CybersecurityUniversities struggle to balance cybersecurity, openness

Published 19 March 2014

Since January 2013, more than fifty academic institutions across the country have been targets of cyberattacks, compromising personal information and intellectual property. Unlike other organizations, universities cannot mandate what devices are used to access their networks, and they must accommodate faculty, students, and researchers spread across the globe. Academic network systems are attractive to hackers because they contain valuable intellectual property.

Since January 2013, more than fifty academic institutions across the country have been targets of cyberattacks, which have compromised personal information, according to the Privacy Rights Clearinghouse, a California-based consumer-advocacy group. Last year, a cyberattack on the Arizona school district, which has about 265,000 students enrolled in courses annually in ten community colleges, could have compromised 2.5 million Social Security and banks account numbers belonging to students, former students, and employees.

The Baltimore Sun reports that colleges and universities can be easy targets for hackers because they offer many access points into their networks. Unlike other organizations, universities cannot mandate what devices are used to access their networks, and they must accommodate faculty, students, and researchers spread across the globe. Academic network systems are attractive to hackers because they contain valuable intellectual property.

The vulnerability campus networks and the growing threat have led many institutions to rethink their information sharing practices.

It’s been a long-standing concern that our culture of collaboration and trust kind of flies in the face of the need for security to be more closed, more alert and more skeptical and cynical,” said Rodney Petersen, senior policy adviser for SecuriCORE, a higher education information security project at Indiana University. Just as universities have increased campus surveillance and security guards, they must also advance their cybersecurity operations.

Recognizing hacking attempts can prove difficult for academic institutions, said Darren Lacey, Johns Hopkins University’s chief information security officer. “Really, everything is an anomaly. If I get a million connections from another country, a corporation might say that’s not good. In our world, because we have students and faculty all over the world, that doesn’t necessarily trigger any response from us.”

Some universities are now beginning to review questionable system activities. A 18 February 2014 systems breach at the University of Maryland, College Park which compromised Social Security numbers and birth dates of 287,580 students, faculty, and staff prompted university president Wallace Loh to assign a cybersecurity task force to explore whether the university’s information technology systems should be centralized to keep sensitive data in one place, instead of having data scattered across various university departments. The group, which first met on 12 March 2014, has not published its recommendations.

The Sun notes that security experts recommend that access to some parts of university networks should be limited. One option is to require users who log in to university networks via a new device to provide a verification code sent via text message or e-mail.

Still some academic institutions are reluctant to compromise the “open concept” of their networks at the risk of allowing such change to disrupt research. “I think things are going to get a lot harder for everyone,” said Matthew Green, an assistant research professor of computer science at Johns Hopkins. “It’s good to be secure, but it’s good to be open. You have to really be careful how much you do to prevent people from the work they’re supposed to be doing.”