KU to figure cost of computer security

Lawmakers ask how much universities need to spend to upgrade systems

? With viruses rampaging and after Kansas University computer security has been breached twice this year, state lawmakers want to know what it would cost to upgrade security of university information systems.

Speaking on behalf of the state universities, Kansas University Vice Provost for Information Services Marilu Goodyear told lawmakers that fending off hackers and viruses was consuming more money and staff time.

“All are challenged by our difficult fiscal circumstances to put staff into this area,” Goodyear said recently to members of a legislative committee that focuses on information technology.

With each new semester, students bring with them thousands of personal computers, “all with vulnerabilities,” she said.

Computer security and preventing copyright infringement are becoming critical, officials said.

While students and faculty need the ability to share computer files, the practice has its downside in illegal distribution of copyrighted material, such as movie and music files, and is sometimes the source of computer virus infection.

“Keeping up with that is a real cat-and-mouse game,” Goodyear said.

Campuses are exempt from liability under federal law prohibiting copyright infringement, but the university must follow a schedule of graduated penalties against people discovered to be violating the law, she said.

Members of the committee asked Goodyear and officials from other universities to present a proposal on how much would be needed to provide the optimal computer security systems.

“There needs to be an assessment of where each university is at,” said state Sen. Tim Huelskamp, a Fowler Republican who is vice chairman of the House-Senate Information Technology Committee.

Committee members said they would like to have those assessments and cost estimates by November, so they could prepare to seek appropriations during the 2004 legislative session, which starts in January.

“I have no doubt that the regents institutions are secure,” said committee Chairman Joe McLeland, a Wichita Republican. “But I also believe there are a heck of a lot more hackers trying to break into systems than there are people to defend.”

Later, Goodyear’s office told the Journal-World that KU did not know how much it spends on computer security and didn’t plan to provide lawmakers with an estimate of how much it would cost to have optimal security until a formal request for that information was made by the Kansas Board of Regents.

McLeland seemed mystified by that response. “November is when we want those numbers,” he said.

This year, KU has been hit by two security breaches. In January, a computer hacker downloaded files on 1,450 foreign students, and in April, the names and Social Security numbers of 920 students at KU Medical Center were mistakenly posted on the Internet for a week.

Goodyear said one of the main efforts in securing the computer system was educating users through a variety of programs. Web sites devoted to computer security at KU include www.security.ku.edu.

James Bingham, chief information officer at KU Medical Center, said the most important strategy for security was “defense in depth,” which means many different security measures are deployed so if one system is breached, the entire system will not be at risk.