Universities Schooled On Cybersecurity

Although universities can be part of larger cyber attacks as unwitting victims like any other organization or enterprise, the institutions are distinguished by a collegial nature that renders them vulnerable. Academia has a more open atmosphere and a mindset of research and collaboration, making universities an enticing cyber target even for adversaries such as nation-states

Universities can be caught up in all kinds of attacks or suspicious activities—by nation states, criminal groups and low-level hackers, says Richard Forno, assistant director, University of Maryland, Baltimore County (UMBC), Center for Cybersecurity, and director, cybersecurity graduate program.

“What makes university environments a little more challenging is that on one hand, you have research and normal company-like functions, and on the other hand, you have an open, inviting and flexible information technology environment and infrastructure,” says Forno, who holds a Ph.D. in Internet studies from Curtin University of Technology in Australia.

Elementary schools, junior and senior high schools, and community colleges also face an increasing risk of cyber attacks. “Even those schools are finding nation-states in their networks,” he observes.

Schools may have multiple networks, including a Wi-Fi network, along with a more secure network for students, faculty and staff. This factor, combined with multiple devices connecting to the network and the transient nature of students and visiting faculty members and researchers, leaves universities susceptible to intrusions. “Essentially, you have a bunch of computers that aren’t all securable,” warns the senior lecturer in the university’s Department of Computer Science and Electrical Engineering. “It’s a much more complicated environment than trying to secure Ford Motor Company or a government agency because the mindset, the people and the business that goes on in a university environment is so diverse and so varied as compared to a traditional enterprise.”

Universities must take steps to strengthen their networks, employing basic cybersecurity procedures used today by companies or agencies, Forno advises. That includes applying best practices, administrative policies and procedures, having the right staff and tools in place, and making sure that software is current and patched. “That is the same no matter where you are,” he says. Beyond that, universities, like banks or power companies, can share information among chief information security officers and security teams as part of working groups or task forces to strengthen cybersecurity across the education sector.

Forno stresses that “technology is never the only solution, and it’s never the only answer to cyber attacks.” It is part of the solution in a dual approach with technical and human aspects. Forno says it is an “uphill battle with users” to make sure they are not either intentionally or unintentionally hurting themselves or their organizations.

He also notes that not only computer scientists are looking at cyber practices but also those who understand how humans interact with computers, including psychologists, sociologists and economists. “Cyber is so broad that it encompasses far more than the technical aspects,” Forno says.

Although cyber attacks are more prevalent now at universities and overall, some types of attacks are not new. “A lot of what we are seeing is just a continuation of what we’ve been seeing for the last 20 to 30 years,” Forno offers. “Of all the guidance and direction we gave people in the 1980s and 1990s, we are still telling folks to make good passwords and not to just trust public Wi-Fi networks. People are panicking about today’s advanced persistent threats and malware, and there is a lot of hand-wringing and sensationalism, but when you really look at it, a lot of the stuff is just something old wrapped up in something new. And a lot of the countermeasures are the same.”

One big difference today that affects universities—and everyone else—is that the world is so interconnected, Forno continues. “We all have smartphones, home computers and devices, and they all are connected. And they are potentially vulnerable to cyber attacks. It behooves all of us to have some sort of cyber citizenship so that we can know what we are getting into when we decide to connect,” he says.

As for whether universities should be held accountable for being vulnerable or having breaches, Forno observes that “we are all guilty of some form of cyber malfeasance or complacency, and it requires a collective action to overcome that.” He notes that the government itself is vulnerable, but so are companies. Consider the breaches of the Office of Personnel Management as well as Experian, Target and Sony Pictures, among countless others.

The computer science lecturer does see cultural changes at schools as far as cybersecurity awareness is concerned. “I think universities have become more accepting of the threats in cyberspace over the past several years,” Forno says. “Universities have become more aware that cyber is here to stay, that there are concerns and that they have to be a little bit more paranoid, if you will, watching not only who is on the network but also what kind of traffic there is.”

Universities are not as relaxed about giving out email accounts, compared with 20 years ago. Back then, Forno recalls, “If somebody wanted an account on a university computer, they could just ask their buddy, who was a student, and ‘Sure, no problem,’ they had an account.” Before providing an account, schools now make sure someone is a current student, an employee or a faculty member.

As for security consciousness among students, Forno sees a range of awareness. More computer-savvy students understand that there are threats, especially if a school teaches cybersecurity. “I do think generationally there is a change,” he adds. “I won’t say it’s necessarily millennials, but essentially it is folks that have grown up only knowing this technology and sharing of social media.” Generation X, in comparison, still values “privacy and unplugging and pushing back at technology,” Forno explains. “Younger folks don’t have the same mindset necessarily. It’s not enough to just be able to change your Facebook password. They have to learn cyber hygiene. And schools really need to implement basic cyber citizenship and how to be a good participant on the Internet.

“It’s all part of the bigger picture and coming to terms with cybersecurity and cyber in general as a function of life,” he adds.

Colleges and universities can be part of the solution in growing and educating the next generation of cyber protectors. As the U.S. military is developing a cyber force through its cyber commands, in a similar vein, academia is pursuing ROTC cyber programs at universities and partnerships with government-sponsored scholarship programs for cybersecurity students. Another program, Forno says, is Scholarship for Service (SFS). The joint program of the National Science Foundation and the Office of Personnel Management, also known as the CyberCorps, is developing a cadre of cyber workers by awarding scholarships to students interested in cybersecurity. The program, at about 70 universities in the United States, partly covers tuition, finds internships and offers a first look at available federal cyber jobs. Students agree to work in a federal cybersecurity-related position upon graduation for each year they receive funding. “It is a popular, successful program,” Forno reports.

Programs at other schools tap students to test and improve university network cybersecurity. At UMBC, cyber students, in partnership with and under the supervision of the school’s information technology department, conduct live testing of network vulnerabilities and give feedback to the chief information security officer.

Lastly, Forno relates another concern that U.S. universities increasingly are facing, one with both political and cultural sensitivities: foreign students and technology as a possible cyber or research risk. “More so in recent years at U.S. universities, one of our concerns is the issue of students from certain countries, whether it is allowing their exposure to advanced technologies or research,” Forno says. “International Traffic in Arms Regulations may apply if a student falls under a certain research project, and they may not be allowed by law to be involved. A professor could be consulting on a research project and is cleared to work on it but may have certain foreign students in his or her class [who are not cleared].” Forno shares that the issue raises questions about the position it puts a professor in and what information has to be reported. “Although this is not a new concern, the presumption in recent years is that we must be more vigilant,” he offers. “All of academia shares that issue.”