This workspace may look unassuming, but it’s part of a lab used for high-stakes work. University of Maryland’s Robert Maxwell and team, along with CyberWATCH partner institutions, use it to simulate cyber investigations.
AT THE BEGINNING OF THE YEAR, President Obama called for a 60-day review of national policies and structures related to cybersecurity. The denial-of-service attacks launched against some government and commercial websites here and in South Korea over the July 4 weekend probably proved the necessity of such a step to any remaining doubters.
The resulting report called for enhancing public-private initiatives to improve security, encouraging research and innovation, and improving training and education for the next generation of technology experts, among other things. These measures may well trickle down to higher education in some form.
Some campus IT directors tend to change the subject when network security is discussed. They don’t want to show their hand on the measures they have in place. But many security experts are willing to talk about the broad threats higher ed is facing.
“We aren’t used to thinking of ourselves as critical infrastructure,” says Fred Cate, a law professor at Indiana University. As director of IU’s Center for Applied Cybersecurity Research, Cate was invited to comment on Obama’s 60-day review. On the national level, he says the matter obviously demands more urgency. But at the higher ed level, he says it really is a matter of national security.
“We’re like mini-cities. We provide parking, payroll, etc. It’s hard to imagine any type of information we don’t have,” Cate points out. And while campus leaders might have a handle on personally identifiable data, such as driver’s licenses and Social Security numbers, there needs to be more of a focus on data that is not personally identifiable, like data associated with scientific research. “We know where our nuclear material is, but where is the data about it?” he asks.
Higher education has a lower number of chief privacy officers than any other sector, Cate adds. “We are so accustomed to sharing information that [locking down data] is a bit counterculture.”
However, that willingness to share information, and the openness of networks on campus, positions higher ed to embrace change and collaborate to develop solutions, says Joshua Corman, principal security strategist with IBM Internet Security Systems. Unfortunately, security isn’t the only thing placing demands on technology office budgets at colleges and universities. Yet at least the economic situation hasn’t wrecked havoc on IT budgets. While general budgets across campuses are suffering, IT budgets will remain flat, predicts Nicole Engelbert, the lead analyst of education and vertical markets technology for Datamonitor, an online data, analytic, and forecasting service. “IT is too mission critical at this point and is generally seen as a key tool for doing more with less.”
She also predicts that breaches in higher ed aren’t going away anytime soon. “The fundamental problems are more human than technical,” she says.
'You can't just put a firewall up and think you are protected.' -Bryan Mehaffey, Ave Maria University
Student demand for “anytime, anywhere” access to information is forcing people to change the way they think about network security, Corman notes. “The old guard is about protecting the network by closing it off, while the new generation wants change. Security has to shift from the reason you can’t to the reason you can.”
Threat Assessment
At the same time, the nature of threats to networks is also changing, partly because institutions are better about addressing some aspects of security—such as not allowing unsecured personal computers on campus—and partly because the motivation behind the threats is different.
Combating hackers who are just having “fun” can make a campus IT director’s life difficult. “Some people creating viruses are doing it as a hobby,” says Bryan Mehaffey, vice president of technology at Ave Maria University (Fla.). “I have a budget, but they can go as long as they are interested.” Layers of protection are necessary to stop attacks, which might each require a separate solution. “You can’t just put a firewall up and think you are protected,” Mehaffey says.
However, not all viruses are created just for fun. For the first 20 years of cyberattacks, people wrote viruses to gain prestige and notoriety, but for the last five years politics and profit have been the motivation, Corman explains.
