We All Need to Be in the Cybersecurity In-Group

We are all in this together.

Not even the best university IT security team can take on cybercrime alone. The team needs partners throughout the university, including IT professionals, faculty, staff, students, and — well, yes, pretty much everyone.

During National Cyber Security Awareness Month at the University of Michigan, we take extra steps to empower the members of our community to protect themselves, each other, and the university. Our flagship event for the month is SUMIT — Security at University of Michigan IT — an annual, on-campus cybersecurity conference offered at no charge. It presents a rare opportunity for members of the university community, and the southeast Michigan community at large, to come together to hear nationally recognized experts from higher education, industry, civil liberties organizations, law enforcement, the military, and government discuss the latest technical, legal, and operational IT security and privacy threats and trends.

SUMIT is open to everyone because we want everyone at U-M armed with the knowledge to protect themselves — and those they work with and care about — from cybercrime. We also want them to understand the issues so they can think through for themselves the trade-offs between privacy and security, between ease-of-use and level of protection.

SUMIT 2015, October 22, Rackham Auditorium

Starting the Conversation

Back in 2005, when SUMIT began, attendees were mostly IT staff in central and unit-based IT departments across the university. Some of them were students who did system administration for U-M departments. They gathered to hear about U-M's security initiatives and the goal of "building a distributed network of skilled IT security professionals to protect the university."

They heard about risk assessments, the latest viruses and other malware, and initial plans for implementing two-factor authentication. And they heard a U-M lawyer specializing in cyber law speak about protecting sensitive data.

Joining the Cool Kids

IT staff members had a sense of being invited to join the cool kids who knew enough about hacking to protect the good guys from harm. One presenter that first year showed participants how to find hidden information using Google and then told them how they could protect those they worked with from this "dangerous form of information leakage."

SUMIT began with an "in-group" of people in the know — the tech-savvy white-hat hackers, IT security professionals, and experts thinking about related policy and the legal implications of the threats and IT security challenges of the day. Those of us without a strong technical background felt a little out of place at first, but we were welcomed.

SUMIT quickly expanded its audience, moving in its second year to the larger campus venue that has become its regular home. Over the years, through the education provided at SUMIT, the in-group got bigger. Government and law enforcement experts gave presentations. Speakers from IT security companies, such as Symantec, FireEye, and Splunk, and software companies, such as Microsoft, Apple, and Oracle, talked about the threats they were seeing and what they were doing about them.

Broadening the Conversation

The idea was to broaden the conversation and share the knowledge, to build a community of people working together to improve IT security. SUMIT often includes some highly technical presentations, but it also includes talks by privacy experts, prosecutors, educators, Fourth Amendment scholars, lawmakers, researchers, and journalists. One year, participants even heard about physical security and lock picking.

IT staff from the university and surrounding communities listen to the presentations and ask lots of questions. They talk with faculty and exchange ideas with students. Students ask questions about IT security careers and get a first-hand look at some of the opportunities. Last year, more than 270 people participated in person, more than 170 joined via live web streaming, and others viewed the presentations online after the event. Other universities even stream SUMIT as part of their National Cyber Security Awareness Month events.

All participants get the inside scoop on the technical, legal, and financial aspects of privacy, cybercrime, and cyber espionage. Participants hear case studies about the detective work needed to track cybercriminals and nation-state actors. Last year, attendees learned about security and privacy issues associated with connected cars and the sensors that help vehicles detect and adjust to the traffic around them.

Panels, Presentations, and Posters

This year, we are trying some new things. We are broadening the conversation among presenters through panel discussions, and we are asking students to participate more fully by presenting their IT security research in a poster session. There is time in the SUMIT 2015 agenda for participants to view the posters and talk with students about their work.

A morning panel discussion on "Privacy, IT Security, and Politics" will feature Ari Schwartz, former special assistant to the president and White House senior director for cybersecurity, and David Sobel, senior counsel at the Electronic Frontier Foundation. The session is moderated by J. Alex Halderman, an assistant professor in the University of Michigan College of Engineering.

An afternoon panel on "Advanced Persistent Threats" will feature Tom Winterhalter, supervisor for the FBI Detroit Division's cyber squad; Jen Miller-Osborn, cyber threat intelligence analyst, Palo Alto Networks; Colonel Jon Brickey, Army Cyber Institute Partner Relations director for the national capital region; and Randy Hegarty, enterprise security IT manager, CISO Office, Penn State University. It is moderated by Donald Welch, University of Michigan chief information security officer (CISO).

We'll also have presentations. John S. Townsend, manager of Information Protection & Security for DTE Energy, will talk about the top 10 threats faced by the electric and gas sectors and mitigation actions for those threats. The Honorable Rick Snyder, governor of the State of Michigan, will help us tie the day's discussions together through a cybersecurity conversation with Welch.

By asking some of the presenters to be panelists and talk to each other, we are setting the stage, literally, for SUMIT participants to join the larger conversation. We can't afford to limit privacy and security discussions and information to an in-group. We all need to participate.

"We Are All on the Same Team"

Welch stresses, "We are all on the same team." In the larger higher education community, he is collaborating with CIOs and CISOs on shared approaches to improved IT security. This is his first SUMIT, a key opportunity to engage not only with leaders and experts, but with students and frontline staff who ask and answer the day-to-day questions about phishing e-mails, security threats, and new tools.

SUMIT brings them all together every year to keep the conversation and the learning going. This year, SUMIT begins a second decade of empowering and educating IT professionals, future IT security experts, and those who just want to learn more so they can better understand the importance of privacy and IT security in our lives every day.


Janet Eaton is a senior technical writer providing communication, documentation, education and awareness materials, and more to the Information & Infrastructure Assurance and Identity & Access Management teams in the University of Michigan's Information and Technology Services. She has attended SUMIT almost every year, beginning with the first SUMIT in 2005.

© 2015 Janet Eaton. This EDUCAUSE Review article is licensed under the Creative Commons BY-NC-SA 4.0 International license.