In May, Penn State revealed its computer networks were infiltrated by Chinese hackers who downloaded user names and passwords. At a press conference, Provost Nick Jones said Penn State first learned about the breach in November when the FBI alerted the university.
“In a coordinated and deliberate response by Penn State, the college’s computer network has been disconnected from the Internet and a large-scale operation to securely recover all systems is underway,” said Jones.
Then, in June, Harvard University disclosed a data breach of its network, too.
They aren’t alone. The University of Chicago, Auburn, and the University of California, Berkeley, all suffered hacks this past year that compromised the personal information of faculty, staff, students and alumni.
These breaches are happening more and more frequently, but hackers aren’t always looking for the same information.
In some cases, the attacks are targeting intellectual property and research. But more frequently, they’re after addresses and phone numbers, transcripts and social security numbers.
“You can worry about intellectual property on a college campus, but a lot of the cases we’ve seen have not been that,” says Josephine Wolff, a fellow at Harvard’s Berkman Center for Internet and Society.
Wolff says colleges are facing a tough choice: sacrifice security for the sake of access, or lock down their networks and undermine collaboration and sharing on campus.
“I think what’s really at stake for the universities is trying to maintain this atmosphere of being open collaborative research institutions but to not be worried that they’re going to be kind of a gateway in for bad guys,” says Wolff.
She says the ever-changing digital landscape further complicates cyber security on campus. No university is emerging as a model, because the industry standard doesn’t exist yet.
“Nobody knows exactly what a model would look like,” Wolff says. “Would the model for universities be somebody who was super secure and had locked down everything and was scanning every single device that came on to campus? A lot of campuses would tell you that they don’t want that. That’s not their ideal.”
With so many students and faculty bringing their own devices, scanning every computer and smart phone is a tough sell, says Christian Hamer. He’s Chief of Information Security at Harvard.
“Defending networks in general is a difficult challenge,” says Hamer. “I think that we’re seeing these issues across industries. I don’t think that higher ed is unique in any way.”
Josephine Wolff, with Harvard’s Berkman Center, disagrees. She says universities are unique because they tend to have computer networks equal to major corporations, but with fewer privacy protections.
“For the most part, when we see data breaches, they’re data that’s not being stored by you personally, they’re data being stored in bulk by an administrative office, and you as a student or a faculty really have no control over how that’s being handled,” says Wolff.
Security expert Lysa Myers says colleges are starting to realize that cyber attacks have tangible consequences, and both individuals and institutions need to be more vigilant.
“I hope that there’s a growing sense that there’s benefit for each of us to protect the network of the universities,” Myers says. “It’s not just about protecting some kind of faceless corporation. You’re protecting your own research. You’re protecting your own reputation.”
And protecting data isn’t as easy as it sounds. Many companies are developing software solutions to issues of cyber security, but the technology isn’t enough. Myers says it’s about setting priorities, and getting buy-in from faculty and students.
“My hope is that this has kinda permeated the popular consciousness enough that people will start thinking about it as opposed to having a problem and then realizing after the fact,” says Myers.
Molly Boigon contributed to this report.
[Cross-posted at On Campus: The WGBH News Higher Education Blog]