Mingling at the Dance (2020 Update): Cybersecurity and Science Cultures

What has changed in the higher education cybersecurity landscape since my 2016 EDUCAUSE Review Security Matters blog post, and what has stayed largely the same?

What has not changed is that cybersecurity still needs to be considered holistically. When cybersecurity initiatives are implemented, the business mission of the organization needs to be considered. A bank would not follow the same cybersecurity program as a hospital or a high school would. Each presents a very different use case, and trying to take a one-size-fits-all approach will not work.

The goal of cybersecurity is to manage IT-related risks to the mission of an organization. To accomplish this goal, the cybersecurity program must be able to adapt to the mission of the organization and to the particular risks associated with that mission. Higher education institutions are particularly complex when it comes to applying this heuristic. As Indiana University (IU) CISO Andrew Korty has said, "Colleges and universities are more like cities than businesses. There are research laboratories with varying types of research, administrative units, bookstores, cafeterias, dormitories, classrooms, museums, libraries, live and esports events, and so on—all with their own mission and needs."

In November 2019, Laz Andino and Jay Patel wrote an article for EDUCAUSE Review about organizations having a perimeter with a trusted interior.¹ This is a luxury that higher education institutions have never had. With their mix of students, staff, faculty, and public visitors, higher education institutions have been working with network segmentation since the inception of information technology on campuses. And when applying a cybersecurity framework, the biggest challenge for the information security team is not scaling to 500 or tens of thousands of employees but rather handling the diverse activities that happen on the organization's networks every day. How many organizations in other sectors host 100,000 people for a sporting event while performing cutting-edge research, putting on theater performances, and teaching tens of thousands of students?

This makes the increasing importance of research compliance in higher education—particularly since the emergence of the National Institutes of Standards and Technology (NIST) Special Publication 800-171—much more challenging. While more cybersecurity is good, the 800-171 program isn't necessarily the best fit for all parts of higher education institutions. For example, open science is highly collaborative, with activities crossing state lines and even international borders. With its focus on integrity and availability, open science benefits less—and even suffers—from strong confidentiality controls. In short, research can be hampered by an inappropriate cybersecurity program that doesn't consider some of its core concerns.

In response to 800-171, the National Science Foundation (NSF) Cybersecurity Center of Excellence (CCoE), led by IU, has started to formalize some of its guidance to provide a well-defined cybersecurity program for colleges and universities to use on the open science segments of their campuses. We're calling this program the Trusted CI Framework to formalize it and document it in a way that looks like what an auditor or an information security professional would expect to see from a cybersecurity program.

In my 2016 post, I detailed three key lessons the NSF CCoE team had learned about how the information security community can better work with scientists.

1. Learn to meet the scientists where they are.
2. Understand that science projects tend to be highly collaborative and include scientists from multiple organizations.
3. Recognize the culture that results from the time pressures that scientists face.²

Those three lessons remain solid tenets for any information security professional. Now, under NSF funding, Trusted CI, along with partners Duke University, the Pittsburgh Supercomputing Center, and the University of California San Diego, have established the Research Security Operations Center (ResearchSOC) to better support scientists and researchers.

The Research SOC builds on the technology developed for the OmniSOC project—a cybersecurity operations center housed at IU. OmniSoc was founded by IU and four other partners to scale the ability for higher education institutions to do incident detection. The ResearchSOC provides operational security services for large NSF research projects. The first large ResearchSOC research project will be online soon.

ResearchSOC leverages the expertise of Mike Corn, chief information security officer at UC San Diego; Richard Biever and his team at Duke University (Sharing Threat Intelligence for Network Gatekeeping with Automated Response, or STINGAR); and the Pittsburgh Supercomputing Center (Vulnerability Identification Service at the Three Rivers Optical Exchange, or 3ROX).

Under Corn's leadership, ResearchSOC hosted a workshop at the EDUCAUSE Security Professionals Conference in May 2019. During his standing-room-only workshop, Corn brought in researchers and demonstrated how workshop participants could use the tenets described above to talk to researchers. Corn held another workshop in December 2019 that was filled to capacity.

Clearly, those three tenets are as true today as they were back in 2016. Through these workshops, the ResearchSOC project team is making these tenets actionable and empowering higher education information security professionals to be more effective communicators and partners.

Notes

1. Laz Andino and Jay Patel, "Higher Education and the FBI: Working Together toward a Promising Cybersecurity Future," EDUCAUSE Review, November 26, 2019. ↩
2. Von Welch, "Mingling at the Dance: Cybersecurity and Science," Security Matters (blog), EDUCAUSE Review, October 10, 2016. ↩

---

Von Welch is Executive Director of Cybersecurity Innovation and Director of the Center for Applied Cybersecurity Research (CACR) at Indiana University.