Universities Behind the Curve in Cybersecurity

Threat Landscapes and Advanced Response for Counties
October 3, 2013
New law firm marries different missions
January 1, 2014

Universities Behind the Curve in Cybersecurity

By Evan Sills

            In recent months, although Congress has unsuccessfully tried to pass cybersecurity legislation, our nation’s critical infrastructure companies have become better prepared to defend themselves from cyber threats.  This has been especially true for the financial services and telecommunications industries, which have been the targets of relentless DDoS attacks and attempted thefts of consumer data.  Unfortunately, there is still one industry in the United States that holds significant intellectual property but remains particularly vulnerable to cyber threats: American universities.

With students now back in class and Cybersecurity Month beginning this week, it is an appropriate time to focus on cybersecurity concerns at our nation’s institutions of higher education.  It appears they have been slow to react when it comes to hardening systems and networks to protect confidential intellectual property. [1]  That universities acknowledged “some of the hacking attempts have succeeded” but refused to disclose anything other than what is statutorily obligated (personally identifiable information (PII), such as names with social security numbers), leaves these institutions in the same place many other American businesses existed for the past several years: isolated and vulnerable, scared of revealing the seriousness of their losses.  Universities, which hold thousands of patents and conduct some of the most cutting-edge research in the country, are unusual in that most span many industries, providing those who wish to steal technological secrets access to a wide swath of intellectual property unavailable at most private sector organizations.

            Fortunately, the infrastructure and attitudes that will improve cybersecurity at universities already exist.  Some schools, such as the University of California, Berkeley, have developed a healthy skepticism regarding the integrity of their own networks, “treat[ing] the overall Berkeley network as just as hostile as the Internet outside.” For further proof that the University of California system is taking cybersecurity seriously, one only has to look at their hiring of outgoing DHS-Secretary Napolitano)  Others, such as Boston University, participate in cyber threat information sharing networks such as the Advanced Cyber Security Center (ACSC).[2]  The university system should leverage the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC), one of 15 critical infrastructure ISACs that are specifically designed to foster the sharing of cyber threat information and best practices within an industry.  Finally, the FBI conducts outreach to universities through the College and University Security Effort (CAUSE)[3] to protect higher education institutions from “foreign intelligence threats.”

With these resources available, universities must take the next step to implement a culture shift in how they treat their intellectual property and research and development programs, because these discoveries fuel the American economy.  Whereas for most organizations this data would be key to its profits and future earnings, universities not only have other revenue sources but have a business model that does not rely on turning research into profitable products and services.[4]

Therefore, additional incentives are needed to push universities to place more resources in cybersecurity.  Federal and local governments should provide grants to universities willing to invest in better protecting their intellectual property.  This money can be used to purchase separate infrastructure for researchers around university campuses, effectively creating an isolated system similar to the classified networks of the U.S. Government.  Further, universities should give these researchers their own data storage systems that are separate from the rest of the university.  A cyber threat actor trying to steal university data from six different laboratories should have to break into six different systems, not the path of least resistance and acquire access to the entire university’s files.  Finally, universities should continue educating faculty, staff, and students alike who work on these projects about the dangers of transporting data out of secure networks — humans are most often the weakest link in cybersecurity.  By harnessing available resources and committing to the better protection of data, universities can make themselves harder targets and safeguard the hard work of their researchers.

[1] Richard Perez-Pena, N.Y. Times, July 16, 2013, http://www.nytimes.com/2013/07/17/education/barrage-of-cyberattacks-challenges-campus-culture.html.

[2] http://www.acscenter.org/membership/.

[3] http://www.fbi.gov/about-us/investigate/counterintelligence/us-academia.

[4] For reference, 157 responding universities reported a total of $1.8 billion in revenue from licensing academic research.  Goldie Blumenstyk, “Universities Report $1.8-Billion in Earnings on Inventions in 2011,” The Chronicle of Higher Education, Aug. 28, 2012, http://chronicle.com/article/University-Inventions-Earned/133972.

Evan is an attorney in Washington, D.C. focusing on cybersecurity and national issues.  Recently he has done work for Aspire IP and Good Harbor Security Risk Management.  Previously he served as a  Legal Fellow at the Cyber Security Policy and Research Institute and an intern at the Dept. of Justice, National Security Division.  Evan is the Editor of an upcoming book entitled “A Playbook for Cyber Events,” published by the American Bar Association, Standing Committee on Law and National Security, which provides a guide to organizations defending themselves from cyber threats.