Higher education can learn from the culture of apprehension that has evolved in the threat-conscious corporate sector.
Yes, I'm paranoid. And you should be, too.
I have a somewhat unique perspective when it comes to network security. Before I came to Northeastern Illinois University, I worked at Bell Labs for about 20 years. There we learned the meaning of the word “threat” the hard way, when people like Steve Wozniak started hacking into our telephone system using homemade “blue boxes” to make free phone calls.
Thus was born our culture of information technology paranoia.
As IT leaders in the academic world, we don't face the same challenges as our counterparts in the corporate world. True, we all face threats, but there isn't the same sense of fear and urgency in academia that there is in the corporate sector.
Perhaps it's because of a perceived difference in the kind of damage that can be done: Companies that are attacked can lose money, customers and their reputation in short order. What does an academic institution have to lose? Well, it takes money, customers (students and research sponsors, for example) and reputation to run a successful school, too. So our risks aren't all that different.
Back at Bell, in the heyday of phone hackers, two of our colleagues, William Cheswick and Steven Bellovin, developed the first firewalls.
Of course, the Internet was much more limited in scope in those days, but we had plenty to fear, not just from amateur hackers, but also from competitors. This culture of paranoia spurred us to further refine firewalls as we became increasingly connected and potentially threatened.
By the time of the first big disaster on the Internet – the worm released by Robert Morris, Jr. in 1988 – we were fully protected, while vast numbers of Internet-connected public and private sector organizations went dark. This proved to me that our paranoia was justified and that security would continue to be an important aspect of computer operations.
The challenge for academia and the corporate world alike is to find the balance between having enough security to protect personal information and intellectual property and ensuring the freedom to conduct business efficiently. Higher education has been slow to address these requirements for a variety of reasons, including lack of funds, ad hoc architectures that grew in fits and starts as funding became available and, quite likely, a deliberate rejection of corporate values.
When I joined the IT team at Northeastern Illinois, I was pleased to see that the staff had taken security seriously and had incorporated safeguards into the system, as well as building expertise to maintain it. I have visited many universities that have far too little security to be safe in this post-9/11 and post- Napster world. I find it difficult to imagine how some institutions are still able to survive without even deploying firewalls.
On the whole, universities can learn from the “healthy” paranoia that companies have adopted over the past few decades to avoid having too little or too much security. Thankfully, I see more and more universities trying to reach a middle ground, where they can preserve the free flow of ideas and information – and still prevent hackers from destroying their systems or using them to engage in other illegal activities.
Lack of funding, ad hoc architecture and a deliberate rejection of corporate values make network security lax at many colleges and universities.