Consider this entry part of the series within this blog exploring what IT Policy can contribute to Higher Education.
Internet security poses an ongoing challenge for higher education. The open technical protocols that provided the foundation for this world-historical innovation test our abilities to preserve and protect institutional assets and information that lie at the bedrock of our missions. While these challenges are part of the development of the Internet and already an area of attention in our network systems, the more recent concentration of persistent nation-state attacks that target library collections, research data and institutional intellectual property requires renewed and focused attention of higher education leadership and campus communities to tailor an effective response.
Persistent nation-state attacks represent a unique form of network security threat. Unlike garden-variety criminal security threats (such as intrusion into systems or devices to harvest personally identifiable data for the purpose of identity theft) or "hacktivism" (which can range from adolescent vandalism to concerted efforts made to promote a political cause), persistent nation-state attacks are characterized by support from sponsoring nation states that seek information for military, economic, social, political or cultural national interests. They are distinguishable quantitatively by the tremendous volume and persistence of attacks and qualitatively by their especially furtive and insidious nature; they often operate without notice to the user or even the network administrator. Given the motivation of these attacks and the information that perpetrators seek, higher education institutions are obvious targets: rich troves of research data and academic learning, and often incubators if not repositories of valuable intellectual property.
Persistent nation-state attacks are, according to U.S. domestic law, illegal. They expressly violate federal law, specifically the Computer Fraud and Abuse Act of 1986, 18 U.S.C. section 1030. But because they are deployed by competitive nation-states in an international landscape that lacks global Internet governance, legal enforcement is non-existent. Moreover, domestic market concerns in the United States have tended to minimize government interference. While a boon to the economic growth of the Internet, this disposition has the effect of minimizing governmental response to this particular problem. There is no "national firewall," for example, or comprehensive military approach to fend off these attacks. Information security is therefore the responsibility of each company, corporation or, in the case of higher education, institution that stands up a network. And of course, ongoing disclosures about the United States's own form of “espionage” have recently taken center stage.
It is in this complex international environment that higher education institutions must consider their options. For individual institutions, it requires a tremendous commitment of resources to manage information security generally, and to address these particular types of attacks specifically. Offices that represent faculty, research and government grants, previously satisfied to have IT security efforts focus on administrative systems, now find themselves especially vulnerable to attacks but without the administrative, technical or even physical security infrastructure in place to meet this challenge. The distributed structure and culture of most research universities exacerbate this problem, as it is often difficult to get the requisite attention of individual researchers to manage this risk. Finally, the diversity of higher education, a strength in so many respects, is in this aspect a disadvantage.
Higher education leaders must prioritize this issue. To begin, they might publicly call for a response. With allied universities around the world, is there an international response that might put pressure on particular nation states active in this area to behave responsibly, especially if, simultaneous with these disruptive actions, there are also efforts to partner in academic pursuits? Are there domestic government initiatives for which higher education should advocate? Are there collective approaches among our colleges and universities that might maximize information security? How can we direct our missions to this task, for example research in network security or global Internet governance on individual campuses? What kind and degree of resources should be given to secure our networks and data? Given our obligations to public service, shouldn't colleges and universities educate the American public about this issue? Its effects go to the core of economic competitiveness in a global market. It has potential effects on everyone’s livelihood, not just an academic’s, but perhaps only an academic can explain the connections between the attacks and every person’s concern.
Finally, even if the absence of international law causes a failure to identify these activities as criminal in a code, it does not take much imagination to understand them as antisocial and bully-like. What does that behavior say about the political state of the world in which we live? In the twentieth century, when faced with the specter of fascism, our “greatest generation” fought for democracy. The subtle nature of these attacks renders them difficult to detect. That fact makes the threat all the more potent. As the focused target of these attacks, higher education has ample reason to react. Let us not ignore the opportunity it poses to exercise higher education leadership to prioritize this issue, explain this threat to the public and protect the information and assets that lie at the foundation of our missions.