Cybersecurity for Critical Urban Infrastructure

When considering cyber defenses, security professionals and critical infrastructure operators immediately think about technical solutions such as intrusion detection systems or firewalls. However, hackers do not only use technical tools to break into critical infrastructure systems. Social engineering is a set of highly effective non-technical techniques that involve manipulating people and their data in order to penetrate a target system. Considering hackers use non-technical tools to break into systems, we propose that defenders should use non-technical tools to defend themselves. We are working with the state of Massachusetts to identify Minimum Cybersecurity Defenses and Procedures that cities and towns should adopt as well as obstacles to implementing these minimum defenses. 


Project Website and Blog

Cybersecurity Clinic 

Consortium of Cybersecurity Clinics


Google and Alphabet CEO Sundar Pichai announced a new $20 million commitment to expand cybersecurity clinics to give students more opportunities to learn, while keeping communities safe. The MIT Cybersecurity Clinic is one of 10 university clinics to receive an award up to $1 million. MIT is one of the founding members of the Consortium of Cybersecurity Clinics helping to build cybersecurity readiness in cities and towns in New England as well as hospitals. The Clinic also aims to help students build a career in cybersecurity. 

Municipal Cybersecurity: More Work Needs to be Done

As governments have digitized their operations, they have opened themselves to cyberattacks, resulting in harmful disruptions to government services. The scholarly world has been slow to pick up on this growing risk. Professional associations have conducted studies of their own, and produced recommendations, but few scholars have looked closely at cybersecurity practices at the municipal level. The interconnectedness of local infrastructure—across and among agencies and levels of government—makes it hard to figure out what is happening. In this paper, we urge scholars from multiple disciplines to examine the dangers created by the cross-linkages that characterize local cybersecurity. We examine the existing academic research, and demonstrate the significant growth in cybersecurity practice that has cropped up in spite of the relative sparsity of academic work. Theory and practice need to catch up with each other.

Cyber negotiation: a cyber risk management approach to defend urban critical infrastructure from cyberattacks

Technical tools dominate the cyber risk management market. Social cybersecurity tools are severely underutilised in helping organisations defend themselves against cyberattacks. We investigate a class of non-technical risk mitigation strategies and tools that might be particularly effective in managing and mitigating the effects of certain cyberattacks. We call these social-science-grounded methods Defensive Social Engineering (DSE) tools. Through interviews with urban critical infrastructure operators and cross-case analysis, we devise a pre, mid and post cyber negotiation framework that could help organisations manage their cyber risks and bolster organisational cyber resilience, especially in the case of ransomware attacks. The cyber negotiation framework is grounded in both negotiation theory and practice. We apply our ideas, ex post, to past ransomware attacks that have wreaked havoc on urban critical infrastructure. By evaluating how to use negotiation strategies effectively (even if no negotiations ever take place), we hope to show how non-technical DSE tools can give defenders some leverage as they engage with cyber adversaries who often have little to lose.

Continuous Measured Improvement: A New Approach to Meeting the Municipal Cybersecurity Challenge

This thesis examines the cybersecurity challenges facing municipal governments and proposes a new policy approach. Through a review of existing public-sector cybersecurity concerns and an interview-based case study of Massachusetts municipalities in partnership with the Massachusetts Cybersecurity Center, this thesis identifies the main problem as a lack of a proper incentive structure for municipalities to prioritize cybersecurity improvements. I propose a new approach to state / local government efforts to improve cybersecurity. I establish the goal of continuous, measured improvement in cybersecurity posture for municipalities, and propose a state-sponsored, eligibility-restricted insurance mechanism for municipalities to systematically lower their cyber risk to meet that goal. In exchange for commitments to implementing regularly-updated cybersecurity best practices, municipalities would receive high-quality, affordable insurance against catastrophic cyber-related losses, and a commitment from the state to aggregate loss and resource-use data to provide best-in-class cybersecurity infrastructure help. I lay out a roadmap for the implementation of such a Massachusetts Cyber Disaster Insurance Program (MCDIP) along with proposals for data-driven refinement of state cybersecurity resource offerings through the use of the new MIT SCRAM platform. This public-sector cybersecurity goal and implementation strategy has implications far beyond Massachusetts and the potential to change the course of cybersecurity policymaking.

Cybersecurity Clinics Create Online Defense for the Public Good

Seed funding from New America’s Public Interest Technology University Network helped launch the Consortium of Cybersecurity Clinics — and expand a new model for digital security assistance.

Online Course

Critical urban infrastructure including energy, transportation, waste management, emergency service and communication systems are being hacked remotely by cyber attackers. These hackers use ransomware to encrypt the data cities need to run; then, they demand that public agencies pay a ransom to get their own data back. The costs associated with cyber attacks are substantial, extending to tens of millions of dollars to recreate data that are lost, and undermine the reputation of city governments across America.

This course will prepare anyone who wants to work with agencies that are worried about their vulnerability to cyberattack. Topics include:

  • Who are the attackers and what are their methods?
  • What are the “defensive social engineering” moves cities can use to protect themselves?
  • What are the minimum security standards that all public agencies need to meet?
  • Who should have responsibility for overseeing cybersecurity in a public agency?
  • Should cities be willing to pay the ransoms demanded by hackers?
  • What should a city do after it has been attacked?
  • What are the most important lessons drawn by cities that have already been attacked?

Through a series of explanatory videos (prepared by industry experts), case studies of an actual attack, role play simulations and debriefings, and short assigned readings, you will learn what cities can and should do to reduce their vulnerabilities. The course also includes checklists of various kinds that cybersecurity vulnerability assessors need to ask and answer.

 Online Course Website