AT THE BEGINNING OF THE YEAR, President Obama called for a 60-day review of national policies and structures related to cybersecurity. The denial-of-service attacks launched against some government and commercial websites here and in South Korea over the July 4 weekend probably proved the necessity of such a step to any remaining doubters.
The resulting report called for enhancing public-private initiatives to improve security, encouraging research and innovation, and improving training and education for the next generation of technology experts, among other things. These measures may well trickle down to higher education in some form.
Some campus IT directors tend to change the subject when network security is discussed. They don’t want to show their hand on the measures they have in place. But many security experts are willing to talk about the broad threats higher ed is facing.
“We aren’t used to thinking of ourselves as critical infrastructure,” says Fred Cate, a law professor at Indiana University. As director of IU’s Center for Applied Cybersecurity Research, Cate was invited to comment on Obama’s 60-day review. On the national level, he says the matter obviously demands more urgency. But at the higher ed level, he says it really is a matter of national security.
“We’re like mini-cities. We provide parking, payroll, etc. It’s hard to imagine any type of information we don’t have,” Cate points out. And while campus leaders might have a handle on personally identifiable data, such as driver’s licenses and Social Security numbers, there needs to be more of a focus on data that is not personally identifiable, like data associated with scientific research. “We know where our nuclear material is, but where is the data about it?” he asks.
Higher education has a lower number of chief privacy officers than any other sector, Cate adds. “We are so accustomed to sharing information that [locking down data] is a bit counterculture.”
However, that willingness to share information, and the openness of networks on campus, positions higher ed to embrace change and collaborate to develop solutions, says Joshua Corman, principal security strategist with IBM Internet Security Systems. Unfortunately, security isn’t the only thing placing demands on technology office budgets at colleges and universities. Yet at least the economic situation hasn’t wrecked havoc on IT budgets. While general budgets across campuses are suffering, IT budgets will remain flat, predicts Nicole Engelbert, the lead analyst of education and vertical markets technology for Datamonitor, an online data, analytic, and forecasting service. “IT is too mission critical at this point and is generally seen as a key tool for doing more with less.”
She also predicts that breaches in higher ed aren’t going away anytime soon. “The fundamental problems are more human than technical,” she says.
Student demand for “anytime, anywhere” access to information is forcing people to change the way they think about network security, Corman notes. “The old guard is about protecting the network by closing it off, while the new generation wants change. Security has to shift from the reason you can’t to the reason you can.”
At the same time, the nature of threats to networks is also changing, partly because institutions are better about addressing some aspects of security—such as not allowing unsecured personal computers on campus—and partly because the motivation behind the threats is different.
Combating hackers who are just having “fun” can make a campus IT director’s life difficult. “Some people creating viruses are doing it as a hobby,” says Bryan Mehaffey, vice president of technology at Ave Maria University (Fla.). “I have a budget, but they can go as long as they are interested.” Layers of protection are necessary to stop attacks, which might each require a separate solution. “You can’t just put a firewall up and think you are protected,” Mehaffey says.
However, not all viruses are created just for fun. For the first 20 years of cyberattacks, people wrote viruses to gain prestige and notoriety, but for the last five years politics and profit have been the motivation, Corman explains.
Hackers have always taken advantage of the open access and ample storage available on university networks to cover their tracks. Since cybercrime has become a major money-making opportunity, it is more important than ever for institutions to secure their networks, Corman says. “The stakes have gone up, the activity isn’t as benign. That creates an obligation and an opportunity to clean up your network.”
In addition to securing the network, the effort to educate users on safe computing practices must continue. “I believe what we are fundamentally lacking is a ‘stop, drop, and roll’ type of cyber-education,” Corman says, referring to the famous fire safety instructions. He suggests including safe computing practices in 101-level classes and teaching programmers how to write code properly, not quickly, as good places to start.
The sentiment is echoed by Steven Song, a security business manager with Cisco. Adversaries are always launching more sophisticated attacks, while user education might not be keeping pace. “People know not to open attachments from unknown sources, but links aren’t viewed with as much skepticism,” Song says.
Some institutions are already working on the initiatives the president called for. CyberWATCH is a consortium of higher education institutions, businesses, and government agencies in Maryland, Virginia, and Washington, D.C., with the mission of improving the quality of the IT security workforce through the sharing of curriculum and professional development opportunities. A partnership between the public and private sectors has long been necessary because of the commercial solutions being used to protect networks, explains Brian Darmody, associate vice president of Research and Economic Development at the University of Maryland.
As a member of CyberWATCH, the University of Maryland created a digital forensics lab that other consortium members can access remotely for real-time demonstrations, notes Gerry Sneeringer, UMD’s director of IT security for the office of information technology.
“Our institution focuses on the research end of the equation,” Sneeringer says, with the goal of training a new generation to work in the national homeland security industry. He hopes the president’s focus on the topic will open up funding opportunities to support similar programs.
“The number of students majoring in computer science decreased when the dot-com bubble burst,” Darmody says. “It’s on the upswing again, but it could be six years before they graduate.” Working with the Department of Defense isn’t easy, because the positions are usually limited to American citizens who can pass an extensive background check. “There is a pretty narrow band of students who will graduate with those qualifications,” Darmody explains. Still, he predicts information security will continue to be a growth area and offer stable employment.
Education, of course, is only the first step. Strong policies, and enforcement of existing policies, are also important, says Dave Durbin, a partner at Laurus Technologies, a technology consultancy with clients in higher ed. He says that while external threats from malware and spyware are still a concern, internal threats—ranging from people stealing laptops and digital media to the lax business practice of sending unencrypted sensitive information through e-mail—are gaining more attention.
“The schools have policies in place, but they aren’t enough to keep the data from walking out the door,” he says. Take the threat of stolen laptops, for instance. An estimated 2.5 million laptops were stolen in 2008, according to MyLaptopGPS.
When data is compromised, institutions have to go through the expense of sending out notifications and possibly buying fraud protection for the victims. According to DataLoss, a website that documents data breaches worldwide, in June a computer was stolen from Cornell, exposing 45,277 names and Social Security numbers of current and former students, faculty, and staff; and documents were stolen from the University of Central Missouri containing names, dates of birth, and Social Security numbers for 7,000 students. According to the institutions’ websites, Cornell engaged Kroll Inc. to provide credit monitoring services, while UCM used Experian.
Training is the first step in preventing human error, but data loss prevention technology can also help. The technology monitors network traffic for sensitive information and notifies the user of the breach. As Durbin points out, the expense of dealing with a breach could justify the cost of the technology, not to mention the “soft cost of the bad news” resulting from the negative press.
One result of the president’s review might be stronger enforcement of existing national policies, such as HIPPA and FERPA, says Jeremy Miller, a systems engineer with Laurus. Medical schools especially are affected by the major regulations protecting personal information. “The funding for electronic health records includes protecting that data, and schools are responding.”
Unfortunately, more government regulation might lead to more paperwork, rather than solutions. “My gut tells me if you look at the way the government does things, it will be an audit process and requirements for us to receive grants,” Mehaffey predicts. “And those requirements will be generic and hard to meet because they aren’t specific to higher ed.”
Regulations are a double-edged sword, says Corman. “There are regulations that have a high cost. They aren’t bad in theory, but they often require investments in less modern forms of security,” he says. “We have wooden shields when there are rockets focused on us.”
Some people approach compliance as a necessary evil that drains the budget but still leaves the network insecure. Instead, people should view compliance as the floor, not the ceiling. “Is compliance the cyber-equivalent of [K-12’s] No Child Left Behind Act?” Corman asks, then goes on to suggest higher ed leaders can take the opportunity created by the national review to continue the conversation and reexamine some of the regulations.
As with so many things on campus, the need exists to start being more proactive and less reactive when it comes to cybersecurity.
“I think the key part of the president’s speech for me is the stakes are going up,” says Indiana University’s Cate. “And the risk is higher that critical information will be compromised.”