off intruders

Tufts University

Imagine you are running a small nonprofit and learn hackers have hit an organization just like yours. You might be next. What do you do? You can’t afford to hire cybersecurity experts, but you need help.

Luckily, now you can turn to Tufts computer science students working with the Cybersecurity Clinic. Part of the new Cybersecurity Center for the Public Good, it offers free help to nonprofit organizations in and around Boston and nationally. At the same time, it provides valuable experience to students looking to break into the cybersecurity field.

For almost a decade, the student-led group JumboCode has been helping nonprofits with technology issues, but there’s also been a need for assistance focused on cybersecurity, says Ming Chow, associate teaching professor of computer science.

Chow proposed a cybersecurity clinic several years ago and this spring tested the waters with a pilot program. He recruited computer science students—graduate and undergraduate, online and in person—who were interested in more than just coding. “Cybersecurity is an interdisciplinary field,” he says. “We want students to have a broad range of interests and experiences.”

Thanks to publicity about the new effort from JumboCode and Tisch College, which have connections to local community organizations, plenty of nonprofit clients stepped up to take advantage of the program.

One student involved from the beginning was Austin Brower, who is working toward a master’s in cybersecurity and public policy through The Fletcher School and the School of Engineering. “I was really interested, because I love the conceptual model of trialing new things with students,” he says.

He was one of five students working with a small, all-volunteer nonprofit that had many overseas members. They had a shared email system with two-factor authentication (sending a text to a phone to verify the user)—but every time someone logged in from another country, the main person here would have to approve it—at all hours. “That leads to exhaustion and frustration—very common challenges for that kind of enterprise,” Brower says. 

The answer? “We put together plans around the email problem by enrolling the client in Google’s free-for-nonprofits email system, to spread out the email so it was not just one mailbox and still secure,” he says.

Sarah Abowitz, a doctoral student in computer science, worked with an organization that had seen nonprofits like theirs be hacked for political reasons, and needed help to prevent it happening to them. “This was a preemptive measure on their part, asking us to assess what they’re doing, how they’re doing it, and making sure that it is as secure as it can be,” she says. 

While going through the organization’s online presence, she found a vulnerability—an old WordPress blog—that needed fixing. “It’s nice to be able to make that change happen,” she says.

Her team also developed a comprehensive security plan for the organization. “We worked hard on it during the summer,” she says. “It became a labor of love, more than just this thing that had to be done.”

Real-World Experience

That is exactly the kind of work that the clinic—overseen by Chow as part of the Cybersecurity Center for the Public Good—was set up to do. Officially launched in September with a new cohort of students, it is now part of a global consortium of about two dozen university-based cybersecurity clinics.

Students commit to working about 10 hours per week on clinic work during the semester—pro-rated for part-time students. “We have a no-brainer rule: you really can’t miss a deadline,” says Greg Fox, an online master’s in computer science student. “If you commit to something with the client, then you’re going to manage your time and you’re going to deliver it. And if there are hiccups, very early on you say, this is going to be a problem.”

It’s also good training for the students looking to break into cybersecurity; most employers want experience beyond the classroom, Fox says. “The clinic exposes you to the real world and lets you say, yes, I worked on projects in the industry.”

One of the things that students learn early on is to make time to listen to the client. “It’s almost a no-brainer, but to a nonprofit, security isn’t always at the forefront,” Fox says. “The biggest thing is that each client is different, with different capacities. So you really have to listen to what they want, instead of just going in and saying, hey, we’re going to go do this.”

Learning how to communicate with non-technical people was important, too. “We learned really well and quickly how to tune to where the client was,” adds Brower. “When we got too technical, you could see it and feel it, and we could coach each other. We would talk about the topic internally first and then think about how the client would react, what kind of questions she would have, and then how we would frame the language.” 

The experience with the clinic can be transformative. “It’s so focused on real problems, real people, real organizations. You can’t get that easily elsewhere,” says Brower. Fox agrees. “It’s a really cool experience to be able to say you actually worked on projects in the industry,” he says.
