In Could 2019, the federal government in Baltimore, Maryland was in turmoil. Cybercriminals had locked the town out of a lot of its delicate information and demanded cost to decrypt them. Town refused to pay the ransom. The assault disrupted a variety of companies, together with actual property transactions and invoice funds, and price tens of millions of {dollars} in restoration prices.
Syllabus for the MIT College of City Research and Planning course, class 11.074/11.274 (Cybersecurity Clinic) (dasp) features a case research on the state of affairs in Baltimore for example of how ransomware assaults towards native governments and different public establishments have gotten more and more frequent. To counter these threats, Lecturer Jeong-woo Chun and Ford Professor of City Environmental Planning Lawrence Susskind MIT Cybersecurity Clinic Since then, I’ve supplied this course virtually each semester.
Just like regulation corporations and medical clinics, this course combines hands-on coaching for college kids and a professional bono service to at-risk communities. After finishing the academic modules and passing the certification examination, college students are divided into groups and assigned to purchasers. By the top of the semester, every staff will produce a report assessing their consumer’s vulnerability to cyber-attacks and recommending steps to enhance safety. To this point, the clinic has offered greater than 40 confidential and free evaluations, primarily to native governments and well being care suppliers in New England.
In 2025, the FBI’s Web Crime Grievance Heart recorded a mean of two,765 cyberattacks focusing on Individuals every day. When these assaults hit a metropolis or city, Chung mentioned, the influence goes past the monetary: “It has a terrifying knock-on impact on each side of our lives.”
In recent times, cyberattacks focusing on the shopper communities served by MIT clinics have compromised water provides, disrupted 911 and police companies, and compromised the general public’s private knowledge.
Many small municipalities and hospitals lack in-house workers skilled in cybersecurity, although they’re the gateway to vital infrastructure. In in the present day’s labor market, the demand for such professionals far exceeds the provision, and public sector budgets hardly ever match the excessive salaries supplied by non-public corporations to certified candidates.
In response to Comparitech, from 2018 to 2024, there have been 525 ransomware assaults towards U.S. authorities businesses, roughly one each 5 days, leading to an estimated $1.09 billion in downtime prices.
“Underfunded public businesses and nonprofits have to take a self-help path,” Susskind mentioned. “There are numerous low-cost initiatives these organizations can implement with just a little steering from free-of-charge clinics.”
Defensive social engineering
Some could also be stunned to be taught that college cybersecurity applications are positioned outdoors of laptop science departments. Chung is an utilized social scientist with experience in public coverage and planning, and Susskind is a number one knowledgeable on battle decision and consensus constructing. They name the method they developed for the clinic “defensive social engineering” to emphasise that cybersecurity isn’t just a technical problem.
Chun acknowledged that the fast improvement of synthetic intelligence has created worrying new instruments for criminals. “AI is now capable of not solely determine vulnerabilities, however execute the assaults themselves, which is actually scary.” And the menu of software program that claims to guard towards these assaults continues to evolve. Subsequently, this course will spend a big period of time on the technical elements of cybersecurity. “However on the finish of the day, the largest assault vector continues to be by people,” Chung mentioned.
The time period “social engineering” usually refers to how cybercrime victims are manipulated into compromising their safety (for instance, by sending cash to scammers, downloading malicious code, or disclosing delicate info). Susskind and Chung’s idea of defensive social engineering is equally primarily based on human psychology. This method emphasizes that cybersecurity, whether or not technical or in any other case, must be a part of everybody’s job.
“It is essential that folks know what to do and make the fitting decisions,” Chun says. “As an alternative of simply spending on the most recent antivirus software program, it helps you leverage the assets and funds you’ve got now into one thing you should utilize for the long run.”
“College students with laptop science backgrounds are stunned by our deal with serving to our purchasers construct organizational capability,” says Susskind. “College students want to grasp the dynamics of management in buyer communities. IT administrators cannot simply do what they need. They depend on native governments for his or her budgets. Hiring new workers requires approval.”
Then again, college students with planning or social science backgrounds typically research sensible metropolis innovation with out studying a lot in regards to the know-how wanted to handle the related dangers, Susskind says. Moreover, there are elements of AI and superior techniques design that engineering college students can not be taught in different programs, together with different matters essential to cyber regulation and cybersecurity. The Cybersecurity Clinic goals to finish the data of scholars in all fields. The course additionally goals to develop college students’ data by inviting at the least six visitor audio system every semester from trade, different universities, MIT departments, trade, and/or related public establishments.
For instance, this spring’s lecturers included Dan Ricci, founding father of Industrial Knowledge Works, on modeling vitality system danger in budget-constrained environments; Gus Serino, President of I&C Safe Inc., talks about operational know-how cybersecurity for industrial management techniques. Moreover, representatives from MassCyberCenter and the Cybersecurity Infrastructure Safety Company will present an summary of their respective state and federal organizations’ applications and efforts.
“There are extremely specialised issues to be taught, particularly about how AI adjustments cybersecurity, and we’d like assist instructing it,” Susskind mentioned. “The pace of change within the cybersecurity subject implies that most teachers could have a really exhausting time maintaining.”
Roadmap for enchancment
Clinic college students spend the primary 4 weeks of the semester making ready for subject assignments. A collection of on-line modules, supplemented by class discussions, define the scope and nature of cyberattacks on vital city infrastructure. Evaluation the 23 danger areas most related to your kind of consumer. Present steering by every step of the analysis course of. This contains simulating difficult consumer interactions. What occurs if the consumer does not take the scholar severely or does not present the mandatory info? What in the event that they insist on receiving a extra constructive analysis than the details warrant?
“I’ve by no means taken a category that ready me for such a practical state of affairs,” says Diego Contreras, a rising senior majoring in laptop science and engineering who accomplished the course this spring.
The module culminates in an examination, which college students should move on their first try to take the sphere task. For the rest of the semester, college students obtain ongoing help by weekly class conferences and obtain college enter on the experiences they write, however they continue to be answerable for coordinating staff actions and constructing buyer belief.
“You characterize MIT, and that is an enormous duty,” Contreras says. “This course offered me with interpersonal abilities that I might not have been capable of develop in every other setting.”
“Probably the most delicate a part of this challenge was balancing the analysis outcomes,” says Zeb Moore, ’26, who took the category final fall as a senior learning mathematical economics and finance. “Our method was to supply vital suggestions whereas validating the proactive safety measures our purchasers had been already implementing. This made our report really feel like a collaborative roadmap for enchancment.”
Sure key suggestions are included in most experiences. For instance, we suggest that purchasers stock all of the {hardware} and software program linked to their community and observe who has entry to it. Patch your software program and again up your knowledge usually. Requires multi-factor authentication and frequent password updates. Practice workers to not open attachments from unknown events. Clear strains of authority and create an assault response plan that features your group’s stance on ransom funds. Solely use distributors with good cybersecurity hygiene.
“None of these things are costly,” Susskind mentioned. “Mixed, we are able to in all probability keep away from greater than 80 p.c of the potential price and danger of cyberattacks.”
Popularization of the mannequin
To this point, greater than 120 college students have accomplished all programs at MIT. The web modules that put together college students to earn certifications can be found to the general public at no cost as huge open on-line programs. MITx known as Cybersecurity of critical city infrastructurewhich has attracted tens of hundreds of learners. This module can be utilized by universities which have their very own cybersecurity clinics. consortium (61 member establishments, with extra to come back) MIT co-founded in 2021 with the College of California, Berkeley, Indiana College, and the College of Alabama.
Most pupil groups finish their work with a consumer after finalizing their suggestions. A few of them volunteer to remain after the semester ends to advise on implementation. In all circumstances, Mr. Susskind and Mr. Chun usually examine in with their purchasers for at the least two years after every engagement.
“We regularly hear that vulnerability evaluation experiences function a blueprint for short-, medium-, and long-term planning to assist organizations higher put together for future assaults,” says Chun. “We primarily work with IT administrators and chief know-how officers, and lots of of them have advised us post-contract that they shared the MIT report with metropolis and city leaders and had been capable of persuade them that they wanted further funding or particular objects. They used the scholar report as leverage to say, “It is not simply me saying this. We have now a trusted staff that has devoted their time, and these are the findings.”
“It is a actually humbling expertise,” Chun added. “A few of our previous purchasers contact us once more after some time and say, ‘We have now another person now and we simply purchased new gear. Can we attempt once more?'”

