In May 2019, the federal government of Baltimore, Maryland, fell into chaos. Cybercriminals had locked town out of lots of its critical files and demanded payment to decrypt them. The town refused to pay ransom. The attack incapacitated a swath of services, including real estate transactions and bill payment, and recovery costs soared into the tens of millions.
The syllabus of sophistication 11.074/11.274 (Cybersecurity Clinic), a course within the MIT Department of Urban Studies and Planning (DUSP), features a case study on Baltimore’s situation for instance of increasingly common ransomware attacks on municipal governments and other public agencies. To counter such threats, Lecturer Jungwoo Chun and Ford Professor of Urban and Environmental Planning Lawrence Susskind launched the MIT Cybersecurity Clinic in 2019. They’ve offered the course nearly every semester since.
Very like a legal or medical clinic, the course doubles as hands-on training for college kids and a pro-bono service to at-risk communities. After completing instructional modules and passing a certification exam, students are assigned in teams to a client. By the top of the semester, each team creates a report assessing the client’s vulnerabilities to cyberattack and recommending steps to enhance protection. Thus far, the clinic has provided greater than 40 assessments, confidential and freed from charge, primarily for Latest England municipalities and health-care organizations.
In 2025, the FBI’s Web Crime Grievance Center documented a median of two,765 cyberattacks targeting Americans on daily basis. When these attacks strike cities and towns, the fallout goes beyond funds, says Chun: “There’s a terrifying, cascading effect on every dimension of our lives.”
Lately, cyberattacks targeting the sorts of client communities served by MIT’s clinic have imperiled water supplies, impeded 911 and police services, and exposed residents’ personal data.
Despite being gateways to essential infrastructure, many small municipalities and hospitals lack in-house staff trained in cybersecurity. Demand for such experts far exceeds supply in today’s labor market, and public sector budgets rarely can match the high salaries private corporations offer qualified candidates.
In response to Comparitech, from 2018 to 2024, there have been 525 ransomware attacks on U.S. government entities, roughly one every five days, resulting in an estimated $1.09 billion in downtime costs.
“Underfunded public and not-for-profit bodies must follow a self-help pathway,” Susskind says. “There are lots of low-cost moves that these organizations can implement with slightly coaching from a free-service clinic.”
Defensive social engineering
Some is perhaps surprised to search out a university cybersecurity program housed outside the pc science department. Chun is an applied social scientist with expertise in public policy and planning, and Susskind is a number one scholar of conflict resolution and consensus constructing. They call the approach they’ve developed for the clinic “defensive social engineering” to emphasise that cybersecurity isn’t solely a technical challenge.
Chun acknowledges that the rapid development of artificial intelligence has created alarming recent tools for criminals — “now AI can’t only discover the vulnerability, but do the attack itself, which is actually scary” — and an ever-evolving menu of software claims to protect against these attacks. Accordingly, the course spends considerable time on the technical features of cybersecurity. “But at the top of the day,” Chun says, “the largest attack vector remains to be through humans.”
The term “social engineering” commonly refers to ways cybercrime victims are manipulated into compromising security (for instance, by sending money to a scammer, downloading malicious code, or disclosing sensitive information). Susskind and Chun’s concept of defensive social engineering is similarly grounded in human psychology. The approach emphasizes that cybersecurity have to be a part of everyone’s job, technical or otherwise.
“It’s about people knowing what to do, people making the fitting decisions,” says Chun. “It’s helping them use the resources and budget they’ve now on things that could be long-lasting, relatively than simply spending on the newest antivirus software.”
“Students with computer science backgrounds are surprised by the importance we attach to helping clients construct organizational capability,” says Susskind. “Students need to grasp the leadership dynamics of their client communities. The IT director can’t just do what he or she wants. They depend upon the local government for his or her budget. They need approval to rent recent staff.”
Alternatively, Susskind says, students from planning or social science backgrounds often study smart city innovations without learning much concerning the technologies needed to administer the associated risks. And there are features of AI and advanced system design — together with cyber law and other topics critical to cybersecurity — that engineering students may not learn of their other courses. The Cybersecurity Clinic goals to round out the knowledge of scholars from every discipline. The course goals to broaden those students’ knowledge, too, by inviting not less than half a dozen guest speakers each semester from industry, other universities and MIT academic departments, industry, and/or relevant public agencies.
This past spring, for instance, the lineup of lecturers included Dan Ricci, the founding father of Industrial Data Works, on the modeling of risk in energy systems inside budget-constrained environments; Gus Serino, president of I&C Secure Inc., on operational-technology cybersecurity for industrial control systems; and representatives from the MassCyberCenter and the Cybersecurity Infrastructure Security Agency providing overviews of their respective state- and federal-level organizations’ programs and initiatives.
“There are highly specialized things to learn, especially concerning the ways AI is changing cybersecurity, that we want help teaching,” Susskind says. “The speed at which the sector of cybersecurity is changing means that almost all academics can have a really hard time maintaining.”
A roadmap for improvement
Clinic students spend the primary 4 weeks of the semester preparing for field assignments. A series of online modules, supplemented by class discussion, outline the scope and nature of cyberattacks against critical urban infrastructure; review the 23 risk areas most relevant to their kind of clients; and supply guidance for every step of the assessment process. This includes simulations of tricky client interactions. What if clients don’t take students seriously, or fail to offer the needed information? What in the event that they argue to receive a more positive assessment than the facts warrant?
“I’ve never ever had a category that prepared us for such realistic scenarios before,” says Diego Contreras, a rising senior majoring in computer science and engineering who accomplished the course this spring.
The modules culminate in an exam students must pass on their first attempt to receive a field task. For the rest of the semester, they’ll receive continued support via weekly class meetings and get faculty input on their drafted reports, however the onus is on students to coordinate their team’s activities and construct client trust.
“You represent MIT, and that is sort of the responsibility,” Contreras says. “This course has given me people skills I wouldn’t have developed in another context.”
“Probably the most delicate aspect of the project was balancing our assessment findings,” says Zev Moore ’26, who took the category last fall as a senior studying mathematical economics and finance. “Our approach was to offer essential feedback while concurrently validating the positive security measures our client already had in place, which ensured our report felt like a collaborative roadmap for improvement.”
Certain key recommendations show up in nearly all of reports. For instance, clients are advised to inventory all hardware and software tied into their network and track who has access; patch software and back up data frequently; require multi-factor authentication and frequent password updates; train employees to not open attachments from unknown parties; prepare an attack response plan that clarifies lines of authority and includes the organization’s stance on paying ransoms; and only use vendors with good cybersecurity hygiene.
“None of these things is expensive,” Susskind says. “Together, they’ll probably avoid 80 percent or more of the possible cost and danger of cyberattacks.”
Spreading the model
So far, greater than 120 students have accomplished the complete course at MIT. The net modules that prepare students for certification are freely available to the general public as a large open online course on MITx called Cybersecurity for Critical Urban Infrastructure, which has attracted tens of 1000’s of learners. The modules are also utilized by universities with their very own cybersecurity clinics — a growing cohort, thanks partially to a consortium (with 61 member institutions and counting) co-founded by MIT in 2021 with the University of California at Berkeley, Indiana University, and the University of Alabama.
Most student teams wrap up client work after finalizing their recommendations; a couple of have volunteered to remain on after semester’s end to advise on implementation. In either case, Susskind and Chun check in periodically with clients for not less than two years following each engagement.
“We regularly hear of the vulnerability assessment report serving because the organization’s blueprint for his or her short-term, mid-term, and long-term agenda to be more prepared for future attacks,” says Chun. “We primarily work with IT directors or chief technology officers, and plenty of of them have been telling us post-engagement that they shared the MIT report with town or town leadership and were capable of persuade them they needed extra budget or a selected line item. They were using the coed report as leverage to say, ‘it’s not only me saying it. We now have a reputable team who dedicated their time and these are the findings.’
“It’s really a humbling experience,” Chun adds, “when a few of our past clients reach out to us again after a while to say: ‘Now now we have different people, we just purchased recent equipment. Can we do that all yet again?’”

