Key Takeaways
- The 2019 Baltimore ransomware attack crippled municipal services and highlighted the growing threat to local governments.
- MIT’s Cybersecurity Clinic, launched in 2019 by Jungwoo Chun and Lawrence Susskind, provides free vulnerability assessments to underserved public agencies while training students in real‑world cybersecurity practice.
- The clinic blends technical instruction with a “defensive social engineering” approach that stresses human behavior, organizational capacity, and low‑cost, high‑impact safeguards.
- Student teams produce actionable reports that clients often use as blueprints for budget requests and long‑term security planning.
- To spread its model, MIT offers a free MITx MOOC, has created a growing consortium of over 60 institutions, and continuously updates course content with guest experts from industry and government.
The Baltimore Ransomware Incident and Its Lessons
In May 2019, Baltimore, Maryland, suffered a devastating ransomware attack that locked the city out of critical files and demanded payment for decryption. The city refused to pay, leaving services such as real‑estate transactions, bill payment, and public records inaccessible for weeks. Recovery costs climbed into the millions, illustrating how a single cyber incident can cascade across finance, administration, and public safety. This case became a cornerstone example in MIT’s Cybersecurity Clinic curriculum, underscoring the urgent need for municipalities to strengthen defenses before attackers strike.
Founding and Mission of the MIT Cybersecurity Clinic
Responding to the rising tide of ransomware against public agencies, Lecturer Jungwoo Chun and Ford Professor Lawrence Susskind launched the MIT Cybersecurity Clinic in 2019. Modeled after legal or medical clinics, the program pairs rigorous academic instruction with pro‑bono service: students conduct vulnerability assessments for at‑risk municipalities and health‑care organizations at no cost. Since its inception, the clinic has operated nearly every semester, delivering more than 40 confidential assessments primarily to New England communities.
Course Structure and Student Training
The semester‑long course begins with four weeks of online modules that cover the anatomy of cyberattacks, 23 high‑risk areas relevant to typical clients, and step‑by‑step guidance for conducting assessments. Students must pass a certification exam on their first attempt to earn a field assignment. Thereafter, they work in teams, coordinating with clients, gathering data, drafting reports, and receiving weekly faculty feedback. The curriculum balances technical knowledge with practical skills such as client communication, project management, and ethical handling of sensitive information.
Scope of Clinic’s Work
To date, the clinic has produced over 40 assessments for a diverse set of clients, ranging from small town governments to regional health‑care providers. While the majority of engagements are located in New England, the model is designed for scalability. Each assessment identifies weaknesses, prioritizes remediation steps, and delivers a confidential report that clients can use internally or share with leadership to justify security investments.
Rising Cyber Threat Landscape
The FBI’s Internet Crime Complaint Center recorded an average of 2,765 cyberattacks per day targeting Americans in 2025. When such attacks hit local governments, they can disrupt water treatment, 911 dispatch, police communications, and expose personal data. Many small municipalities and hospitals lack dedicated cybersecurity staff, and public‑sector budgets cannot compete with private‑sector salaries for skilled professionals. This mismatch leaves critical infrastructure vulnerable, reinforcing the clinic’s focus on affordable, organization‑wide defenses rather than reliance on expensive technology alone.
Defensive Social Engineering Approach
Chun and Susskind coined the term “defensive social engineering” to capture their belief that cybersecurity is fundamentally a human challenge. While the course covers technical topics—patch management, multi‑factor authentication, AI‑driven threat detection—it emphasizes that the most common attack vector remains human error. By teaching clients to cultivate security‑aware cultures, to validate positive practices, and to embed cyber responsibilities across all roles, the clinic aims to reduce reliance on any single tool and create resilient, adaptive defenses.
Interdisciplinary Learning and Guest Speakers
The clinic deliberately welcomes students from computer science, urban planning, social sciences, economics, and other fields. This diversity mirrors the reality that cyber risk management requires both technical expertise and insight into organizational dynamics, budgeting, and stakeholder engagement. Each semester, the curriculum features at least six guest speakers—industry leaders, representatives from agencies such as the MassCyberCenter and CISA, and academics—who discuss emerging topics like AI‑enabled attacks, operational‑technology security, and cyber law. These sessions ensure that course content stays current despite the field’s rapid evolution.
Pre‑Field Preparation and Practical Simulations
Before engaging with clients, students complete a rigorous preparatory phase. Online modules walk them through threat landscapes, risk‑area checklists, and assessment methodologies, supplemented by class discussions that explore real‑world dilemmas—such as clients who doubt student credibility or who request overly optimistic reports. Simulated interactions teach teams how to navigate pushback, clarify scope, and maintain professional rapport. Passing the initial certification exam is a gatekeeping step that ensures all teams possess a common baseline before fieldwork begins.
Core Recommendations from Clinic Reports
Across dozens of assessments, several low‑cost, high‑impact recommendations recur. Clients are advised to: (1) inventory all hardware and software on their network and document access rights; (2) apply patches promptly and maintain regular, offline data backups; (3) enforce multi‑factor authentication and frequent password updates; (4) conduct ongoing employee training to avoid phishing attachments and suspicious links; (5) develop a clear incident‑response plan that defines authority lines, communication protocols, and a stance on ransom payments; and (6) vet third‑party vendors for strong cybersecurity hygiene. Susskind notes that implementing these measures together can avert 80 % or more of potential attack costs and damage.
Impact and Sustainability of Clinic Reports
Clients frequently treat the clinic’s vulnerability assessment as a strategic blueprint. IT directors and chief technology officers share the reports with city councils or hospital boards to secure additional budget lines or staff positions. The external validation provided by an MIT‑affiliated team often convinces leadership that investments are warranted. Moreover, some former clients return after equipment upgrades or personnel changes, requesting a repeat assessment to ensure their evolving environment remains secure—a testament to the lasting value of the clinic’s work.
Scaling the Model: Open Resources and Consortium
To amplify its reach, MIT released the preparatory modules as a free massive open online course (MITx) titled Cybersecurity for Critical Urban Infrastructure, which has attracted tens of thousands of learners worldwide. In 2021, MIT co‑founded a consortium with the University of California Berkeley, Indiana University, and the University of Alabama; the group now includes over 60 member institutions that share materials, best practices, and jointly host clinics. This network facilitates the rapid diffusion of the clinic’s methodology, allowing more communities to benefit from student‑driven, pro‑bono cybersecurity assistance.
Conclusion: The Clinic’s Role in Strengthening Public Cyber Resilience
The MIT Cybersecurity Clinic exemplifies how academic institutions can bridge theory and practice to address pressing societal challenges. By turning a high‑profile ransomware incident into a teaching opportunity, the clinic equips students with interdisciplinary skills while delivering tangible, no‑cost security improvements to vulnerable public agencies. Its defensive social engineering framework—balancing technical controls with human‑centric organizational practices—offers a replicable roadmap for municipalities seeking to bolster cyber resilience without breaking the bank. As cyber threats continue to evolve, initiatives like this will be essential in safeguarding the essential services that underpin daily life.

