Contact KU and higher ed reporter Sara ShepherdHave a tip or story idea?
If the rest of the world were as crime-ridden as the digital world, nobody would leave his house.
Not that staying inside would make you safe. Hundreds or even thousands of times per day, every day, some stranger would be turning your door handle, just to see if it might be unlocked. And somewhere out there, far more sophisticated intruders are trained to wait in the hidden corners of your own home until they’re able make off with your most valuable possessions.
An institution the size of Kansas University has thousands and thousands of entry points into its computing systems. Behind some of them is extremely valuable loot: the personal identifiers of students, faculty and staff, as well as sensitive information garnered from research and potentially lucrative intellectual property.
Rob Arnold, the information security officer for KU’s Information Technology services, is the man charged with keeping the world's cyber criminals at bay. Supported by a budget of less than half a million dollars, Arnold’s office is responsible for tooling the security architecture, assessing and responding to threats, and training students and faculty on how to protect sensitive campus information stored in the digital world.
Remove the blazer and wire frames, and Arnold, with his buzzed hair and bulldog build, could just as easily fit the part of security detail at a nightclub or hotel.
Arnold heads a full-time staff of six, with additional help coming from students, faculty and IT staff with security expertise. Arnold himself has been on the job for about six months after 18 years at Waddell & Reed, a financial company based in Overland Park.
Going into the school year Arnold will have more money to put toward staffing and technology. The budget for the IT security office increased from $350,311 in the fiscal year 2013 to $483,528 in fiscal year 2014, a jump of about 38 percent.
Paul Farran, chief of staff for KU IT, said the budget increase was a priority for Director Bob Lim. When Lim, who was traveling and unavailable for comment, joined he decided to reallocate the department's funds to boost the security budget, Farran said.
Cybercrime has been getting a lot of press of late. Reports surfaced earlier this year about attempts by Chinese hackers to break into U.S. news outlets, including the New York Times and the Washington Post. Shortly after, a report from digital-security company Mandiant laid out details about cyber-spying on U.S. companies carried out by a specific unit of China's People's Liberation Army.
Last month, the New York Times published a report about universities across the country facing a "rising barrage" of foreign cyberattacks, millions every week, most of them from China.
Numbers like those can be misleading because they don't distinguish between a successful attack and what Arnold describes as "jiggling a door handle," automated and usually clumsy attempts to find vulnerabilities in a system.
Rodney Petersen, director of the cybersecurity initiative of Educause, a nonprofit focused on IT issues in higher education, said that the rising numbers of recorded attacks could be, at least in part, a measure of our increased ability to detect those attacks.
Arnold is guarded with information about the details of KU IT security, which is probably what you would want from someone paid to guard information for a living. He doesn’t want to say how often the university comes under cyberattack. Partly, he worries that an understanding of the differences among threats could be lost through disclosing raw numbers.
“One guy with one laptop could generate a hundred thousand attacks in a day depending on how you define an attack,” he said. "Anything connected to the Internet is continuously under probe.”
Protecting its assets
Along with having thousands of devices connected to its network, and thus entry points into the system, the university also has a wealth of digital assets that could be worth something on the black market. Students submit Social Security numbers, health records and other personal information to the university, which then stores that information in computers. Perhaps more valuable, faculty and graduate researchers develop knowledge and technology that can be, and often are, patented.
The majority of cyber-criminals are vandals and petty thieves who are usually not looking for lucrative profits. They might simply want to monkey with a website's appearance, send a virus into the system, or take information just because they can. For instance, last fall a hacking group calling itself Team Ghost Shell claimed credit for the theft and publication of tens of thousands of email addresses plus usernames and passwords stolen from 53 universities, including Harvard, Princeton and Cornell.
Although it didn't list universities as a major target, the Mandiant report makes clear that more sophisticated, and government-supported, hackers are out there. They can breach a system without detection, linger for months or even years, and make off with prized intellectual property: data, schematics, blueprints, patent notes, and other valuable information.
To date, no such attack has occurred in the KU IT system, Arnold said. According to the KU general counsel's office, there have been no instances in the last five years where personal identifying information or intellectual property have been compromised through cyber attack.
Generally, Arnold said that the Times characterization of attacks on universities didn't quite jive with reality as he knows it.
"I don't think it would be right to characterize what we see here as a massive upswing in attacks," he said. But that doesn't necessarily mean the university's systems are safe. "We are under heavy attack, and we fairly well always have been. That's not news."