Enhancing Public Institutions’ Cyberdefenses

In May 2019, Baltimore was struck with a ransomware attack that locked officials’ data and crippled key city operations, accumulating an estimated $18 million in lost revenue, damages, and recovery costs. Ransomware attacks, often built from easy-to-purchase malicious software, are designed to deny access to data or digital systems until an individual or organization pays a ransom fee. Ransomware typically infiltrates computer networks through phishing emails or infected websites, suggesting that social engineering, in addition to technical solutions, could be effective in helping to reduce risk. In recent months, major cities like Atlanta, Baltimore, and Dallas, as well as smaller towns in the United States, have been attacked by hackers using ransomware to take control of critical urban infrastructure.

On August 26th, 2019, the MIT Science Impact Collaborative in the Department of Urban Studies and Planning received a pledge of $100,000 from an international cybersecurity consortium to support the creation of an MIT Cybersecurity Clinic in 2020. The new Clinic will train and certify MIT students to help urban infrastructure managers diagnose their vulnerabilities to cyberattack. Beginning in February 2020, student teams, led by doctoral students and post-docs, will work with selected cities, water districts, and utilities to build municipal capabilities to assess and respond to the risks of cyberattack. The Clinic will be managed jointly by Larry Susskind, Ford Professor of Urban and Environmental Planning, and Danny Weitzner, Director of MIT’s Internet Policy Research Initiative, an institute-wide initiative housed in CSAIL.

Q1 This clinic is managed jointly by faculty in urban planning as well as computer science and artificial intelligence. How are urban planners and computer scientists collaborating to reduce the harm of cyberattacks?

Susskind: Many cyberattacks on critical urban infrastructure could easily be avoided if public agency staff paid attention to very simple (inexpensive) things like immediately applying software patches and updates to their operating systems and making sure all new employees are trained not to open email attachments from unknown sources. These all relate to what we call social engineering. These don’t require elaborate encryption. Urban planners focus on the way in which urban service systems are managed, so they are in a unique position to help design better ways of reducing vulnerabilities to cyberattack and preparing to respond to attacks when they do occur. Computer scientists bring a deeper understanding of the systems involved and the technical skills needed to respond to cyberattacks. So, after planners identify vulnerabilities to cyberattacks and work through possible social engineering strategies that might reduce risks and impacts, computer scientists take over and design appropriate back-up systems, shut-down procedures, and training programs that put cyber risk management front and center.

In the new MIT Cyber Clinic, students from multiple departments, once trained to identify vulnerabilities to cyberattacks, will work in teams to assist public agencies around the country in taking steps to reduce their risks of attack.

Q2 Ransomware attacks have also targeted private companies. Can the experiences of companies such as Sony be an example for how to develop public responses to cyberattacks?

Susskind: When companies experience cyberattacks, there is usually a plan in place indicating who will have the authority to shut down operations, engage external entities like the FBI in following up, identify the ways in which the hackers entered the system, and insist on changes in company operating procedures to avoid future attacks. All of these tasks require skilled and knowledgeable senior managers. Cities don’t have the resources to compete for this kind of skilled personnel. In addition, in the city, lines of managerial authority are very unclear because urban infrastructure systems are invariably linked to systems in other agencies, municipalities, or higher levels of government. In these circumstances, there is a strong hesitancy to report cyberattacks (because no one wants to take the political heat for what will look like a failure on their part). The private sector is learning from their experience with cyberattacks. Private cybersecurity companies are developing new tactics and strategies to deal with the risks of cyberattack. Public agencies are not benefitting from all this new knowledge. They don’t have the money to engage private experts. State and federal agencies have not passed legislation that requires reporting of all cyberattacks on critical urban infrastructure. Private insurance companies that might provide some financial relief to cities that have to pay ransom to regain control of their computer systems have not set minimum cybersecurity standards that public agencies must meet to be able to buy insurance. There is a lot of work to do!

We are hoping that MIT’s Cybersecurity Clinic can use what it learns from its efforts to help many city agencies (at little or no cost) to help formulate clear “standards of care” for cybersecurity that cities all over the world could adopt.

Q3 What types of skills will participants in the MIT Cybersecurity Clinic develop?

Susskind: The new MIT Cybersecurity Clinic is in the process of developing a 10-hour online self-paced video learning program that will allow students to gain accreditation as cybersecurity risk assessors. This online learning program is being developed this Fall in conjunction with EdX. Only students who are accredited will be able to work as part of Clinic teams (for pay or credit) that are assisting different city agencies around the country. There will also be a fall workshop for students and faculty who want to assist in developing the online learning curriculum. In November, with support of the School of Architecture and Planning’s Bemis Fund, workshop participants will participate in a day-long session at MIT for representatives of organizations like the International City Managers Program, the US Conference of Mayors, the National Conference of State Legislators, and others to be sure we have their input into the design of Clinic operations that meet city interests. We hope that MIT students in any department will be able to complete the online accreditation in January and February so the Clinic can begin operations in March 2020. Ultimately, the online accreditation course will be available to students at other universities as well through EdX.