How MIT students help prevent cyber attacks | MIT News

In May 2019, the government of Baltimore, Maryland, was in chaos. Cybercriminals had locked the city out of many of its important files and demanded payment to remove them. The city refused to pay the ransom. The attack disrupted dozens of services, including real estate transactions and debt payments, and recovery costs ran into the millions.
The syllabus for class 11.074/11.274 (Cybersecurity Clinic), a course in the MIT Department of Urban Studies and Planning (DUSP), includes a case study about the Baltimore situation as an example of the increasingly common ransomware attacks on municipal governments and other public entities. To counter such threats, Lecturer Jungwoo Chun and Ford Professor of Urban and Environmental Planning Lawrence Susskind established the MIT Cybersecurity Clinic in 2019. They have offered courses in almost every semester since then.
Like a legal or medical clinic, the course doubles as practical training for students and pro-bono service in vulnerable communities. After completing the teaching modules and passing the certification exam, students are assigned to groups at the client. At the end of the semester, each team creates a report that assesses the client’s vulnerability to cyber attacks and recommends measures to improve protection. To date, the clinic has provided more than 40 tests, private and free, mainly to New England municipalities and health care organizations.
By 2025, the FBI’s Internet Crime Complaint Center documented an average of 2,765 cyberattacks targeting Americans every day. When these attacks hit cities and towns, the fallout goes beyond finances, says Chun: “It has a terrible, terrible impact on every aspect of our lives.”
In recent years, cyberattacks targeting the types of client communities served by the MIT Clinic have compromised water, disrupted 911 and police services, and exposed citizens’ personal information.
Despite being gateways to critical infrastructure, many small municipalities and hospitals do not have in-house staff trained in cyber security. The demand for such professionals far outstrips the supply in today’s labor market, and public sector budgets rarely match the high salaries private companies offer qualified individuals.
According to Comparitech, from 2018 to 2024, there were 525 ransomware attacks on US government agencies, roughly one every five days, resulting in an estimated $1.09 billion in downtime costs.
“Underfunded community organizations and nonprofits need to follow a self-help approach,” Susskind said. “There are many cost-effective measures these organizations can implement with a little training from a free clinic.”
Protective civil engineering
Some would be surprised to find a university’s cybersecurity program housed outside of a computer science department. Chun is an applied social scientist with expertise in public policy and planning, and Susskind is a leading expert in conflict resolution and consensus building. They call their clinical approach “defensive social engineering” to emphasize that cyber security is not just a technical challenge.
Chun admits that the rapid development of artificial intelligence has created alarming new tools for hackers – “now AI can not only identify vulnerabilities, but carry out attacks itself, which is really scary” – and an ever-evolving menu of software that claims to monitor these attacks. Therefore, the course spends a lot of time on the technical aspects of cybersecurity. “But at the end of the day,” Chun said, “the biggest attack vector is still people.”
The term “social engineering” generally refers to the methods by which victims of cybercrime are used to compromise security (for example, by sending money to a fraudster, by downloading malicious code, or by disclosing sensitive information). Susskind and Chun’s concept of protective social engineering is similarly based on human psychology. This approach emphasizes that cyber security should be part of everyone’s job, technical or otherwise.
“It’s about people knowing what to do, people making the right choices,” Chun said. “It helps them use the resources and budget they have now on things that will last longer, rather than spending money on the latest anti-virus program.”
“Students with computer science backgrounds are amazed at the importance we attach to helping clients build organizational capabilities,” Susskind said. “Students need to understand the dynamics of leadership in their client communities. The IT director can’t just do what he wants. They depend on local government for their budgets. They need approval to hire new staff.”
On the other hand, Susskind says, students from programming or social science backgrounds often learn new things about the smart city without learning much about the technology needed to manage the associated risks. And there are aspects of AI and advanced system design — as well as cyber law and other topics important to cybersecurity — that engineering students may not learn in their other courses. The Cybersecurity Clinic aims to consolidate students’ knowledge in all fields. The course aims to increase the knowledge of those students, too, by inviting at least half a dozen guest speakers each semester from industry, other universities and MIT academic departments, industry, and/or relevant public institutions.
This past spring, for example, the list of lecturers included Dan Ricci, founder of Industrial Data Works, on risk modeling in energy systems within budgeted environments; Gus Serino, president of I&C Secure Inc., in operational-technology cybersecurity for industrial control systems; and representatives from the MassCyberCenter and the Center for Cybersecurity Infrastructure provide briefs on their programs and programs for federal and state level organizations.
“There are special things that we need to learn, especially in the ways that AI is changing cybersecurity, that we need help teaching,” Susskind said. “The rate at which the cybersecurity field is changing means that many academics will have a very difficult time.”
Development roadmap
Clinical students spend the first four weeks of the semester preparing for fieldwork. A series of online modules, supplemented by classroom discussion, reveal the scope and nature of cyber-attacks against critical urban infrastructure; review 23 risk areas that are most relevant to their customer type; and provide guidance through each step of the evaluation process. This includes simulating deceptive client interactions. What if clients do not take students seriously, or fail to provide the necessary information? What if they argue to get a fair test rather than a fact check?
“I’ve never had a class that prepared us for situations like this before,” said Diego Contreras, a rising computer science and engineering major who graduated this spring.
Modules culminating in a student assessment must pass their first attempt at a field assignment. For the rest of the semester, they will receive ongoing support through weekly class meetings and receive instructor feedback on their written reports, but the onus is on the students to coordinate their group activities and build client trust.
“You represent MIT, and that’s a responsibility,” Contreras said. “This course has given me people skills that I could not have developed in any other context.”
“The most critical aspect of the project was quantifying our findings,” said Zev Moore ’26, who took the class last fall as a senior studying economics and finance. “Our approach was to provide valuable feedback while at the same time validating the security measures our customer already had, which ensured that our report felt like an interactive road map for improvement.”
Some important recommendations emerge from several reports. For example, clients are advised to consolidate all hardware and software connected to their network and track who has access; patch software and back up data regularly; require multi-factor authentication and frequent password updates; train employees not to open attachments from unknown groups; prepare an attack response plan that clarifies lines of authority and includes the organization’s position on paying ransoms; and only use vendors with a good cybersecurity record.
“None of these things are expensive,” said Susskind. “Together, they will likely avoid 80 percent or more of the costs and risks of cyber attacks.”
Distributing the model
To date, more than 120 students have completed full-time studies at MIT. Online modules that prepare students for certification are freely available to the public as a large open online course MITx called Cybersecurity for Critical Urban Infrastructure, which has attracted tens of thousands of students. The modules are also used by universities with their own cybersecurity clinics – a growing group, thanks in part to the consortium (with 61 member institutions and counting) jointly established by MIT in 2021 with the University of California at Berkeley, Indiana University, and the University of Alabama.
Most student groups finish client work after finalizing their recommendations; a few volunteered on an ongoing basis after the end of the semester for career counseling. In any case, Susskind and Chun check in periodically with clients for at least two years following each engagement.
“We often hear about a risk assessment report that serves as an organization’s blueprint for their short-, medium-, and long-term agenda to better prepare for future attacks,” Chun said. “We work a lot with IT directors or chief technology officers, and many of them were telling us that they shared the MIT report with city or town leadership and were able to convince them that they needed more budget or something. They were using the student report as a way to say, ‘It’s not just me saying it.
“It’s a really humbling experience,” adds Chun, “when some of our past customers contact us again after some time saying: ‘Now we have different people, we just bought new equipment.



