Regional Workshop Aims to Bridge Cybersecurity Gap for MSIs

Colleges and universities nationwide are being besieged by cyberattacks—from nation-state hackers to ransomware and phishing scams—and responding to these attacks can be more difficult at lesser-resourced institutions, which can include minority-serving institutions (MSIs). This summer, two universities and a regional nonprofit research network provider explored a new way to address that gap.

The inaugural CyberRISK (Regional Information Security Knowledge-sharing) Workshop, held July 11–12, 2019, brought together CIOs and CISOs from regional MSIs to introduce effective, community-developed cybersecurity protections and cyberinfrastructure. The joint project between Duke University, North Carolina Central University, and the technology nonprofit MCNC was funded by the National Science Foundation (NSF ORC-1929893).

"We were motivated to organize the workshop out of a committed belief that establishing communication and collaboration among MSIs would lead to tangible progress toward better protecting even the most resource-constrained institutions in the region. By sustaining collaboration, we could set the groundwork for further innovation and future community-based programs," according to Tracy Futhey, Duke University's CIO and a principal investigator (PI) for the grant-supported project.

The two-day workshop drew 21 participants from 14 MSIs within a 220-mile radius of Durham, North Carolina, and was organized around three key objectives:

• Educate and train participants in the operation of specific cyber-defense tools and techniques, with a hands-on workshop to configure tools for each participating campus.
• Provide a forum for national groups such as Internet2, EDUCAUSE, and the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC) to learn more about the needs of the MSI community and to share services and opportunities with MSIs.
• Provide opportunities for the participants to meet with their peers to discuss common issues.

To incorporate both administrative and technical aspects of effective cybersecurity programs, each institution was asked to send two participants: a "senior leader" who has the authority to guide policy and arrange financial support, and a technical representative with the skills and experience needed to implement IT tools that fit institutional cybersecurity priorities.

The workshop began with panel discussions featuring representatives from four national organizations: Internet2, EDUCAUSE, REN-ISAC, and Trusted CI. Damian Clarke, CIO at Alabama Agriculture and Mechanical University, then delivered the keynote address, and Michael Robinson from Jackson State University shared his institution's experience with the NSF's Campus Cyberinfrastructure (CC*) programs. The second day included a hands-on technical session with the open-source Shared Threat Intelligence for Network Gatekeeping and Automated Response (STINGAR) project (NSF1815691, NSF1840034), currently in development at Duke, and an exercise asking participating institutions to evaluate their specific environment using the Center for Internet Security (CIS) controls framework.¹

Post-workshop surveys were positive. All participants described the workshop as "very successful" or "extremely successful," and many expressed interest in continued engagement with one another and with the regional and national experts who attended.

"It was important to hear from other institutions that we are all facing the same issues," one participant stated in the post-workshop survey. "Through personal conversations, I was able to learn some strategies and initiatives that I can implement now."

To maintain momentum from the summer workshop, participants began a series of webinars this past fall to educate and stimulate dialogue on both security protections (CISO-focused) and policy matters (CIO-focused). "The resources we collected during and after the workshop are available [on the CyberRISK Workshop website] so others can use and build on them going forward," said Leah Kraus, NC Central's CIO and a co-PI for the CyberRISK project.

The workshop has also fostered ongoing discussion about future collaborations. "We're excited about the prospect of new security technologies MCNC is pursuing to help protect these campuses and others across the region," said Jean Davis, CEO and president of MCNC and a co-PI for the project.

Both participants and organizers agree that the workshop could serve as a model for similar workshops that could be offered throughout the nation. Future workshops could build on the concepts presented at the inaugural event, such as the following:

• Fiscal constraints, common throughout higher education, are pronounced for MSIs, where having staff devoted to cybersecurity is the exception rather than the rule. This creates special issues in cybersecurity, where sustained support is required to address constantly evolving threats.
• There is a growing gap between institutions, and one size does not fit all. Preparedness and infrastructure differ widely, depending on an institution's specific educational mission (e.g., type of degrees granted, fields taught, and research activities), size, and locale. Cybersecurity training options and their adaptability are critically important to guarantee relevance and improve the chances of successful implementations.
• Collaboration is essential, both in terms of regional consolidation of infrastructure and services as well as continuing education and exchange, both online and in person. The current practice of each institution setting up and sustaining its own IT infrastructure exacts burdens; developing shared infrastructures that can be economically managed and effectively distributed can increase the depth of resources available to institutions. Shared resources such as STINGAR can provide no- or low-cost expansions of information security protections. In addition, ongoing communication among peers (such as through an ongoing program of webinars and during periodic gatherings) can help to cement relationships and increase information sharing.
• Partners must be identified to sponsor and organize other regional workshops. The regional model and focus on cybersecurity at MSIs proved to be effective, and participants agreed that the model would "travel well," especially in regions with a certain critical mass of targeted MSIs. These include HBCUs, which are more numerous in the eastern and southern United States; tribal colleges and universities (TCUs), which are more numerous in the upper Midwest and Northwest; and Hispanic-serving institutions, which are more numerous in the southwestern and western United States.
• An organizational support structure with a focus on fostering institutional ties and sharing successful best practices can help to sustain and expand workshop and communication efforts. Dedicated and energetic leadership will be needed to sustain and improve upon what was accomplished in the first workshop. Institutional ties between colleges, universities, and national/regional organizations must be fostered to facilitate research collaboration and joint funding proposals for shared cybersecurity and cyberinfrastructure. Specific use cases and models of best practices were particularly helpful, according to some participants. Topics of interest included risk management, risk impact, account management or life cycle, phishing, and the challenges and successful practices of multifactor authentication deployment.

Detailed information about the workshop, including a final report, is available on the 2019 CyberRISK Workshop for Minority Serving Institutions (MSIs) website. The final report is also available on the EDUCAUSE website.

Note

1. Center for Internet Security, "The 20 CIS Controls & Resources," n.d., accessed November 25, 2019. ↩

---

Cara Bonnett is a Senior Analyst and Team Lead for Policy, Risk and Outreach for the IT Security Office at Duke University .