Internet Security: A Sisyphean Task?

As the Director of IT Policy at Cornell University for over twelve years I estimate that I spent the majority of my time working on security-related issues.  I began work, inauspiciously, on April 1, 2001.  A month later, I remember going over to the Law School with the Security Coordinator to talk about a breach that occurred with servers of the Legal Information Institute.   Hackers with Internet Protocol addresses that resolved to the People’s Republic of China had broken into the database and were removing tremendous volumes of material.  I inherited an acceptable use policy that had some references to security, for example the prohibition against sharing passwords, so my supervisor, Vice President Polley McClure, set me on the task of writing a separate security policy.  If common criminals and nation-state threats weren’t enough to keep us busy, script kiddies had just become popular.  Teen-age vandals who traded spray paint for computer programs proliferated illegal scans, computer worms and various other forms of malware at a rate that was blowing the roof off of our technical security analytics.

Under Polley’s watch, Cornell transitioned its “security coordinator” into one of the first full-fledged directors of IT security in the country.  That role, unlike its predecessor, had university-wide responsibilities.  It also began to acquire a number of F.T.Es who operated as security engineers to do scans, analysis, forensics, integrate technical controls into network, operations and information services as well as work with me on policy, help educate leadership at the university, stakeholders and the community about the need for improved security practices.  I do not know of a college or university that did not follow suite one way or another.  Simultaneously, Mark Luker, Vice President of Policy at EDUCAUSE in those years, put Steve Worona and Rodney Peterson on the creation of the EDUCAUSE Security Professionals’ Conference, the Internet2/EDUCAUSE Security Task Force and the inauguration of the Security List Service.  Most directors of security report to the CIO and many now join their CIOs at the institution’s risk management big table.   Altogether, counting tools and FTE and collateral assistance from offices of audit, counsel, and risk management, the total costs represent big money.

And yet the breaches keep coming.  Sometimes they derive from residual lapses in human error.  The spreadsheet with personally identifiable information from ten years ago that sits on an unprotected computer, or even worse, PII that gets posted on a web site because someone hit the wrong button.  Of increased attention since last summer are persistent nation-state threats.  While among seasoned players in the security arena this type is not new  but it has captured media attention for two principal reasons.  First, mad as a hatter, the New York Times lashed out at China in particular this kind of activity when it learned that the PRC military operations were allegedly responsible for hacking into the mail accounts of reporters whose beat was China.  Then came Edward Snowden and his disclosures.  Trickling out since June of last year, every time I think we have reached the bottom of the barrel, like Jason in Halloween, another one pops up to blow our collective mind.  Or at least it has blown mine.

The details of how and in what ways the United States has been operating offensive Internet security maneuvers should not surprise me. After all, I am a historian. Moreover, my father’s brother was in the Office of Strategic Services during the Second World War and then a member of the Central Intelligence Agency.  Revered among our family for his heroism as a saboteur jumping behind German lines and training spies in the U.K., my “Uncle Bill,” (nee Anthony Mitrano) made legendary stories of spies and saboteurs.  After 9/11 did I really think that the United States was an innocent player in the world of cyber warfare?   After Israel’s cyber attack on Iran, was it possible to imagine that our country was not involved?  And with my own introduction into this world of security incidents in 2001, how naïve could I be not to imagine that at least some sector of our government: the C.I.A., the N.S.A, or the military, were not also in the thick of these kinds of activities.

The most recent Snowden disclosures about the N.S.A. spoofing Facebook or using cyber warfare to monitor the Chinese company Huawei do not surprise me.  But when I make the connection between my academic analytic self and someone who has worked in and around the Internet security area for years I cannot help to be deeply dismayed.  How can our colleges and universities be expected to compete with this well-funded, hotly motivated, opaque world?  More important: how can we maintain our missions that rely on privacy and security, integrity and confidentiality of information?  I have long argued that our security operations need to rise to the higher level of information management.  That opinion remains.  I have long thought that IT Officers and Offices should not be made the administrative scapegoat for these breaches.  All too often CIOs have all the responsibility and none of the authority to manage information.  Uninformed administrators from other units collapse a complex world into one word, one solution: security.   Security incidents affect all aspects of our institutions: responsibility for managing them should be shared among units and constituencies.

But the most recent Snowden disclosures have given me pause.  Under the circumstances of a surreptitious undeclared cyber war, is network security a Sisyphean Task for colleges and universities?  Our sector has been severely criticized for our technical lapses, held to account so many demoralizing times, and spent so much money that we and our students cannot not afford to compete in a game that we cannot win.  At least this way, we can’t.  Not without knowing the full measure of what was and continues to go around us among and between nation states.  If there was ever a reason for transparency of these operations, it is the untenable position that our government has placed higher education.  Among essential democratic, citizenship principles, transparency would at least place this undeclared, and out-of-control, cyber warfare into a context we could at least begin to understand if not provide guidance, direction, and hope to address reasonably.