Last fall, Donald Trump theorized that the computer hacker who stole emails from the Democratic National Committee could have been “someone sitting on their bed that weighs 400 pounds.” But the stereotypical rogue nerd isn’t the threat that most concerns information-security officers on college campuses.
Their institutions are under constant attack, they say, by groups of criminal hackers who have professionalized, and industrialized, their efforts in the past few years. If the hackers find a tiny flaw in a college’s data-security apparatus — an unsecured server, a careless user — they can infiltrate its network, Hoover up any and all data they come across, and peddle the choice bits on the dark market — those shadowy corners of the internet where people go to buy and sell illicit goods anonymously. There have been thefts of politically sensitive data, as when hackers published hundreds of emails and documents in 2009 that raised questions about climate scientists’ impartiality, but almost all attacks have more mercenary motives.
It’s an escalating battle that many colleges must fight with limited resources. And the stakes are high. A major breach can expose thousands of names and Social Security numbers, credit-card numbers, and other personal data that employees and students turn over to colleges all the time, leaving those affected vulnerable to identity theft. A breach at the University of California at Berkeley last year compromised the personal data of about 80,000 current and former employees and students.
An attack can also bring an institution’s computer network crashing down: In 2015, Rutgers University was hit with several “denial of service” attacks, in which a hacker flooded the institution’s network with data, temporarily crippling it. In the aftermath, the university budgeted about $3 million to improve its data security.
Colleges “have to be right every time” when it comes to securing data, says Brad Wheeler, vice president for information technology and chief information officer at Indiana University. “The bad guys can try 10,000 times, or 50,000 times. As long as they get it right once, they get a win. It’s a very, very asymmetrical game now.”
Groups of criminal hackers, many of them based overseas, have upgraded their tools and methods. “They’re using these almost weapons-grade hacking kits,” Mr. Wheeler says.
But even familiar modes of attack have grown in sophistication. “Phishing,” in which people receive an email designed to get them to give up passwords or financial information, has evolved past “a rich uncle in Nigeria who wants to wire you a million dollars,” he says, and now uses messages that look very legitimate: “They’re simple, they’re short, they’re often contextualized for something going on at the institution.” Indiana delivered 442 million emails to its users last year, and its countermeasures killed 2.1 billion emails before they entered its system.
The rise of big data has also abetted hackers’ efforts. A decade ago, a spreadsheet of Social Security numbers was “the holy grail” for hackers, says Ronald D. Kraemer, vice president and chief information and digital officer at the University of Notre Dame. Data that can be used for identity theft or to tap financial resources remain the primary targets, but in the past few years, “the analytics tools that people have available to them to sort through data and to figure out what the hidden gems are have just advanced so much,” he says. Personally identifiable information is still the most desirable, and lucrative, goal, but if hackers get into a college’s network they can gather terabytes of research data or emails to sift for possible profit. Most of the nonpersonal data will contain little or no information that can be leveraged, but it doesn’t matter.
“They just slurp it all up,” says Mitchel W. Davis, chief information officer and senior vice president at Bowdoin College. “It might take years to look at it, but they want to get hold of it.”
Large, relatively open computer networks with thousands of users help universities to perform their expansive missions, but they also make it difficult to defend against intrusion. Data security at a college over all is only as good as the security of each server, and of each individual user.
Big attacks often start small. “Someone will hack a school, lab, or departmental-level server. Then they’ll look around sideways,” Mr. Wheeler says. “Then they’ll escalate their privileges on that server. Then they’ll start working up the food chain,” probing for deeper access, and more and more valuable information.
At Indiana, Mr. Wheeler and his staff have spent several years working on reducing potential intrusion points. About four years ago, a self-audit at Indiana revealed about 1,600 computer servers that Mr. Wheeler’s office didn’t even know about. Back then, only about 65 percent of servers on campus were contained within the university’s central data center, where they could be monitored by the best security the institution had on hand. Now about 90 percent are. “If we have fewer things to attack, and fewer things that we can focus more professional energy on securing them, we’re going to be better off than otherwise,” he says.
Many institutions are being more cautious about the information they keep on their networks. When it comes to data, Mr. Kraemer says, “if we have to have it, we encrypt it. If we don’t have to have it, we get rid of it. An organization becomes less of a target if you don’t have tens of thousands of Social Security numbers sitting in an unsecure system.”
More colleges are also moving toward requiring multifactor authentication, in which a password and some additional information or item are required to gain access to their systems. If you’re a hacker trying to get past it, “just stealing a password doesn’t help anymore,” Mr. Kraemer says.
Notre Dame recently made multifactor authentication mandatory for all faculty, staff, and students, a move that involved a management as well as a technical challenge. Mr. Kraemer and his staff spent months talking to various groups on the campus about the security value of multifactor authentication, explaining that it would protect not only the university but also individuals from theft and fraud. Most people are already used to using multifactor authentication for accessing bank machines (a bank card and a PIN), he says. It seems like an unaccustomed step for computer access, but it shields their research and their finances.
Indeed, getting everyone on campus to keep computer security in mind can be as good as some technical backstop, and more affordable. When Bowdoin rolled out multifactor authentication about a year ago, the goal was not just to sell the new program, according to Steven A. Blanc, vice president and associate chief information officer. It was important to impart the idea that “security is not something that IT does, it’s something the college does,” he says.
There’s no reason to believe that hackers will become less skilled, or less persistent, in the future, so colleges will probably continue to face escalating data-security challenges.
The advent of cloud computing has afforded colleges new options for protecting their data, but it also creates potential new threats to security. Storing data in the cloud has helped institutions fend off ransomware attacks, in which malicious software allows hackers to hold data on a machine hostage. “If your data actually exists in multiple places, you can get back your data without having to go through the ransom process,” says Mr. Kraemer. But unless handled carefully, passing data back and forth between a university’s systems and the cloud is one of many processes hackers can exploit to compromise security. “Very few IT organizations in higher education have a clear understanding of what it takes to secure something that’s now part of your system but outside of your organization,” Mr. Davis says.
Hiring data-security personnel with the necessary skills and experience has become increasingly difficult for colleges. Many institutions have started cybersecurity programs that are turning out graduates as fast as they can, but universities themselves are often looking for more senior employees.
“We’re looking for people who are seasoned in dealing with difficult situations,” says Darren Lacey, chief information-security officer and director of IT compliance at the Johns Hopkins University and Johns Hopkins Medicine. “It can be difficult for people to get into the field, even though there’s a shortage of people once you’re in.”
The shortage has driven up salaries for top information-security staff as well. A chief information-security officer at a typical college 10 years ago might have started at $75,000, Mr. Davis says. “Now? Double that.”
Despite scarce personnel and limited resources, Mr. Lacey thinks colleges do a good job over all at data security. Data-security professionals in higher education can communicate with peers at other institutions through a membership organization known as REN-ISAC, the Research and Education Networking Information Sharing and Analysis Center. Such networking helps keep even the smallest institutions up on the latest threats and protective tactics.
Mr. Wheeler worries, though, that such collaborations may not be enough to stave off the growing threat. Even with an information-sharing apparatus in place, word of attacks still sometimes takes days to spread in an era where minutes can count. Each institution may draw on widespread best practices, but they’re all still reinventing the wheel. “We’re going to have to find a path among colleges and universities that gets to a greater degree of efficiency and operational effectiveness at scale, rather than thinking that each campus individually, one by one, can keep up,” he says.
But Mr. Kraemer believes it may be a good thing that colleges aren’t all dug in behind a unified cyberdefense. “The kinds of protections we’ve each put in place, the strategies we use, they’re not unique, but they’re not entirely in sync either, and I think that might actually be a good thing,” he says. “If everyone is doing the exact same thing, in some ways that makes us vulnerable.”