MCLC: cyberattacks challenge US campus culture

Denton, Kirk denton.2 at osu.edu
Wed Jul 17 09:40:19 EDT 2013


MCLC LIST
From: pjmooney <pjmooney at me.com>
Subject: cyberattacks challenge US campus culture
***********************************************************

Source: NYT (7/16/13):
http://www.nytimes.com/2013/07/17/education/barrage-of-cyberattacks-challenges-campus-culture.html

Barrage of Cyberattacks Challenges Campus Culture

America’s research
universities, among the most open and robust centers of information
exchange in the world, are increasingly coming under cyberattack, most of
it thought to be from China, with millions of hacking attempts weekly.
Campuses are being forced to tighten security, constrict their culture of
openness and try to determine what has been stolen.

University officials concede that some of the hacking attempts have
succeeded. But they have declined to reveal specifics, other than those
involving the theft of personal data like Social Security numbers. They
acknowledge that they often do not learn of break-ins until much later, if
ever, and that even after discovering the breaches they may not be able to
tell what was taken.

“The attacks are increasing exponentially, and so is the sophistication,
and I think it’s outpaced our ability to respond,” said Rodney J.
Petersen, who heads the cybersecurity program at Educause, a nonprofit
alliance of schools and technology companies. “So everyone’s investing a
lot more resources in detecting this, so we learn of even more incidents
we wouldn’t have known about before.”

Tracy B. Mitrano, the director of information technology policy at Cornell
University, said that detection was “probably our greatest area of
concern, that the hackers’ ability to detect vulnerabilities and penetrate
them without being detected has increased sharply.”

Like many of her counterparts, she said that while the largest number of
attacks appeared to have originated in China, hackers have become adept at
bouncing their work around the world.

Analysts can track where communications come from — a region, a service
provider, sometimes even a user’s specific Internet address. But hackers
often route their penetration attempts through multiple computers, even
multiple countries, and the targeted organizations rarely go to the effort
and expense — often fruitless — of trying to trace the origins. American
government officials, security experts and university and corporate
officials nonetheless say that China is clearly the leading source of
efforts to steal information, but attributing individual attacks to
specific people, groups or places is rare.

The increased threat of hacking has forced many universities to rethink
the basic structure of their computer networks and their open style,
though officials say they are resisting the temptation to create a
fortress with high digital walls.

“A university environment is very different from a corporation or a
government agency, because of the kind of openness and free flow of
information you’re trying to promote,” said David J. Shaw, the chief
information security officer at Purdue University. “The researchers want
to collaborate with others, inside and outside the university, and to
share their discoveries.”

Some universities no longer allow their professors to take laptops to
certain countries, and that should be a standard practice, said James A.
Lewis, a senior fellow at the Center for Strategic and International
Studies, a policy group in Washington. “There are some countries,
including China, where the minute you connect to a network, everything
will be copied, or something will be planted on your computer in hopes
that you’ll take that computer back home and connect to your home network,
and then they’re in there,” he said. “Academics aren’t used to thinking
that way.”

Bill Mellon of the University of Wisconsin said that when he set out to
overhaul computer security recently, he was stunned by the sheer volume of
hacking attempts.

“We get 90,000 to 100,000 attempts per day, from China alone, to penetrate
our system,” said Mr. Mellon, the associate dean for research policy.
“There are also a lot from Russia, and recently a lot from Vietnam, but
it’s primarily China.”

Other universities report a similar number of attacks and say the figure
is doubling every few years. What worries them most is the growing
sophistication of the assault.

For corporations, cyberattacks have become a major concern, as they find
evidence of persistent hacking by well-organized groups around the world —
often suspected of being state-sponsored — that are looking to steal
information that has commercial, political or national security value. The
New York Times disclosed in January that hackers with possible
links to the Chinese military had penetrated its computer systems,
apparently looking for the sources of material embarrassing to China’s
leaders.

This kind of industrial espionage has become a sticking point in United
States-China relations, with the Obama administration complaining of
organized cybertheft of trade secrets, and Chinese officials pointing to
revelations of American spying.

Like major corporations, universities develop intellectual property that
can turn into valuable products like prescription drugs or computer chips.
But university systems are harder to secure, with thousands of students
and staff members logging in with their own computers.

Mr. Shaw, of Purdue, said that he and many of his counterparts had
accepted that the external shells of their systems must remain somewhat
porous. The most sensitive data can be housed in the equivalent of smaller
vaults that are harder to access and harder to move within, use data
encryption, and sometimes are not even connected to the larger campus
network, particularly when the work involves dangerous pathogens or
research that could turn into weapons systems.

“It’s sort of the opposite of the corporate structure,” which is often
tougher to enter but easier to navigate, said Paul Rivers, manager of
system and network security at the University of California, Berkeley. “We
treat the overall Berkeley network as just as hostile as the Internet
outside.”

Berkeley’s cybersecurity budget, already in the millions of dollars, has
doubled since last year, responding to what Larry Conrad, the associate
vice chancellor and chief information officer, said were “millions of
attempted break-ins every single week.”

Mr. Shaw, who arrived at Purdue last year, said, “I’ve had no resistance
to any increased investment in security that I’ve advocated so far.” Mr.
Mellon, at Wisconsin, said his university was spending more than $1
million to upgrade computer security in just one program, which works with
infectious diseases.

Along with increased spending has come an array of policy changes, often
after consultation with the F.B.I. Every research university contacted
said it was in frequent contact with the bureau, which has programs
<http://www.fbi.gov/about-us/investigate/counterintelligence/us-academia>
specifically to advise universities on safeguarding data. The F.B.I. did
not respond to requests to discuss those efforts.

Not all of the potential threats are digital. In April, a researcher from
China who was working at the University of Wisconsin’s medical school was
arrested and charged with trying to steal a cancer-fighting compound and
related data.

Last year, Mr. Mellon said, Wisconsin began telling faculty members not to
take their laptops and cellphones abroad, for fear of hacking. Most
universities have not gone that far, but many say they have become more
vigilant about urging professors to follow federal rules
<http://www.bis.doc.gov/policiesandregulations/> that prohibit taking some
kinds of sensitive data out of the country, or have imposed their own
restrictions, tighter than the government’s. Still others require that
employees returning from abroad have their computers scrubbed by
professionals.

That kind of precaution has been standard for some corporations and
government agencies for a few years, but it is newer to academia.

Information officers say they have also learned the hard way that when a
software publisher like Oracle or Microsoft announces that it has
discovered a security vulnerability and has developed a “patch” to correct
it, systems need to apply the patch right away. As soon as such a hole is
disclosed, hacker groups begin designing programs to take advantage of it,
hoping to release new attacks before people and organizations get around
to installing the patch.

“The time between when a vulnerability is announced and when we see
attempts to exploit it has become extremely small,” said Mr. Conrad, of
Berkeley. “It’s days. Sometimes hours.”


