Mingling at the Dance: Cybersecurity and Science Cultures

Grant-funded science projects are exciting. Imagine being a campus scientist leading such a project: you've defined a problem, spent hours — including evenings and weekends — writing a grant, and you've been selected from a competitive field to receive the award. Now you have a limited amount of time to build your team, execute your plan, and reach your research goal.

One common factor among scientists, no matter which science discipline they belong to or how complex the project may be, is the use of computing. Scientists use computers for simulations, data capture, storage, sharing, and analysis, as well as project management, collaboration, and the more mundane tasks like e-mailing, scheduling, and maintaining websites. And with computers inevitably come cybersecurity concerns. Even if your use of computers is minimal, threats such as ransomware and usurpation of your computers for a botnet or SPAM can seriously impede your research. Some projects will have a clear challenge around regulated data (e.g., HIPAA for certain types of health information and defense regulations for certain types of classified data), but for the purpose of this post we'll focus on projects where cybersecurity requirements may be less clear.

The importance of cybersecurity will not come as a surprise to readers of this blog. However, there are specific cybersecurity challenges for grant-funded science projects, and the infosec community can help resolve those challenges.

Grant-funded science projects face a number of unique challenges related to cybersecurity:

• Projects are rarely large enough to warrant hiring personnel dedicated to information security.
• The limited lifetime of a project makes them laser-focused (sometimes literally!) on their scientific goals.
• Science instruments can require specialized computing infrastructure that is difficult to update and challenges common information security practices.
• There is a common misunderstanding that an open science project that doesn't have confidentiality requirements has no cybersecurity concerns.
• Scientists find a plethora of (often contradictory) information security advice, leaving them feeling anxious, overwhelmed, and uncertain about how to begin addressing cybersecurity with respect to their research projects and data.

In the National Science Foundation's Cybersecurity Center of Excellence (CCoE), we've been working to understand the science community's cybersecurity needs and how to best provide leadership and guidance. An annual NSF Cybersecurity Summit has been key to building connections and trust within the community, with a willingness to share lessons learned being a key metric of success. Additionally we've been providing scientists situational awareness through cybersecurity training and best practices tailored to science and working with them one-on-one to address particular needs.

We've learned three key lessons in how the information security community can work with scientists:

1. Learn to meet the scientists where they are. Scientists have many concerns about the integrity of their science projects, but their language and thinking rarely map directly to cybersecurity. To effectively help scientists, infosec practitioners need to be able to listen to their scientific concerns and discuss how cybersecurity addresses those concerns. The CCoE has been working, in collaboration with ESnet and a distinguished working group, to interview members of the science community, establish a list of concerns from the scientists' perspective, and map those concerns to the cybersecurity risks. Our goal is to provide a translator between the two cultures and help the information security community understand how to best communicate with scientists while providing the necessary advice and support.
2. Understand that science projects tend to be highly collaborative with scientists from multiple organizations. Strict controls (e.g., firewall policies) that make sense for administrative computing might get in the way. Consider research-centric approaches such as Science DMZs and enable scientists to use your local authentication system across campuses. For example, your institution can participate as an identity provider in InCommon with attribute release to research projects in the Research and Scholarship category.
3. Recognize the resulting culture that stems from the time pressure scientists are under. Advice needs to be "digestible" and cast into small chunks described in the context of the scientists' goals. Information security practitioners need to listen, discern where cybersecurity is most critical, and prioritize recommended actions that deliver the most bang for the buck in a short amount of time.

Hopefully this post has conveyed some of cultural challenges of science projects and provided some actionable guidance to facilitate more productive discussions between information security professionals and scientists. If you'd like to participate in more conversations on this topic, consider joining the CCoE's discussion e-mail list.

---

Von Welch is the director of the Indiana University Center for Applied Cybersecurity Research (CACR) and principal investigator for the NSF Cybersecurity Center of Excellence (CCoE), a project funded by the National Science Foundation to work with its community on developing a culture of cybersecurity and addressing specific challenges. Additionally, he is the CISO of the Software Assurance Market Place, a DHS-funded facility to foster software assurance and software assurance research, and serves on the InCommon Steering Committee as an advisor for the research community. You can follow him on Twitter at @VonWelch and the NSF CCoE at @trustedci.