Author: Cyb3ars

Peter W. Singer and Allan Friedman’s Cybersecurity and Cyberwar: What Everyone Needs to Know, is a great place to start. Although already a bit dated, the National Academies’ report At the Nexus of Cybersecurity and Public Policy explains why cybersecurity is important, why it is a wicked problem, and the public policy issues in cybersecurity. And it’s free. A more recent, advanced, and law and policy focused self-study can be pursued by working through UT-Austin Professor Bobby Chesney’s cybersecurity ecasebook.

In September 2024, Chris Hoofnagle and Golden Richard’s Cybersecurity in Context will be available from Wiley.

In addition to the standard tools provided by your career services department, we recommend a direct-approach strategy. That is, if you find a cybersecurity company that deeply interests you, directly approach them and ask about opportunities. Many startups and smaller companies are too busy to run formal externship programs. They’ll be delighted to hear from you if you explain your interest and if it is well matched to the company.

Now, where to start? Crunchbase lists over 450 Bay Area cybersecurity companies. You can also start with a resource like Momentum Partner’s Cyberscape to understand the ecosystem of companies.

The I School also offers an internship grant for MIMS students who pursue internships with non-profit organizations. 

Here are other starting points for research:

• Aspen Institute Tech Fellowship
• Center for Democracy & Technology
• Coding it Forward
• Electronic Frontier Foundation
• Princeton’s Center for Information Technology Policy Summer Fellowship 
• TechCongress
• Technology and National Security Fellowship

Everyone now has a stake in the healthy functioning of communications and control networks, in the devices and services dependent on these networks, and by implication, in all the complicated infrastructure required to keep networks, devices, and services operating.

There is no simple answer to the question of what cybersecurity is. This is because both cyber and security can implicate different concepts and values.

“Cyberspace” is an artificial, complex, constantly changing creation. In a sense, every time one connects a new device to the Internet, that act changes the contours of cyberspace. As we grow dependent on the Internet, more of our activities can be affected by cyberspace vulnerabilities. 

Traditional cybersecurity focused on the confidentiality, integrity, and availability (the “CIA” triad) of computers, data, and networks. But today a larger set of interests are often included in the concept of cybersecurity. Security can come from many efforts, ranging from traditional technical interventions to procedural ones, policies, design, and social norms. Cybersecurity is a social and political field as much as a technical one.

Privacy is a separate, related interest to security. It, too, is contested and difficult to define.  To begin, we suggest reading about the six high-level attributes of privacy that  Professor Dan Solove identifies in Conceptualizing Privacy. 

Privacy and security relate to one another both as concepts and as practices. Security is necessary for privacy, but at the same time, we can imagine forms of security, such as the panopticon of the prison or the surveillance apparatus of an authoritarian state, that are privacy-denying. 

Security is not evenly distributed. We have to ask the questions “security by whom” and “security for whom” when making cybersecurity policy decisions. As discussed further below, the cybersecurity field has long lacked diversity and placed barriers in front of women and underrepresented minorities who seek to join the field. This undermines security conceptually and in practice, because decisions to promote security can simply be an exercise in risk shifting, with some parties better, and others worse protected. 

Security is a privileged value. That is, in policy circles, actors assume that security is a valid social interest worth protecting. But as noted above, “security” is a contested concept; people may be talking of different things when they advocate for investing in it. Further, as the internet grows, cybersecurity’s scope increases. This might cause us to see more human activities through a security lens. As the word security has attached to concepts such as the homeland, security takes on a charged political meaning. Professor Helen Nissenbaum, in the classic article Where Computer Security Meets National Security, explains why we might not want to see the world through a security lens. Nissenbaum explains that the security lens colors our perception of policy issues. The security lens might obscure the moral worth of the underlying activities we are securing, it might cause us to accept unreasonable costs of that security, and it might cause us to accept less democratic political processes, because after all, matters of security are often entrusted to government executives–through militaries and police–instead of more democratic political structures.   

Cybersecurity’s moral basis frays as actors stretch the concept from the protection from corporeal harm to economic protectionism, the protection of intellectual property, or the promotion of societal interests in stability or “harmony.” 

Taken together, these issues show why we do not see cybersecurity as a good in itself, but rather as an instrument that is increasingly important to secure the values we most cherish in society. The struggle is to recognize cybersecurity in context: liberal societies must promote the forms and applications of security that are freedom enhancing while identifying and rejecting those that are not.

Cybersecurity in Context is a three-credit course housed in the School of Law and Information. As such, it is open to law and graduate students, and undergraduates by permission. 

Based on a course in the I School’s online Masters of Information and Cybersecurity (MICS) program, Cybersecurity in Context is a podium lecture course (with discussion) that explores the broad range of social-political-economic-legal-ethical-military and other considerations that characterize the cybersecurity landscape. Thus, it is a wide-ranging introduction to cybersecurity that explains why cybersecurity is such a difficult policy challenge. One needs no technical background or background in law to take it. The course has modules to introduce non-technical students to core internet technologies such as routing and BGP.

Most recent syllabus: Fall 2020

Many faculty members at Berkeley teach privacy and cybersecurity related courses. Because there is no one single source for course information, you may have to do some digging to find the right match for you. We recommend that you focus on faculty members and investigate their webpages. Keep in mind that in addition to their courses, these professors may also have opportunities in their labs.

School of Information

The School of Information offers a perfect intersection between technology and human factors, with identified concentrations in security and privacy. Known as the I School, it offers an online masters degree in cybersecurity, and some of that degree’s courses have migrated to offline, on-campus versions. For instance, Daniel Aranki offers his Introduction to Privacy Engineering on campus. Jennifer Urban and Chris Hoofnagle offer Cybersecurity in Context. Andrew Reddie teaches a number of security courses, including New Domains of Competition: Cybersecurity and Public Policy. These and other faculty often have open research projects in privacy and security.

The School of Information is also home to the Center for Long Term Cybersecurity (CLTC), which sponsors programming and research with an explicit focus on future security issues. CLTC offers the Cybersecurity Citizen Clinic, which provides direct advice to NGOs and other organizations to anticipate security risks and mitigate them. Enrollment is open to all students (there is an application process). Also fascinating are CLTC’s AI Security Initiative and Daylight Security Research Lab.

Individual faculty also have research agenda on security issues. For instance, Professor Hany Farid performs cutting edge research in digital forensics technologies. Professor Deirdre Mulligan is author of Doctrine for Cybersecurity, a classic article proposing a public health approach to security challenges. Professor Steven Weber is the executive director of CLTC and leads research projects on technology, international relations, and cybersecurity.  Professor Doug Tygar, a pioneer in usable security, machine learning, and computer science, passed away unexpectedly in 2020. Tygar’s 1999 article with Alma Whitten, Why Johnny Can’t Encrypt, is widely regarded as one of the most important papers in computer science; it is perhaps the most important paper on human factors and security.

Public Policy

The Goldman School for Public Policy’s Professor Janet Napolitano and History Professor Daniel Sargent teach a popular security course. Goldman’s international relations group and security experts have expertise in cybersecurity.

EECS

UC Berkeley’s Electrical Engineering and Computer Science department has the leading technical security research group in the country. The SEC group’s website lists seven lead faculty focusing on security, over a dozen secondary leads, relevant courses, and relevant research centers.

The International Computer Science Institute is a Berkeley-affiliated research center with many ties to EECS faculty. Many Berkeley students have had excellent research experiences with ICSI, particularly in the network security and usable privacy groups. ICSI has too many security projects to list, but one you might find immediately relevant is Teaching Security, a set of lesson plans for high school students.

Law

The Law School’s Berkeley Center for Law & Technology offers a suite of courses on privacy and security, taught by Ken Bamberger, Chris Hoofnagle, Paul Schwartz, and Jennifer Urban. The Future of Cybersecurity Reading Group and Cybersecurity in Context are both housed at the Law School. The School’s Samuelson Law, Technology & Public Policy Clinic provides among the richest opportunities to engage with clients on technology matters. Note that undergraduates may not take law courses, and graduate students need special approval. Graduate students should plan ahead to request access if you are interested in a law class.

UC Berkeley’s Human Rights Center is affiliated with the law school and undergraduates may participate in its programs. HRC’s Technology & Human Rights Program, specifically its Human Rights Investigations Lab, is directly relevant to cybersecurity (open source investigations and digital forensics), and there are often opportunities for grad students to contribute to HRC research projects for law school credit – some of these projects intersect with digital security. 

Division of Computing, Data Science, and Society

CDSS’s innovative, popular Data8 plays a key role in introducing data science to students. This course is now available on EdX.

Political Science

Berkeley’s political science department offers courses in security and international relations and has many faculty experts focused on different dimensions of security. We suggest that you do a search for security on their site.

Public Affairs

The Public Affairs department offers a course on policy making in the fourth industrial revolution.

Lawrence Berkeley National Laboratory 

Lawrence Berkeley National Laboratory (LBNL) is among the most important cybersecurity actors in history. Clifford Stoll’s The Cuckoo’s Egg, a classic cybersecurity text (article here), was based on Stoll’s careful investigation of computer intrusions while he was a LBNL scientist. Cybersecurity efforts are coordinated through the Cybersecurity R&D for Science and Energy at the Berkeley Lab.

UC Berkeley Extension

Extension offers a cybersecurity bootcamp.

There are so many. Here are just a few of our favorites that have a focus on policy: Lawfare, Just Security, Krebs on Security, CSO Online, and Schneier on Security.

Luckily for you, dear Berkeley student, the campus has several fantastic resources for learning many of the skills we recommend that you develop. 

• LinkedIn Learning (formerly Lynda.com) is available to the entire Berkeley community and it has good quality online, go-at-your-own-pace courses in the Bash command line, in cybersecurity management, the technical domains of cybersecurity (computer networking, endpoint, application, cloud, operating system), security testing, penetration testing, machine learning, python, statistics, and statistical management software, such as R.
• D-Lab is another valuable resource. D-Lab regularly teaches bootcamps in technical fields such as Bash, R, and Python. Courses are free but they fill quickly.
• Berkeley’s “DeCals” can also be a source of skill building. These are courses organized by students (and with faculty oversight, for credit, on a P/NP basis) on specific topics.

That’s great. Berkeley has fantastic resources for your intellectual journey and career. This FAQ offers three pieces of high-level advice, and links to many resources and ideas. 

First, keep in mind that “cybersecurity” is a relatively ill-defined and quickly changing field. This means that you’ll have to  think creatively in order to best develop your skills, work to keep abreast of developments, and supplement these materials with your own research. 

Second, make your course decisions with care. Cybersecurity and privacy are social and political fields as well as technical ones. Depending on your background, you’ll want to consider expanding your understanding of aspects of the field that are less familiar. 

• You can develop deep cybersecurity expertise and insight by studying traditional social sciences such as law, international relations, and economics. 
• If you have a CS/STEM background and are looking for an entrypoint into the law and policy aspects of cybersecurity, we recommend our courses, Cybersecurity in Context and the Future of Cybersecurity Reading Group. But there are many more resources listed below, particularly the blogs, books, and podcasts that have a policy focus.
• If you are a humanities student and wish to improve your technical skills, there are many campus resources to do so detailed here. Signing up for a computer science class might not be the best first step. In addition to the technical difficulty of those courses, they may not be a good fit for developing cybersecurity knowledge. There are alternative approaches more well suited to the kinds of challenges privacy and security experts face. 
• Employers often complain about job candidates’ skills. It’s important to know that colleges and universities may teach some skills, but our purpose is to impart foundational knowledge that will enrich your life. Skills are often developed on-the-job, but we identify many resources on this site to get you started.

Third, find your cybersecurity and privacy community. This FAQ provides some initial information about departments, organizations, classes, and events, both on the Berkeley campus and outside, to get you started.

If you work in a security role in the private sector, particularly if you work in one of the 17 areas designated as critical infrastructure, you can join one of the many public-private cybersecurity partnerships. These partnerships are a key place where knowledge transfer happens in cybersecurity. Many of these groups are coordinated by law enforcement agencies, and joining such a group generally requires a background check and a commitment to treating information acquired confidentially. This is a serious commitment and you should not join unless you can honor it. 

As Berkley alum Ashwin Mathew explains, knowledge networks in cybersecurity depend on interpersonal social trust that takes time, patience, and reciprocity to build. Professor Mathew’s report for CLTC is an important read for those who are considering a career in cybersecurity. In it, he explains how cybersecurity knowledge flows, and how its structure contributes to continued inequities in the profession. Selecting the right mentor is important, but so is making efforts to bridge the gender and race gaps that interpersonal networks can create.

FBI’s Infragard is a great place to start. Infragard has thousands of members and a nationwide presence. Infragard welcomes individual memberships. 

You are likely to find smaller, regional or local groups most useful. However, these groups usually require a referral from a current member to join. One group to consider is the U.S. Secret Service’s Electronic Crimes Task Force, which meets quarterly. Another option to consider is your industry’s Information Sharing and Analysis Center (ISAC). Many ISACs can be found here.

Outside the law enforcement context, the National Institute for Standards and Technology operates many working groups of interest that are easy to join, have good networking, and are not necessarily centered around policing. For instance, NIST’s National Initiative for Cybersecurity Education (NICE) has a working group that meets monthly to discuss ways to articulate and advance cybersecurity education. Check out the apprenticeship, collegiate, and training and certification groups. There are also opportunities to engage NIST on its seminal Cybersecurity Framework and its nascent Privacy Framework.

Established cybersecurity experts may be eligible for membership in smaller, carefully vetted programs, such as M3AAWG and Ops-T.

The Future of Cybersecurity Reading Group (FCRG) is a discussion seminar that examines contemporary scholarship and policy entrepreneurship in cybersecurity. Hosted by the Law and Information Schools, FCRG is open to enrollment for all law, graduate, and undergraduate students. In our weekly discussions, students explore cybersecurity from different disciplinary perspectives, and with different depths of policy and technical knowledge. FCRG is flexible enough to both accommodate cybersecurity beginners as well as those highly focused on the topic.

We’re beginning to build a community of cybersecurity-interested students through FCRG. Over time, we would like FCRG to evolve into a formal working group that incubates campus research in cybersecurity, that makes connections across policy and technical fields, and that helps students conceive of and pursue fulfilling careers in privacy and security.

Pedagogically, FCRG helps students engage with cybersecurity through critical lenses, including the power dimensions of security, the confusing, blurred contours of public/private governance, and with the human factors elements of security. We also care a great deal about developing your skills. If you sign up for FCRG, you will write response pieces to the literature we read, and you will lead a discussion session among your peers. We think the discussion leadership in particular is a valuable experience that teaches just how much care, restraint, and preparation is necessary to lead an intellectually-engaging discussion.

To get an idea of our previous discussions, you can see past syllabi:

• Fall 2021: Focusing on the history of disinformation and the merits/demerits of it being framed as a cybersecurity issue (Thomas Rid’s Active Measures) and on developments in policing where predictive technologies enable law enforcement to act more like intelligence agencies (Sarah Brayne’s Predict and Surveil).
• Spring 2021: Focusing on cybersecurity and nation-state hacking through the lens of International Relations theory (Ben Buchanan’s Hacker and the State) and cybersecurity and the concept of anti-racism (Benjamin’s Race After Technology).
• Spring 2020: Focusing on the intersections of a heavily national-security focused work, Clarke & Knake’s Fifth Domain, and Laura DeNardis’ careful exploration of how technology governance shapes the policy landscape.
• Spring 2019: This was the darkest semester of FCRG thus far, with a focus on cyber conflict. We read David Sanger’s The Perfect Weapon and the Klimburg’s The Darkening Web.
• Spring 2018: We spent the semester thinking about the parallels between internet security and the security of the telephone network. We read Phil Lapsley’s Exploding the Phone: The Untold Story of the Teenagers and Outlaws who Hacked Ma Bell. We also read George Perkovich & Ariel Levite’s, Understanding Cyber Conflict, a book that examines cyber offense and defense through a series of physical-world metaphors.
• Fall 2017: We read the classic 1990 text The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage by Cliff Stoll, and Stoll, who lives in Berkeley, even came to class to participate in a discussion. We also read Singer and Friedman’s introductory work, Cybersecurity and Cyberwar: What Everyone Needs to Know.
• Spring 2017: The readings in this FCRG formed the basis for Urban & Hoofnagle’s Cybersecurity in Context course.