Cyber Win: NSA Selects LSU to Build Cybersecurity Clinic to Support Small Businesses in Louisiana
$1.5 million award from the National Security Agency will establish the LSU Cybersecurity Clinic to help small businesses in Louisiana prevent, detect and respond to cyberattacks. LSU was chosen among more than 400 eligible institutions of higher education in the United States.
LSU has been selected by the National Security Agency, or NSA, as the first university in the nation to create and pilot a cyber clinic to help protect small businesses, which are increasingly frequent targets for cyberattacks. The LSU Cybersecurity Clinic, or LCC, will provide free services through the Louisiana Small Business and Development Center at LSU while giving students in the LSU College of Engineering and LSU E. J. Ourso College of Business opportunities to advance their cybersecurity education, gain real-world experience and earn professional certifications.
“LSU researchers seek to translate research into applied solutions and technical support,” LSU President William F. Tate IV said. “This award from the NSA signals our faculty’s ability to deliver on this aim. It recognizes LSU’s growing leadership in cyber as we pursue our mission and Scholarship First Agenda to protect and secure Louisiana and the nation.”
The initial $1.5 million award from the NSA will establish the LCC, with services offered through three collaborative sub-clinics operated by LSU students and faculty advisors. Each sub-clinic has a unique mission and technical thrust. Together, they will provide Louisiana small businesses with a streamlined way to access solutions to highly technical challenges. The first sub-clinic, focused on threat and vulnerability assessment, will be open to computer science majors and put students on the offensive as they pretend to be malicious hackers to help companies find security flaws. Cyber defense, also for computer science majors, will provide recommendations and solutions. Cyber risk assessment, open to business majors, will focus on the particular assets, information and operations of a company to develop workable and effective mitigation strategies.
“Business owners need new and trusted allies and resources in the worsening cyber fight,” said Aisha Ali-Gombe, LCC director, principal investigator on the grant and associate professor of computer science and engineering at LSU with a joint appointment in the LSU Center for Computation & Technology. “We want to enable Louisiana businesses to reach a minimum cybersecurity posture in a convenient, trustworthy and scalable way. We also want our students to gain core technical skills and ability to apply them, similar to an internship. This will put our students on a whole new level in terms of jobs after graduation, while small businesses in Louisiana will be able to access excellent, community-focused and meaningful cybersecurity services through LSU.”
The LCC will be an essential complement to the Louisiana Small Business and Development Center, or SBDC, at LSU. The SBDC, which is funded by the U.S. Economic Development Administration, offers technical assistance to start-ups, existing businesses and entrepreneurs. LSU’s Office of Innovation & Technology Commercialization was designated as Louisiana’s SBDC coordinator this past January and manages 10 regional offices for small businesses throughout the state.
“The Louisiana SBDC works every day to understand the threats and challenges our small businesses face,” said Adam McCloskey, director of the Louisiana SBDC at LSU. “Over the last several years, the risks in securing files, managing customer information and processing payments have only grown. Meanwhile, we have a statewide mandate to help businesses with technology and can’t wait to show the community how to access the world-class talent at the LSU Cybersecurity Clinic, which will help us in our mission to provide 360-degree support to entrepreneurs.”
LSU is one of 403 Centers of Academic Excellence designated by the NSA and one of only 22 schools nationally that are designated as a highly technical NSA Center of Academic Excellence in Cyber Operations. While all 403 schools were eligible to apply for NSA support to create a cyber clinic, the NSA offered a maximum of two awards, with the first going to LSU.
“This grant reflects very positively on the confidence people have in LSU and the ability of the university to deliver quality education and services,” said Glenn Sumners, professor and director of the LSU Center for Internal Auditing & Cybersecurity Risk Management, part of the E. J. Ourso College of Business. “The LCC will serve the state and our local businesses as we continue to work on the frontier of emerging issues.”
While LSU students and faculty will collaborate to provide training, counseling and risk assessment for Louisiana small businesses through the LCC, experts at the LSU Paul M. Hebert Law Center will provide legal advising to protect both the companies and the students who participate in clinic activities.
“LSU students will get first-hand experience in how the technological challenges of cybersecurity intersect with the real-world commercial concerns of clients and the legal and ethical boundaries governing emerging technologies,” said LSU Professor of Law Scott Sullivan. “Cyber clinic students will simultaneously protect the local business community while preparing themselves for a technological landscape that promises to become increasingly regulated and complex.”
The cybersecurity clinic idea is modeled on similar services provided by medical and law schools where clinics serve the needs of the community at no or low cost, such as the LSU Law Clinic.
“Like the Law Clinic, the LCC is like an emergency room, but for cybersecurity,” said Anas “Nash” Mahmoud, software engineer and associate professor of computer science and engineering at LSU. “My role on the project will be to develop the LCC interface where businesses can learn, test their knowledge and communicate with our team. We’ll also develop educational games with purpose to help everyone learn how to be smart online and to anticipate and defend against cyberattacks.”
The clinic will engage 45 LSU students in its first two years—five per sub-clinic per semester starting in the spring of 2024—potentially expanding to 75 students by year three. All will have the opportunity to become highly competitive by earning respected and frequently required professional certifications in areas ranging from penetration testing to offensive and defensive cybersecurity. The GPEN certification for offensive cybersecurity and GSOC for defensive cybersecurity will be provided by leading security training provider SANS in partnership with LSU. While such certifications tend to be costly, eligible students can earn them through the LCC for free. Ali-Gombe and Professor Golden G. Richard III, LSU faculty lead for cybersecurity and director of the LSU Applied Cybersecurity Lab in the LSU Center for Computation & Technology, will also expand LSU’s computer science course offerings to prepare students to work in the clinic and help organizations recognize and respond to cyber threats. All computer science majors interested in earning additional credit hours by working in the LCC will have to be enrolled in the cybersecurity concentration currently offered at LSU, which, since its inception in 2019, has grown from about 20 students to almost 200 students.
Additional LSU collaborators on the project are Executive Associate Dean and Ourso Family Distinguished Professor of Information Systems Helmut Schneider in the E. J. Ourso College and Rudy Hirschheim, professor in the Ourso College and in the LSU Center for Computation & Technology, where the LCC will be located. Both will act as advisors and evaluators for the project. Further, industry advisor Andrew Case is a core developer of the Volatility memory forensics framework at the Volatility Foundation and a senior cybersecurity consultant at LSU. He will ensure students gain the cybersecurity skills most needed by industry. Finally, LSU’s Director of Economic Development Greg Trahan, who serves in a special advisory role to the LSU President on cybersecurity, will support LCC sustainability and growth by connecting prospective companies with LCC capabilities and students.
Nearly half of the U.S. workforce is employed by small businesses. Meanwhile, small businesses often lack resources to detect and fight cyber threats, thus risking severe financial, operational and reputational damage. While technology has enabled many smaller companies to be more competitive and grow by reaching and serving more customers—including through automation, online sales platforms and accounting and inventory management software to save time and money—technology has also brought risk, including beyond the organizations themselves. As small businesses frequently function as service providers to larger businesses, vulnerabilities in their networks and computer systems are often used as “stepping stones” to attack bigger organizations.
The benefits of helping small businesses in Louisiana become more secure reach far beyond the individual companies. In 2021, the Louisiana State Police Cyber Crime Unit conducted 56 investigations into cyberattacks that caused at least $550 million in losses for Louisiana organizations. By complementing these efforts, the LCC will help offset the burden on the state to conduct incident response for resource-constrained organizations.
The LCC will use LSU’s FIREStarter, a forensic and incident response environment and immersive cyber teaching lab designed to simulate real-world, real-time cyberattacks. The environment will be expanded to include point-of-sale and financial systems frequently used by Louisiana companies.
“At LSU, we’ve been provided with unmatched resources for cybersecurity and charged by LSU President William F. Tate IV to become the number-one cyber school in the United States,” Richard said. “With our rapidly expanding Scholarships for Service program funded by the National Science Foundation, our recent designation as a Center of Academic Excellence in Cyber Operations by the NSA, additional world-class cybersecurity faculty joining us this fall and now an NSA-funded cyber clinic, we’re well on the way to making it happen.”