How university cybersecurity clinics can help cities fight ransomware
When the Royal ransomware group struck computer systems in Dallas earlier this month, the attack disrupted public safety systems, 311 services, municipal courts, and other city departments and services. The attack forced courts to close. Police struggled to access internal share drives. The city library system’s database and catalogue went down. And city officials estimate it will take months to recover.
Ransomware groups are increasingly targeting U.S. municipalities, and the difficulties Dallas officials face in getting back up and running illustrate just how vulnerable U.S. cities are to ransomware attacks. The fact that a relatively well-resourced city like Dallas is struggling to recover from a ransomware attack hints at the far greater difficulties smaller municipalities face when their IT systems come under attack.
In the aftermath of ransomware attacks, cities frequently turn to the federal government for assistance, but such aid is mostly reactive. It would be better if cities were positioned to prevent these breaches in the first place. But all too often municipalities lack the resources and human capital to defend themselves.
Today, university-led cybersecurity clinic programs are trying to fill this gap by building local cyber capacity. At institutions like the University of Texas at Austin, MIT, the University of Georgia and UC Berkeley, cyber clinics are working to protect local institutions from cyber threats by training and deploying students to government and community groups to provide free cyber risk assessments and give simple, step-by-step recommendations. In some clinics, students are designing and implementing custom cybersecurity solutions to bolster client defenses and guide future incident response.
Clinics such as these are well-positioned to help local institutions better protect themselves online. As Sarah Powazek of and Marc Rogers recently wrote for CyberScoop, universities are typically deeply embedded in their local communities and have the trusting relationships required to assist critical city departments with onsite cyber resources. The university clinic model has existed in medical and law schools for decades to train the next generation of leaders in these fields with hands-on, real-world experience. Extending the clinic model to cybersecurity gives students experience while offering municipalities access to valuable expertise. Town-gown clinic partnerships like these advance university goals, provide necessary public services back to their host cities and help to fill a nationwide cybersecurity workforce gap.
The Applied Cybersecurity Community Clinic at The University of Texas at Austin launched this year as one such partnership. The fruit of discussions with the Cybersecurity and Infrastructure Security Agency’s Cybersecurity Advisory Board, the city of Austin and UT Austin’s Robert Strauss Center for International Security and Law, the clinic provides pro bono cybersecurity services to community organizations and small businesses that cannot afford such services on their own, while giving students hands-on cybersecurity experience.
Given Austin’s burgeoning tech ecosystem and staggering urban growth, the city provides a perfect testbed for delivering cybersecurity services via a university clinic. Austin is home to a large number of disruptive tech start-ups, many of which are more focused on growth than cybersecurity and in need of the clinic’s services. And as the city grows, Austin’s nonprofits and city services are in need of robust digital services as they support underserved Austinites who have been adversely impacted by cost-of-living increases. Between these sectors, the UT Austin cybersecurity clinic’s inaugural student cohort will deploy to serve a mix of small business, nonprofit and public sector clients in the 2023-2024 school year.
Due to the transitory nature of college students and the legal risks involved in incident mitigation, university clinics are not especially situated to provide boots-on-the-ground incident response services. But by serving as force multipliers, university cybersecurity clinics help to accomplish cyber defense goals across local, state, and federal governments. Clinics alleviate requests for state and federal resources by emphasizing a hyper-local preventative approach to cybersecurity. By tracking students into the cybersecurity workforce, clinics may ease the shortage of cybersecurity expertise by providing a talent pipeline and internship-like experiences to bridge existing gaps.
The cybersecurity clinic network is growing, and clinics represent a sustainable, scalable and long-term presence in the areas they serve. As we seek to grow the cyber workforce, clinics serve as a valuable resource to leverage the expertise of university students and faculty to address the immediate needs of communities with their unique forms of cyber mutual aid. As the workforce catches up and more skilled professionals enter the field, clinics can evolve and adapt their services, offering advanced cybersecurity solutions, specialized consulting expertise and research collaboration. In the future, clinics working together could standardize research and reporting on cyber incidents that affect their clients to better inform the defense of U.S. computer systems. The sustained presence of cyber clinics will be essential in supporting the ever-changing cybersecurity landscape and ensuring small, local organizations have resources to combat emerging threats.
Incorporating university-led cybersecurity clinic programs into local cyber planning and prevention offers a proactive and free third-party solution to ransomware attacks on under-resourced U.S. cities. Municipalities in areas with active clinics should seek clinic assistance to foster local cyber resilience and reduce reliance on reactive state and federal intervention. Municipalities interested in more information about cyber clinics should consult the Consortium of Cybersecurity Clinics for resources and contact information.
Francesca Lockhart leads the Applied Cybersecurity Community Clinic at The University of Texas at Austin.