Amid the increasingly sophisticated cyberattacks faced by universities, UC Berkeley is doubling its efforts and allying with other UC campuses to address security risks.
UC Berkeley was previously underfunded for an institution of its size but will increase investment in its central information security program from $1.5 million to $3 million for the next fiscal year. Universities face the extra challenge of protecting intellectual property and the security data of a heterogeneous population while preserving the openness unique to a research institution.
UC Berkeley faces millions of attempts at breaching vulnerabilities every week, according to Larry Conrad, UC Berkeley’s chief information officer.
“Unfortunately, universities are a worldwide destination for hackers,” Conrad said. “To steal a Social Security number or credit card number, you get some financially stable people (in universities) you can leverage. Research universities also create new knowledge — there’s intellectual property, value on the new market.”
These cyberattacks are also becoming more sophisticated, and phishing attacks — which trick people into revealing accounting credentials by replicating login pages and stealing credentials — have seen an increase. According to Paul Rivers, UC Berkeley’s system and network security manager, hackers monitor UC websites so they can replicate login pages as closely as possible.
The number of cyberattacks campuses face may also depend on the size of the institution and significance of its research. UC Riverside receives thousands of attacks per year — compared to UC Berkeley’s millions — and its budget for next year will be far less than double that of UC Berkeley, said Bob Grant, director of technology at UC Riverside.
While corporations also face cyberattacks, the information exchanges in universities entail a more open but more vulnerable environment. Unlike corporations, campus networks allow virtually anyone to connect to a server and access the Internet from outside.
The research focus of universities also brings unique challenges for researchers and professors who want to protect intellectual property. Hackers may not always have the motivation to steal research to make their own patents — sometimes, they only look to take advantage of the information.
Handling stolen intellectual property is also more difficult because of international hackers and the challenges that come with obtaining cooperation from foreign countries, according to Brian Carver, an assistant professor at the UC Berkeley School of Information. Hackers often launch attacks from multiple locations or change locations, making it complicated to trace the origin of the breach.
Looking ahead: taking steps to ensure improved security
In 2009, hackers broke into University Health Services databases, gaining access to 160,000 people’s personal records for six months. Afterward, the FBI and UCPD combed through records extensively to ensure that all students were aware of the security breach and that firewalls were secure.
Now, the campus’s Information Services and Technology department plans on doubling its funding, an investment that will bring the institution up to par with its peers. Currently, the UC Privacy and Information Security Initiative is also seeking to have an advisory board for both the UC president and for each university by 2014 to guide discussions about issues of privacy and information security.
“It really does take a village to try to respond to this,” Conrad said. “The threat is too pervasive. The (other universities) help identify where the exposures are and do a good job of disseminating the info.”
However, each individual will also have to play an active role, as the most important thing for departments and researchers to do is remain aware of what data they have that could be breached, Rivers said. IST has also emphasized clear data classification standards that inform departments of the level of security their data requires.
Hackers target not only high-security computers but also devices as common as personal laptops. Just having anti-virus software does not suffice these days, Rivers said. IST offers a program called Secunia PSI that individuals on campus can use to see whether they have the necessary updated protection.
“Hackers may look for any kind of data system to get into, whether sensitive or not,” Rivers said. “So they spread out and establish capability on the campus network … That’s the basis by which our security standards require patching your system. People wonder, if it’s just my personal laptop, why does it matter to the university? Well, that’s why.”
In 2010, the university moved to create an overarching security policy. The initiative will establish a systemwide advisory board, train campus privacy leaders and form a consistent balancing analysis — a framework for decision-making when competing privacy interests, university values or obligations exist. The university hopes to fully implement the initiative in the next five years.
Despite these steps, the initiative strives to refrain from turning the university’s security program into that of a corporation. Corporations have more restrictions on accessing web servers and may perform stronger monitoring because they regard the computers as company property. According to Rivers, the university does not want to become a “Big Brother” but aims to maintain strong security alongside uninhibited autonomy.
However, security breaches remain a problem for universities. On July 24, Stanford University experienced its own security breach in its information technology infrastructure. Stanford is still investigating the source and impact of the breach but has urged all students to changed their passwords.
“Due to the emergence of so much new technology and the ever increasing amount of data we store it is of great importance that we make security a priority,” said UC spokesperson Brooke Converse in an email. “It is critical that the University be a good steward of information entrusted to it by students, faculty, staff, and community.”
Contact Mary Zhou at email@example.com