{"id":242875,"date":"2026-07-13T15:10:00","date_gmt":"2026-07-13T19:10:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/13\/how-mit-students-are-helping-to-prevent-cyberattacks-mit-news\/"},"modified":"2026-07-13T17:10:17","modified_gmt":"2026-07-13T21:10:17","slug":"how-mit-students-are-helping-to-prevent-cyberattacks-mit-news","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/13\/how-mit-students-are-helping-to-prevent-cyberattacks-mit-news\/","title":{"rendered":"How MIT students are helping to prevent cyberattacks | MIT News"},"content":{"rendered":"<p><a href=\"https:\/\/news.mit.edu\/2026\/mit-cybersecurity-clinic-preventing-cyberattacks-0713\">How MIT students are helping to prevent cyberattacks | MIT News<\/a><\/p>\n<p><a href=\"https:\/\/news.mit.edu\/2026\/mit-cybersecurity-clinic-preventing-cyberattacks-0713\">https:\/\/news.mit.edu\/2026\/mit-cybersecurity-clinic-preventing-cyberattacks-0713<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-13 15:10:00<\/a><\/p>\n<p>Source Domain: <a href=\"news.mit.edu\">news.mit.edu<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n<p>            In May 2019, the government of Baltimore, Maryland, fell into chaos. Cybercriminals had locked the city out of many of its critical files and demanded payment to decrypt them. The city refused to pay ransom. The attack incapacitated a swath of services, including real estate transactions and bill payment, and recovery costs soared into the millions.The syllabus of class 11.074\/11.274 (Cybersecurity Clinic), a course in the MIT Department of Urban Studies and Planning (DUSP), includes a case study on Baltimore\u2019s situation as an example of increasingly common ransomware attacks on municipal governments and other public agencies. To counter such threats, Lecturer Jungwoo Chun and Ford Professor of Urban and Environmental Planning Lawrence Susskind launched the\u00a0MIT Cybersecurity Clinic in 2019. They have offered the course nearly every semester since.Much like a legal or medical clinic, the course doubles as hands-on training for students and a pro-bono service to at-risk communities. After completing instructional modules and passing a certification exam, students are assigned in teams to a client. By the end of the semester, each team creates a report assessing the client\u2019s vulnerabilities to cyberattack and recommending steps to improve protection. So far, the clinic has provided more than 40 assessments, confidential and free of charge, primarily for New England municipalities and health-care organizations.In 2025, the FBI\u2019s Internet Crime Complaint Center documented an average of 2,765 cyberattacks targeting Americans every day. When these attacks strike cities and towns, the fallout goes beyond finances, says Chun: \u201cThere\u2019s a terrifying, cascading effect on every dimension of our lives.\u201d\u00a0In recent years, cyberattacks targeting the kinds of client communities served by MIT\u2019s clinic have imperiled water supplies, impeded 911 and police services, and exposed citizens\u2019 personal data.Despite being gateways to essential infrastructure, many small municipalities and hospitals lack in-house staff trained in cybersecurity. Demand for such experts far exceeds supply in today\u2019s labor market, and public sector budgets rarely can match the high salaries private companies offer qualified candidates.According to Comparitech, from 2018 to 2024, there have been 525 ransomware attacks on U.S. government entities, approximately one every five days, leading to an estimated $1.09 billion in downtime costs.\u00a0\u00a0\u201cUnderfunded public and not-for-profit bodies need to follow a self-help pathway,\u201d Susskind says. \u201cThere are many low-cost moves that these organizations can implement with a little coaching from a free-service clinic.\u201dDefensive social engineeringSome might be surprised to find a university cybersecurity program housed outside the computer science department. Chun is an applied social scientist with expertise in public policy and planning, and Susskind is a leading scholar of conflict resolution and consensus building. They call the approach they\u2019ve developed for the clinic \u201cdefensive social engineering\u201d to emphasize that cybersecurity isn\u2019t solely a technical challenge.Chun acknowledges that the rapid development of artificial intelligence has created alarming new tools for criminals \u2014 \u201cnow AI can not only identify the vulnerability, but do the attack itself, which is really scary\u201d \u2014 and an ever-evolving menu of software claims to guard against these attacks. Accordingly, the course spends considerable time on the technical aspects of cybersecurity. \u201cBut at the end of the day,\u201d Chun says, \u201cthe biggest attack vector is still through humans.\u201dThe term \u201csocial engineering\u201d commonly refers to ways cybercrime victims are manipulated into compromising security (for example, by sending money to a scammer, downloading malicious code, or disclosing sensitive information). Susskind and Chun\u2019s concept of defensive social engineering is similarly grounded in human psychology. The approach emphasizes that cybersecurity must be part of everyone\u2019s job, technical or otherwise.\u201cIt\u2019s about people knowing what to do, people making the right choices,\u201d says Chun. \u201cIt\u2019s helping them use the resources and budget they have now on things that can be long-lasting, rather than just spending on the latest antivirus software.\u201d\u201cStudents with computer science backgrounds are surprised by the importance we attach to helping clients build organizational capacity,\u201d says Susskind. \u201cStudents need to understand the leadership dynamics in their client communities. The IT director can\u2019t just do what she or he wants. They depend on the local government for their budget. They need approval to hire new staff.\u201dOn the other hand, Susskind says, students from planning or social science backgrounds often study smart city innovations without learning much about the technologies needed to manage the associated risks. And there are aspects of AI and advanced system design \u2014\u00a0along with cyber law and other topics critical to cybersecurity \u2014\u00a0that engineering students may not learn in their other courses. The Cybersecurity Clinic aims to round out the knowledge of students from every discipline. The course aims to broaden those students\u2019 knowledge, too, by inviting at least half a dozen guest speakers each semester from industry, other universities and MIT academic departments, industry, and\/or relevant public agencies.This past spring, for example, the lineup of lecturers included Dan Ricci, the founder of Industrial Data Works, on the modeling of risk in energy systems within budget-constrained environments; Gus Serino, president of I&#038;C Secure Inc., on operational-technology cybersecurity for industrial control systems; and representatives from the MassCyberCenter and the Cybersecurity Infrastructure Security Agency providing overviews of their respective state- and federal-level organizations\u2019 programs and initiatives.\u201cThere are highly specialized things to learn, especially about the ways AI is changing cybersecurity, that we need help teaching,\u201d Susskind says. \u201cThe rate at which the field of cybersecurity is changing means that most academics will have a very hard time keeping up.\u201dA roadmap for improvementClinic students spend the first four weeks of the semester preparing for field assignments. A series of online modules, supplemented by class discussion, outline the scope and nature of cyberattacks against critical urban infrastructure; review the 23 risk areas most relevant to their type of clients; and provide guidance for each step of the assessment process. This includes simulations of tricky client interactions. What if clients don\u2019t take students seriously, or fail to provide the necessary information? What if they argue to receive a more positive assessment than the facts warrant?\u201cI\u2019ve never ever had a class that prepared us for such realistic scenarios before,\u201d says Diego Contreras, a rising senior majoring in computer science and engineering who completed the course this spring.The modules culminate in an exam students must pass on their first try to receive a field assignment. For the remainder of the semester, they\u2019ll receive continued support via weekly class meetings and get faculty input on their drafted reports, but the onus is on students to coordinate their team\u2019s activities and build client trust.\u201cYou represent MIT, and that is quite the responsibility,\u201d Contreras says. \u201cThis course has given me people skills I wouldn\u2019t have developed in any other context.\u201d\u201cThe most delicate aspect of the project was balancing our assessment findings,\u201d says Zev Moore \u201926, who took the class last fall as a senior studying mathematical economics and finance. \u201cOur approach was to provide important feedback while simultaneously validating the positive security measures our client already had in place, which ensured our report felt like a collaborative roadmap for improvement.\u201dCertain key recommendations show up in the majority of reports. For example, clients are advised to inventory all hardware and software tied into their network and track who has access; patch software and back up data regularly; require multi-factor authentication and frequent password updates; train employees not to open attachments from unknown parties; prepare an attack response plan that clarifies lines of authority and includes the organization\u2019s stance on paying ransoms; and only use vendors with good cybersecurity hygiene.\u201cNone of these items is costly,\u201d Susskind says. \u201cTogether, they will probably avoid 80 percent or more of the possible cost and danger of cyberattacks.\u201dSpreading the modelTo date, more than 120 students have completed the full course at MIT. The online modules that prepare students for certification are freely available to the public as a massive open online course on MITx called\u00a0Cybersecurity for Critical Urban Infrastructure, which has attracted tens of thousands of learners. The modules are also used by universities with their own cybersecurity clinics \u2014\u00a0a growing cohort, thanks in part to a\u00a0consortium (with 61 member institutions and counting) co-founded by MIT in 2021 with the University of California at Berkeley, Indiana University, and the University of Alabama.Most student teams wrap up client work after finalizing their recommendations; a few have volunteered to stay on after semester\u2019s end to advise on implementation. In either case, Susskind and Chun check in periodically with clients for at least two years following each engagement.\u201cWe often hear of the vulnerability assessment report serving as the organization&#8217;s blueprint for their short-term, mid-term, and long-term agenda to be more prepared for future attacks,\u201d says Chun. \u201cWe primarily work with IT directors or chief technology officers, and many of them have been telling us post-engagement that they shared the MIT report with the city or town leadership and were able to convince them they needed extra budget or a specific line item. They were using the student report as leverage to say, \u2018it\u2019s not just me saying it. We have a credible team who dedicated their time and these are the findings.\u2019\u201cIt&#8217;s really a humbling experience,\u201d Chun adds, \u201cwhen some of our past clients reach out to us again after some time to say: \u2018Now we have different people, we just purchased new equipment. Can we do this all over again?\u2019\u201d        <\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>How MIT students are helping to prevent cyberattacks | MIT News https:\/\/news.mit.edu\/2026\/mit-cybersecurity-clinic-preventing-cyberattacks-0713 Publish Date: 2026-07-13&#8230;<\/p>\n","protected":false},"author":1,"featured_media":242876,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/news.mit.edu\/sites\/default\/files\/images\/202607\/mit-dusp-Cybersecurity-Clinic.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,20,24,27],"class_list":["post-242875","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-artificial-intelligence","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242875"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=242875"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242875\/revisions"}],"predecessor-version":[{"id":242877,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/242875\/revisions\/242877"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/242876"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=242875"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=242875"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=242875"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}