Cyber security: it takes a community: it's time for all of us to come together, to ensure cyber security

BAD THINGS CAN HAPPEN IN CYBERSPACE. THE FREE AND UNIMpeded flow of information and ideas now relies on adequate security because breaches, hacker attacks, and viruses can take down the networks upon which research, instruction, and communication depend. Information security is an increasingly important responsibility for all organizations--particularly academic institutions. But just how large a problem do security incidents (which can range from unauthorized access, alteration of data, and virus infiltrations, to denial-of-service attacks) actually present to IHEs?

A 1998 University of Michigan study estimated that 30 known security-related IT incidents cost over $1 million in direct and indirect costs, and resulted in the expenditure of over 9,000 employee hours for incident investigation and resolution. Nearly 270,000 computer and network users were affected. Since the study was completed, the number and complexity of cyber attacks on computer networks has increased, as have the costs of dealing with them. Managing the risks and the liabilities associated with IT-related incidents is a real and escalating challenge for higher ed.

But hard costs are only part of the story. The true costs of information security breaches are not always easy to quantify; they involve issues such as potential legal liability, loss of intellectual property or institutional assets, delayed or compromised research, and damage to the reputation of the institution itself. In addition, availability of computing resources is critical to the day-to-day operation of the institution.

One thing is clear: Network security is everyone's responsibility. While it would be more convenient if the solution were a piece of technology, and it's tempting to rely on IT staff or information security officers to ensure cyber security, the reality is more complex. It will take a coordinated effort to develop an effective cyber security program. It is an ongoing challenge that requires the cooperation and vigilance of administrators, faculty, staff, and students, and the leadership and cooperation of senior executives, legal counsel, auditors, police and public safety, and others. A successful academic security strategy involves technology, policy, and people.

And just as cyber security is not solely a technology problem, IT security in higher education is not dependent just on higher education. Businesses that provide products and services are involved as well. It is no longer sufficient for higher education and industry to work on cyber security in parallel; it must become a collaborative, broad-based effort to be successful.

Because of these perceived needs, a coalition of technology, industry, and education leaders is moving to establish a Cyber Security Forum for Higher Education. Its purpose is to create an opportunity for discussion of higher ed computer and network security issues that involve both the corporate and academic communities, with the goal of improving higher ed cyber security through mutual efforts. The forum will focus on the IT security needs of higher education while respecting the business needs of its corporate participants. It will recognize the need to share information across organizations and will work toward common goals that further the shared interests of higher education, business, and government, adhering to principles of open-mindedness, fairness, ethical decision-making, and balanced advocacy. Though the environments differ, we share common themes and lessons, and need to ensure that products work together synergistically. The Cyber Security Forum for Higher Education and the EDUCAUSE/Internet2 Computer and Network Security Task Force support an agenda that specifically and actively addresses the security needs of colleges and universities.

The goal is to increase the awareness of IT security risks and the corresponding responsibilities of higher ed executives and end users of technology, including faculty, staff, and students. IHEs need to develop more effective problem-solving and communication mechanisms to minimize damage or disruption from security incidents, and provide advice on cyber security strategies, planning, and coordination.

There is a need to collaborate on research and development activities to design, develop, and deploy improved security for future research and education networks. Our hope is that higher education will work with vendors to develop and deliver more secure products that address the specific security needs and requirements of higher ed. Institutions should also employ technology to monitor resources and minimize adverse consequences of security incidents in areas such as firewall implementations, network partitioning, virtual private networks, wireless security, system scanning, and intrusion detection systems.

Although IHEs recognize the need for the development of security policies and procedures within the academy, adequate institutional policies may not yet be in place. The sharing of effective practices and solutions that enhance computer and network security from any sector (such as government, business, or education) is encouraged. All organizations should promote the adoption of effective practices and solutions by vendors and educational institutions.

The responsibility of higher education to cyber security goes beyond keeping its slice of cyberspace safe. Higher ed can play a larger leadership role for government and industry by providing guidance and innovation in digital security issues. But it is time for higher education and business to work together--for everyone's benefit.

For more information, go to www.educause.edu/security.

COPYRIGHT 2004 Professional Media Group LLC
COPYRIGHT 2004 Gale Group