Keeping Up With the Growing Threat to Data Security

By Lee Gardner
April 9, 2017
If hackers get into a college’s network, they can gather terabytes of research data or emails to sift for possible profit. “It might take years to look at it,” says Mitchel Davis (right), chief information officer at Bowdoin College, “but they want to get hold of it.” Steven Blanc, associate chief information officer, says, “security is not something that IT does, it’s something the college does.”
Heather Perry for The Chronicle

Last fall, Donald Trump theorized that the computer hacker who stole emails from the Democratic National Committee could have been “someone sitting on their bed that weighs 400 pounds.” But the stereotypical rogue nerd isn’t the threat that most concerns information-security officers on college campuses.

Their institutions are under constant attack, they say, by groups of criminal hackers who have professionalized, and industrialized, their efforts in the past few years. If the hackers find a tiny flaw in a college’s data-security apparatus — an unsecured server, a careless user — they can infiltrate its network, Hoover up any and all data they come across, and peddle the choice bits on the dark market — those shadowy corners of the internet where people go to buy and sell illicit goods anonymously. There have been thefts of politically sensitive data, as when hackers published hundreds of emails and documents in 2009 that raised questions about climate scientists’ impartiality, but almost all attacks have more mercenary motives.

It’s an escalating battle that many colleges must fight with limited resources. And the stakes are high. A major breach can expose thousands of names and Social Security numbers, credit-card numbers, and other personal data that employees and students turn over to colleges all the time, leaving those affected vulnerable to identity theft. A breach at the University of California at Berkeley last year compromised the personal data of about 80,000 current and former employees and students.

An attack can also bring an institution’s computer network crashing down: In 2015, Rutgers University was hit with several “denial of service” attacks, in which a hacker flooded the institution’s network with data, temporarily crippling it. In the aftermath, the university budgeted about $3 million to improve its data security.

Colleges “have to be right every time” when it comes to securing data, says Brad Wheeler, vice president for information technology and chief information officer at Indiana University. “The bad guys can try 10,000 times, or 50,000 times. As long as they get it right once, they get a win. It’s a very, very asymmetrical game now.”

Groups of criminal hackers, many of them based overseas, have upgraded their tools and methods. “They’re using these almost weapons-grade hacking kits,” Mr. Wheeler says.

But even familiar modes of attack have grown in sophistication. “Phishing,” in which people receive an email designed to get them to give up passwords or financial information, has evolved past “a rich uncle in Nigeria who wants to wire you a million dollars,” he says, and now uses messages that look very legitimate: “They’re simple, they’re short, they’re often contextualized for something going on at the institution.” Indiana delivered 442 million emails to its users last year, and its countermeasures killed 2.1 billion emails before they entered its system.

The rise of big data has also abetted hackers’ efforts. A decade ago, a spreadsheet of Social Security numbers was “the holy grail” for hackers, says Ronald D. Kraemer, vice president and chief information and digital officer at the University of Notre Dame. Data that can be used for identity theft or to tap financial resources remain the primary targets, but in the past few years, “the analytics tools that people have available to them to sort through data and to figure out what the hidden gems are have just advanced so much,” he says. Personally identifiable information is still the most desirable, and lucrative, goal, but if hackers get into a college’s network they can gather terabytes of research data or emails to sift for possible profit. Most of the nonpersonal data will contain little or no information that can be leveraged, but it doesn’t matter.

“They just slurp it all up,” says Mitchel W. Davis, chief information officer and senior vice president at Bowdoin College. “It might take years to look at it, but they want to get hold of it.”

3 Types of Attacks Colleges Face

Phishing

These emails are designed to trick recipients into giving up their passwords or financial information, and they’re getting more sophisticated all the time. Phishing attempts that target students, faculty, and staff members these days may even mimic missives from within the institution itself. Hackers sometimes “draw on social media, look to see what’s going on at the institution, fabricate messages that appear to be legitimate, or even hack the account of someone that you would likely interact with,” says Brad Wheeler, vice president for information technology and chief information officer at Indiana University.

Ransomware

Click on the wrong link — even if it seems legitimate — and you might download malicious software that allows hackers to hold a machine or server hostage, along with its data. Many such attacks can be contained, but it’s important for victims to report attacks immediately so the damage can be dealt with. Mitchel W. Davis, chief information officer and senior vice president at Bowdoin College, says his institution has worked to encourage ransomware victims not to be embarrassed or worried about penalties: “We get calls very quickly if they realize that they may have made a mistake.”

Denial-of-service attacks

While relatively rare in higher education, these attacks can be devastating, as hackers flood an organization’s computer network with data, overwhelming it and blocking legitimate activity in the process. “That is a great concern,” Mr. Wheeler says. If someone doesn’t like something an institution is doing, or a former employee has a grievance, they can “rent a mercenary army to flood your network pipes and knock you offline.”

Large, relatively open computer networks with thousands of users help universities to perform their expansive missions, but they also make it difficult to defend against intrusion. Data security at a college over all is only as good as the security of each server, and of each individual user.

Big attacks often start small. “Someone will hack a school, lab, or departmental-level server. Then they’ll look around sideways,” Mr. Wheeler says. “Then they’ll escalate their privileges on that server. Then they’ll start working up the food chain,” probing for deeper access, and more and more valuable information.

At Indiana, Mr. Wheeler and his staff have spent several years working on reducing potential intrusion points. About four years ago, a self-audit at Indiana revealed about 1,600 computer servers that Mr. Wheeler’s office didn’t even know about. Back then, only about 65 percent of servers on campus were contained within the university’s central data center, where they could be monitored by the best security the institution had on hand. Now about 90 percent are. “If we have fewer things to attack, and fewer things that we can focus more professional energy on securing them, we’re going to be better off than otherwise,” he says.

Many institutions are being more cautious about the information they keep on their networks. When it comes to data, Mr. Kraemer says, “if we have to have it, we encrypt it. If we don’t have to have it, we get rid of it. An organization becomes less of a target if you don’t have tens of thousands of Social Security numbers sitting in an unsecure system.”

More colleges are also moving toward requiring multifactor authentication, in which a password and some additional information or item are required to gain access to their systems. If you’re a hacker trying to get past it, “just stealing a password doesn’t help anymore,” Mr. Kraemer says.

Notre Dame recently made multifactor authentication mandatory for all faculty, staff, and students, a move that involved a management as well as a technical challenge. Mr. Kraemer and his staff spent months talking to various groups on the campus about the security value of multifactor authentication, explaining that it would protect not only the university but also individuals from theft and fraud. Most people are already used to using multifactor authentication for accessing bank machines (a bank card and a PIN), he says. It seems like an unaccustomed step for computer access, but it shields their research and their finances.

Indeed, getting everyone on campus to keep computer security in mind can be as good as some technical backstop, and more affordable. When Bowdoin rolled out multifactor authentication about a year ago, the goal was not just to sell the new program, according to Steven A. Blanc, vice president and associate chief information officer. It was important to impart the idea that “security is not something that IT does, it’s something the college does,” he says.

There’s no reason to believe that hackers will become less skilled, or less persistent, in the future, so colleges will probably continue to face escalating data-security challenges.

The advent of cloud computing has afforded colleges new options for protecting their data, but it also creates potential new threats to security. Storing data in the cloud has helped institutions fend off ransomware attacks, in which malicious software allows hackers to hold data on a machine hostage. “If your data actually exists in multiple places, you can get back your data without having to go through the ransom process,” says Mr. Kraemer. But unless handled carefully, passing data back and forth between a university’s systems and the cloud is one of many processes hackers can exploit to compromise security. “Very few IT organizations in higher education have a clear understanding of what it takes to secure something that’s now part of your system but outside of your organization,” Mr. Davis says.

Hiring data-security personnel with the necessary skills and experience has become increasingly difficult for colleges. Many institutions have started cybersecurity programs that are turning out graduates as fast as they can, but universities themselves are often looking for more senior employees.

“We’re looking for people who are seasoned in dealing with difficult situations,” says Darren Lacey, chief information-security officer and director of IT compliance at the Johns Hopkins University and Johns Hopkins Medicine. “It can be difficult for people to get into the field, even though there’s a shortage of people once you’re in.”

The shortage has driven up salaries for top information-security staff as well. A chief information-security officer at a typical college 10 years ago might have started at $75,000, Mr. Davis says. “Now? Double that.”

Despite scarce personnel and limited resources, Mr. Lacey thinks colleges do a good job over all at data security. Data-security professionals in higher education can communicate with peers at other institutions through a membership organization known as Ren-Isac, the Research and Education Networking Information Sharing and Analysis Center. Such networking helps keep even the smallest institutions up on the latest threats and protective tactics.

Mr. Wheeler worries, though, that such collaborations may not be enough to stave off the growing threat. Even with an information-sharing apparatus in place, word of attacks still sometimes takes days to spread in an era where minutes can count. Each institution may draw on widespread best practices, but they’re all still reinventing the wheel. “We’re going to have to find a path among colleges and universities that gets to a greater degree of efficiency and operational effectiveness at scale, rather than thinking that each campus individually, one by one, can keep up,” he says.

But Mr. Kraemer believes it may be a good thing that colleges aren’t all dug in behind a unified cyberdefense. “The kinds of protections we’ve each put in place, the strategies we use, they’re not unique, but they’re not entirely in sync either, and I think that might actually be a good thing,” he says. “If everyone is doing the exact same thing, in some ways that makes us vulnerable.”

A version of this article appeared in the April 14, 2017, issue.
Lee Gardner writes about the management of colleges and universities. Follow him on Twitter @_lee_g, or email him at lee.gardner@chronicle.com.