Daniel W. Drezner
How colleges should handle international cybersecurity
Well, Richard Perez-Pena has quite the New York Times front-pager, doesn’t he? America’s research universities, among the most open and robust centers of information exchange in the world, are increasingly coming under cyberattack, most of it thought to be from China, with millions of hacking attempts weekly. Campuses are being forced to tighten security, constrict ...
Well, Richard Perez-Pena has quite the New York Times front-pager, doesn’t he?
America’s research universities, among the most open and robust centers of information exchange in the world, are increasingly coming under cyberattack, most of it thought to be from China, with millions of hacking attempts weekly. Campuses are being forced to tighten security, constrict their culture of openness and try to determine what has been stolen.
University officials concede that some of the hacking attempts have succeeded. But they have declined to reveal specifics, other than those involving the theft of personal data like Social Security numbers. They acknowledge that they often do not learn of break-ins until much later, if ever, and that even after discovering the breaches they may not be able to tell what was taken.
Universities and their professors are awarded thousands of patents each year, some with vast potential value, in fields as disparate as prescription drugs, computer chips, fuel cells, aircraft and medical devices.
“The attacks are increasing exponentially, and so is the sophistication, and I think it’s outpaced our ability to respond,” said Rodney J. Petersen, who heads the cybersecurity program at Educause, a nonprofit alliance of schools and technology companies. “So everyone’s investing a lot more resources in detecting this, so we learn of even more incidents we wouldn’t have known about before.”….
Analysts can track where communications come from — a region, a service provider, sometimes even a user’s specific Internet address. But hackers often route their penetration attempts through multiple computers, even multiple countries, and the targeted organizations rarely go to the effort and expense — often fruitless — of trying to trace the origins. American government officials, security experts and university and corporate officials nonetheless say that China is clearly the leading source of efforts to steal information, but attributing individual attacks to specific people, groups or places is rare.
What’s interesting is the difference in how universities are responding to these threats as opposed to corporations:
Like major corporations, universities develop intellectual property that can turn into valuable products like prescription drugs or computer chips. But university systems are harder to secure, with thousands of students and staff members logging in with their own computers.
Mr. Shaw, of Purdue, said that he and many of his counterparts had accepted that the external shells of their systems must remain somewhat porous. The most sensitive data can be housed in the equivalent of smaller vaults that are harder to access and harder to move within, use data encryption, and sometimes are not even connected to the larger campus network, particularly when the work involves dangerous pathogens or research that could turn into weapons systems.
“It’s sort of the opposite of the corporate structure,” which is often tougher to enter but easier to navigate, said Paul Rivers, manager of system and network security at the University of California, Berkeley. “We treat the overall Berkeley network as just as hostile as the Internet outside.”
Now, far be it for me to suggest an alternative strategy to counter these kind of cyberattacks, but I do wonder what would happen if academic institutions decided to simply throw open almost all of their Internet traffic to outside observation. The idea here would be to drown cyberspies in so much minutiae that the following would happen:
SETTING: NONDESCRIPT BUILDING, SHANGHAI, CHINA, AT LEAST TEN PEOPLE SURROUNDING ONE COMPUTER TERMINAL
ENTER GENERAL CHANG INTO THE ROOM.
CHANG: Well, Comrade Li, what valuable information have you extracted from Tufts University? Anything valuable?
MAJOR LI SEES CHANG, STANDS UPRIGHT, SALUTES.
LI: Oh, it’s very exciting, General. I’ve been monitoring their Central Committee exchanges, although they use the bourgeois term "faculty governance" instead.
CHANG: Major, I think we were more interested in whether Tufts had any technical—
LI: Apparently, the Tufts faculty has splintered into many, many factions, sir! Some of the splittists are waging a fierce online guerilla campaign to secure coveted parking spots!!
CHANG: Major, maybe it’s time you took that holiday we talked about—
LI: No, sir!! Then I wouldn’t be able to see which faculty members manage to avoid membership in the accursed admissions committee!!
CHANG: You fool, Li!! Can’t you see that is distracting you from your real purpose?! Is this all you’ve found out, Li?
LI: No, sir, I’ve also hacked into the New York Times server and have acquired all the necessary metadata to produce a detailed graph function of who is sleeping with who, sir.
CHANG: Well done, Li!! With this information, we will continue our peaceful rising no matter how badly the Americans try to stifle us!
Seriously, beyond the few precautions discussed in the article, I’m dubious that much can or should be done about this. Perhaps some intellectual property would be preserved by cracking down on the openness of the university system. I suspect, however, that far more would never be created in the first place.
What do you think?