The Hacking Article

Sometimes what is most interesting about attention to an issue is not the attention itself but what it spurs and stimulates subsequently.  That has been my experience since the NYT published the article about hacking on university networks. Discussion within Cornell and on national list services raises a number of questions and illuminates aspects of our work that may not have been present to us in such bold relief.  Here are some specifics:

 A couple of CIOs and a few security specialists found “hyperbole” in the article.  I am not exactly sure what they mean by that term but here are some thoughts of my own.  This issue for colleges and universities is not new, for sure!  We have been addressing it financially, administratively, technically and collectively for at least ten years now.  Mark Luker, when Vice President at EDUCAUSE, created working groups, the SECURITY list service and Security Professionals Conference that remain living examples of that effort.  Together with Jack Suess, they also formed the Internet2/EDUCAUSE Security Task Force that provided valuable guidance and resources for colleges and universities around the country.  Moreover, that collaboration has morphed into the Cloud Alliance that supports the important work that Net+ is doing.  It just might be that some CIOs and IT Security experts who have been tending these vines for a long time now are surprised that the issue is raised as if it were new.   So granted, it is not new, but it remains important.

It is important because it touches on three larger policy issues.   The first is national cyber security.  Few noticed when Congress failed twice to pass legislation to support a more robust national cyber security initiative.  Against all evidence to the contrary notwithstanding (Iran, Israel, U.S. malware stories, not to mention legions of data on everything from Chinese hackers, Russian identity thieves and Nigerian scams … just to name the biggies), Congress ducked its head on this issue because the U.S. business lobby pushed those heads into the sand.  Why?  “Too much money!”  “Technical security will ruin innovation!”  “Locking information down will destroy the free market!”  Subsequently, President Obama issued an executive order to accomplish at least some of the objectives set out in the legislation.  In the meantime, the NYT not only got hacked but had the courage to admit it in public, unlike the pattern in most corporate sectors where the practice has been to shield that information, acting as if it is not a public policy issue but a corporate one.  The point: it is a public policy issue.  That is why even if there is something akin to “hyperbole” (which I read not as that quality but urgency) it doesn’t matter: it remains a major public policy issue and should be addressed as such and not individually, network by network.

The second policy issue is the connection between this one and access to education nationally.  The price of higher education is perhaps the most pressing issue.  I thank the New York Times, and the author of the article, Richard Perez-Pena, for highlighting the matter because it allows universities to demonstrate to parents of students, students, alumni, legislators, the public that the cost of providing quality education is meaningful, real and significant.  The millions – and there is no hyperbole there! – of dollars that an individual institution, not to mention higher education, has spent and continues to spend on technical security is a staggering figure.  (And I have not even addressed the larger scope of information management.)  So if one’s image of where the money is going in higher education is “overpaid faculty” or “administrators not acting like businessmen” or whatever the negative caricature is fashionable today, let’s draw attention to the real expenditures that are rational and necessary to the bone of supporting our missions.

The third policy issue is the broader, multifaceted goal of harmonizing privacy and security laws and practices globally of personally identifiable information held by corporations, and preserving and protecting institutional information and intellectual property of those entities.  That is a mouthful, a chunk so large that “corporate America” has Chief Privacy as well as Security Officers and teams of legal and compliance personnel working on the project.  (Harmonizing the privacy laws of developed countries that take a comprehensive approach with the United States, which has a “sectoral” approach, is job security just on that one point!)  Higher education has been much slower to the game of this unified effort.  (A topic worthy of its own blog.)  The point is that it should be a more unified effort, one recognized as a public policy issue, not piecemeal compliance.  And for that matter, international governance of the Internet raises its head, but that is also a very, very significant challenge, one worthy of more discrete attention.

Before this blog entry rivals War and Peace, let me conclude: we should see these issues in the fullness of their public policy light.  Higher education should take a lead in educating the public on their importance and prompting the country in debate about what the most reasonable approaches to addressing the issues would be in the interest of the citizen and not just the “corporation as a person.”  (I am also working on a blog about how in the twenty-first century the concept of citizen has decompensated into consumer, but elaboration waits for another time.)  Back at the ranch, I urge institutions to get their IT Policy and Security, Research VPs, Compliance and Privacy Officers, Risk Management, University Counsel and Tech Transfer together to discuss how collectively to pinpoint protection of institution assets of the university, from personally identifiable data to institutional information and intellectual property.  That effort alone might act as a model for how as a society we might move forward.