As hackers have found their way into computer networks around the country in recent years -- putting individuals' personal information at risk of identity theft and embarrassing companies, colleges and other entities -- many if not most higher education institutions have significantly tightened their technological security.
But as revealed by recent security breaches at the University of Texas at Austin and the University of Alaska at Fairbanks, and two others announced Monday at Ohio University, the steps taken so far have far from completed the job of securing campus networks.
And one major reason why, college and university technology officers and experts say, is that given the highly decentralized nature of most colleges and universities, a significant amount of campus data are found in servers controlled by departments, programs or other "sub-units" that often remain outside the control of institutions' central information technology departments. The most recent incidents involved the business school at Texas, a branch campus of Alaska-Fairbanks, and the alumni office and a business incubator at Ohio, for instance, and other recent attacks hit smaller offices at George Mason University and Boston College.
"To the extent that universities have hired security officers or taken other steps" to lock down their campus networks and servers, "it often hasn't trickled down to colleges and departments," says Rodney J. Petersen, a policy analyst at Educause and coordinator of its security task force.
Just because a college's central administration doesn't control a department's network or data doesn't mean that it won't be held responsible if a breach occurs. As a result, many campuses are taking steps to assert more control, either by requiring local departments or programs to store their servers on campus networks or -- often to the same effect -- setting security standards so strictly that most departmental administrators decide it is easier to let the pros do it.
"Our approach has been to raise the bar sufficiently high and suggest that we in IT have a way of doing it," says David Escalante, director of computer policy and security at Boston College, where a hacker last year broke into a server on its campus run by a third party, gaining access to the records of 100,000 alumni. "A lot of people say, 'I don't want to do it -- you do it.' We've having pretty good luck with that approach."
Collecting Data, Almost Accidentally
Many individual departments and programs are in the data collection and storage business whether they intend to be or not, campus technology officers say. Some, says Escalante, are almost accidental data collectors, like the history department that puts on an annual symposium, and "Joe Department Chairman asks Jane Graduate Student, 'Can you please put up a Web page for the symposium and allow people to pay their $100 fee via credit card?' Then the page gets indexed by Google," and the data is available to the world, he says.
Other departments or programs have over the years taken charge of their own technology needs much more purposefully. Danial A. Updegrove, vice president of information technology at UT-Austin, where one of the recent security breaches occurred, says that at a major research university like his, many departments and colleges "need to have some customized information systems," like the business school's system for managing corporate recruiting visits or an education school's database for mentors for its student teachers in the region. "It used to be that all the programmers and analysts were in the central group, but now it's much more likely that they are out in the field reporting directly to the dean" or department chairman, he said.
And many of those departments and colleges have liked having that control, says Kenneth C. Green, founding director of the Campus Computing Project. "The relationships between some of these units are liking having an moody adolescent in your home," he says. "They want to assert their independence, want the benefits of living in the house, but also don't always want to play by the house rules."
College IT officials say they are mindful of the principles in the academy that tend to favor autonomy and look askance on overcentralization -- but also of the ramifications that can come crashing down on an institution, from students, staff, alumni and the public, when a security breach occurs. And when one does occur, "usually lost in the announcement is that it happened in X, Y, or Z academic unit," says Green. "It's Acme U., and it's the IT department that takes the heat."
"No matter how decentralized an institution is, there are certain policies -- 'financial control' policies, like that people cannot have their own credit card operations without permission from the comptroller -- that if individual faculty members violate them, they'll be dismissed," says Joy Hughes, vice president for information technology at George Mason. "What universities have come late to is the recognition that cybersecurity is a financial control issue, too, because there are direct costs and many indirect costs that are spent recovering from an incident, which can affect the quality of students you recruit, the loyalty of alums, the confidence that research agencies have in your institution."
To "command the attention" of data holders across the growing George Mason campus, the university has altered its "data stewardship policy" to increase the obligations on how departments and individuals use and store of personal and other information, and to subject violators to disciplinary action. In response, one department chose to maintain control over its own servers but to outsource their management to an outside company. Others have blocked outside Internet access to their servers.
But many others, she says, have turned management of their servers over to George Mason's central IT department. "When they're deciding how they want to spent their time and their resources," she says, "we want them to choose us."
Adds Escalante of Boston College: "Securing computer data is a significant problem, but it's not a core competency of much of the university outside IT. We're hoping more and more departments will focus on the things they're good at, and let central IT do something it has a core competency in. This division of labor thing does exist in universities, and it works. But it requires giving up a little independence."