Beware the Ides of March: Security in Higher Education

This week, the FBI indicted nine Iranians on charges of cyber espionage, targeting mostly academics at higher education institutions across the world.

The M.O. of the attackers is pretty straight forward — there was no new technology deployed to make this happen (at least, not that’s being disclosed so far). Thousands of academics accounts were compromised, and intellectual property was stolen. Estimates of financial loss are in the billions of dollars, although this is a hard estimate to quantify.

In the same week, Facebook is being criticized for its data handling processes, which involve a Cambridge University Professor and an external data analytics firm, and the potential for the misuse of millions of Facebook user’s data.

Stories like these inevitably lead to industry pundits remarking on the lack of security in Higher Education and Research, with associated hand wringing by governments, industry partners and higher education leadership. They will talk about the open environment in Higher Ed, where people choose to share information without regard to the value of it. They will talk about the lack of consistent hardware and software standards, and the high amounts of BYOD. They will talk about the porous networks, the explosion of IOT devices, and the ability of anyone to come and go, digitally speaking. They will also talk about tenure, and how the Academy isn’t politically designed to ensure compliance to standards.

And they would all be correct.

For a Higher Ed Security Professional, the role of ensuring that data integrity, confidentiality and availability is a monumental one, and one that is often under appreciated by Security Professionals in other industries. Higher Ed Security Pros work across industry, across geographies, and across distributed business and IT management structures. Other Security Pros in other industries have big jobs, certainly, but few of them have to manage the breadth of systems, information and politics like those in Higher Education. Almost all of whom, incidentally, work for below-market compensation.

Welcome, Spring

I would suggest that the very circumstances that make Higher Ed a challenging Security environment are what puts Higher Ed security at the forefront of the Security profession.

There has been a lot of conversation in other industries about the benefits of collaboration across competing businesses. Much has been made of the success of the Financial ISAC, or the Cyber Threat Alliance and other collaborations, as being a breakthrough concept to develop common solutions to common problems. Higher Education has been doing this since the beginning, especially in IT. Creation of research networks, collaborative buying consortiums, and yes, ISACs, have been effectively working together for a long time. It is part of the DNA of Higher Education to share knowledge for the betterment of society — why should Security be any different?

Yes, Higher Ed is a place where technology standards are varied, if not missing entirely. Unlike other industries, Higher Ed is a place where the employees and the customers are in the same physical space, side-by-side as they work to learn and discover. This doesn’t happen in any other industry. Because Higher Ed blurs the line between work and home, staff and customer, researcher and subject, there is a high level of variation in computers and software. There is a high proportion of BYOD and “shadow IT”. This is where other industries are headed. We already see a blurring of the lines between work and home in other industries, and when that happens, Security Pros in other fields will have to learn to secure data regardless of the device type or the location. This is where you see Zero Trust models of Security starting to flourish — because this is the perfect test bed for these kinds of solutions. Security vendors who offer a solution which only work with Windows, or with Macs, or Linux, have only a small role to play in securing the Higher Education environment.

Yes, Higher Education has porous networks and a lot of weird and wonderful devices in its environment. It has to. While there is some research that has been protected in the traditional data center and firewall configuration, a lot of the research is done in the public square, using public data sources and human subjects. As other industries are realizing that the zone of protection needs to be the individual not the server, higher education professionals have known this for a long time. Hopefully now our vendors will provide solutions to meet this reality.

Tenure is an interesting higher education phenomenon. Whereas just about everyone else deals with “at will employment” (at least in the US), those with Tenure enjoy a level of job protection that makes them immune to many of the rules and processes which affect the rest of us. To be a Security Professional in Higher Education means making changes to the way people work, and not TELLING them to change, but convincing them that change is in their best interest. In most other industries, you can make a policy change from the top down. In Higher Education, policy change has to come from the bottom up. This means that policy and behavior change takes longer. It also means that when change happens, it sticks. This is the beauty of Higher Education Security; change may be slower than other industries, but it is much more long lasting when it arrives.

It’s all about the Data

Regardless of the politics and structure of Higher Education, Security comes down to protecting the data, and the systems on which the data reside. Here too, Higher Education is ahead of society’s curve. Higher Ed assumes data are shareable within the community unless they are clearly not. Higher Ed acknowledges that the value of data can change over time, and by usage — it is not static but contextual. Our best Artificial Intelligence hasn’t worked that out yet. Researchers already have governance structures to determine not just how data can be shared, but whether it should be shared in the first place. Researchers have to be able to prove their work, not just manipulate data for the sake of it.

Higher Education and Security is not an oxymoron. Whereas the last 20 years in general Security has been about locking down and shutting out, Higher Education has never been that, and will never be. It is only now that the rest of the Security world is seeing what Higher Ed has always known — that data leads to information, knowledge and wisdom, and you cannot close that off. Now that technology has enabled the sharing of data, Higher Education might just be the sector to look towards for information on how to manage Security in the new world.

Cyber Security, Technology Ethics, and Humanity. What else? I can be found on Twitter @CisoHelen