A recent New York Times article by Richard Perez-Pena on shaky computer security at U.S. universities sounded familiar to us at California: We ran a piece in 2012 on the proliferation of email scams and cyber crimes.
Perez-Pena’s piece got us wondering if university servers are indeed especially vulnerable to hackers and cyber attacks. More to the point, it got us wondering just how secure Berkeley’s systems are—so we called Paul Rivers, the University’s manager of system and network security, to find out.
Well – it turns out there’s real cause for worry. And that’s putting it mildly. Still, Chicken Little-style panic is hardly the appropriate response, emphasized Rivers. He favors a more measured approach.
“Yes, it has me concerned,” Rivers said. “But what I’m most focused on is expansion of our response so we have better risk management. In the last year, the University doubled our investment in security, from $1.5 million to $3 million. And that’s just at the central level. There are also investments in the distributed environments, involving different departments such as law and electrical engineering.”
Rivers said he is “emphasizing an approach that starts from the beginning, engaging all departments. It’s a cliché, but security literally is everyone’s job. It has to be ongoing, and it has to involve everyone from department heads to IT technicians.”
The problem has mushroomed in recent years because the “attack surface” has expanded massively, continues Rivers.
“There are many more devices, a much bigger network, expanded cloud services, with costs going down for everything – plus, you have more and more people capable of sophisticated attacks. There is a thriving black market (for data purloined from computers) – and not just for traditional stuff like social security numbers and ID information. Universities have plenty to lose on the research side – patents, research grants, even good community relations if bad press results from certain projects that are publicized inaccurately or inappropriately.”
In Perez-Pena’s article, most of the attacks on university computer systems are identified as coming from China. But such blanket attributions, said Rivers, make him “squeamish.”
“I know it’s popular to blame all of this on China,” Rivers said. “And perhaps that’s true to a large extent. But attribution is very tricky – we’re simply not in a good position to say with certainty that we know the origin of a given attack. Yes, it may look like it came from China – but that could be a ruse. If I see an attack that looks like it originates from a specific university, I don’t necessarily assume it is coming from someone who works at that university. Maybe the computer is compromised, or maybe the attack is being bounced through the system of that university. You have no idea how many hops it took.”
Further, says Rivers, simply blaming China for all computer attacks establishes a disturbing and xenophobic subtext to the computer security issue.
“We don’t want to start blaming ‘the Chinese’ for all our security issues,” Rivers said. “That can have very negative consequences for Chinese nationals who are legitimately attending or teaching at our universities – or even for Chinese Americans. I think we need to make some distinction between the games governments play and what it means for everyone else. Where my own work is concerned, it doesn’t matter if 90 percent of attacks are coming from China – or Russia, or France, or any other country. At the end of the day, what matters is mounting an effective response.”