Cybersecurity: New Directions for Research and Education Networks
A panel of recognized national experts in online security was convened during CENIC’s 2017 annual conference focused on sorting through the various models of securing what was widely recognized as “insecurable” by those in attendance.
Moderator Sean Peisert, CENIC’s chief cybersecurity strategist, set the tone in his opening comments that focused on both the vulnerabilities and strengths of the network community.
“This notion of community makes us collectively vulnerable to cyber attack, much like the presence of unimmunized portions of the population do in a public health sense,” said Peisert. “On the other hand, if properly leveraged, our community may help us figure out how to protect our organizations, so our goal is to understand the challenges created by this community as well as to explore possible solutions.”
The panel included former director of Energery Sciences Network, Greg Bell, who is now CEO of Corelight, a cyber security startup company, and a member of the CENIC board of directors; Anita Nikolich, program director for cybersecurity in the division of advanced cyberinfrastructure of the National Science Foundation; and Indiana University’s Von Welch, director of the Center for Applied Cybersecurity Research (CACR).
Bell and his colleagues noted that CENIC was an ideal community to support such a discussion based on the range of its members including the needs of community colleges, research universities, public libraries, and K-12 schools.
“The threat model for large companies and major university campuses is similar,” said Bell. “Certainly there’s common criminality, distributed denial of service attacks, phishing, and even attacks from those targeting political dissidents or intellectual property. At the same time, network patterns change all of the time because of the bleeding-edge performance and global nature of all campuses where there’s no clear boundary between the 'inside' and 'outside' for that work.”
“There’s a total lack of control by design,” said NSF’s Nikolich. “Faculty does their own thing; students plug in everything from X-Boxes to their own computers. There’s this need for openness without too much control, and at the same time there’s a need to hold onto an understanding of all the risks.”
Her colleague from Indiana University agreed. “I think there’s a correlation between the size of a campus and the differences between research culture around cybersecurity and operational issues. I think it gets harder and harder the larger the university is,” said Welch.
Another complicating issue involves network interaction with patient medical data on those campuses with academic health enterprises.
“Right now it is a research question — how to deal with health data protected by HIPAA (the Health Insurance Portability and Accountability Act of 1996) and regular security issues?” said Welch. “There’s a ramp-up of security to accommodate health data generally as it creeps into our general data centers. We may need to move from just Science DMZs into medical Science DMZs to address these security needs.”
Panelists agreed that the issues shift when speaking of the challenges of security for libraries and K-12 schools that serve younger users.
“I think it is a valuable thing to prepare young people to be aware of how one can be manipulated online,” said Bell. “There are lots of life skills we convey to students in K-12 already and understanding online security may need to be another one.”
Von Welch cautioned that too much of a focus on the individual may be the sign of failure. Security is a shared responsibility between end users and institutions.
“We spend a fair amount of time trying to figure out where responsibility for security falls between people and networks and Google and websites,” said Welch. “Once we settle on the end user as having primary responsibility as we did with social security numbers and identity theft, I think it means that our system has sort of fallen down in a bad way. One of the places where CENIC and other collaborative institutions can help is to sort out these issues of where responsibility for these facets of security lies.”
Bell agreed: “This is where the public health metaphor is apt when it comes to network security. Personal action is important when it comes to an understanding of the impact of connecting a personal machine to a complex system like a major research university. At the same time, we need to take responsibility for the commons we share — a multi-faceted approach.”
Panelists agreed that the industry-wide secrecy surrounding the impact of security breaches is a problem for improving network processes.
“We’re lacking the post-incident analysis of the National Transportation Safety Board,” said Welch. “Right now we believe there’s more advantage to keeping these incidents secret rather than to publish it to get the information to the good guys. And that hurts us all.”
Peisert prompted a discussion of appropriate roles within the network and among the members of the network by asking about where in the CENIC community technical solutions could be applied. Suggestions ranged from baking security into the network more broadly than an individual institution, to CENIC serving as a repository for a range of acceptable solutions that members could tap into as needed.
“If CENIC is an instrument for discovery, could it also be an instrument for cybersecurity?” asked Bell. “If so, then members will need to start with a very simple set of services to avoid complicating CENIC’s mission.”
“If we shift our mindset to seeing cybersecurity as a way to help manage business functions, then the network becomes a lens to understanding those functions,” said Welch. “As soon as you recognize that, then that helps you understand what’s important about the business you do.”