Two IT leaders discuss a cyberattack that occurred at each of their institutions and share insights into preparing for future threats.
Ed Hudson
Chief Information Security Officer
California State University System
Brian Kelly
Director of the Cybersecurity Program
EDUCAUSE
Michele Norin
Senior Vice President and Chief Information Officer
Rutgers University
John O’Brien
President and CEO
EDUCAUSE
John O'Brien: Welcome to a new and special community conversation. Today, I'm joined by Brian Kelly, who is the director of the EDUCAUSE Cybersecurity Program. I'm O'Brien, and we're joined by two technology leaders who have not only survived, but powered through security incidents and are here to talk about them. So a welcome to Ed Hudson, who's the CISO for the California State University System, and Michele Norin, who's former EDUCAUSE board chair and the CIO at Rutgers University. Take it away, Brian.
Brian Kelly: Thank you both for joining us today. In cybersecurity and EDUCAUSE, we often talk about the importance of sharing what we've learned with each other. And then today we're going to talk about campus security incidents and what happened and what we learned during those incidents. So, Michele, we'll start with you. Could you talk a little bit about what happened during an incident and more importantly, what you or as Ed said, what we learned during that?
Michele Norin: Without being too specific, 'cause it's a little bit of a fresh circumstance, Rutgers was involved in a ransomware attack situation. It did not affect our data per se, it affected data of one of our partners, but it did affect our infrastructure. So we had a role to play in responding to the circumstance. I will say that in my career, this is the first time I've been this close to that kind of a cybersecurity incident.
Ed Hudson: For us, we were the largest four-year public university system in the country. So my scope is 23 different campuses and our chancellor's office. So we have had some successful attacks. We also had a fairly significant event at the end of last year that while it did not malware the ransomware was not detonated, it had a significant impact to IT operations. We were able to maintain academic and business operations at the campus, but the amount of effort that the particular IT team at this campus went through over about a four-to-six-week period was unprecedented for us. And in that case, what ended up happening was the threat actor, which we were able to tie to a nation state, came in and appeared to be doing some extended reconnaissance. And so while the malware wasn't detonated, we found them in the system, the system that our protectors that were in place alerted to them, but they came back several times. And so it was a very laborious process to root them out from where they were in the network, how they'd gotten in and where they had gotten in. And then, you know, trying to parse that out was an extremely impactful event for us.
Brian Kelly: So I know, Ed, when your incident was occurring, you sort of took the time to step out of that room and let me know that you were experiencing an incident and what you could share so that we could work to try to get that out to sort of anonymously out to the broader cybersecurity community, so that they could learn from your experience. And I think that's hugely important we talk about collaboration. So, you know, what takeaways are most urgent when we think about communicating to campus leadership and also across institutions to our peers?
Ed Hudson: Part of what happened when we were dealing with that event at one campus, because we were obviously sharing with all 22 other campuses of what we were finding because we're all in higher ed have some similarities in the way that we architect our networks. But also we found code from the threat actor that referenced another university outside of California. And so while the campus was working that particular event, my job is to orchestrate the resources from a system-wide perspective. And we thought it was important to get that word out to the broader higher education community with what we could share at the time and what we knew the threat actor's actions were. So, you know, we talk all the time about how, you know, the threat actors, the bad guys, the hackers, they're sharing information all the time. And I think, you know, John pulling this whole conversation together with Michele and I and Brian, and as we share with our colleagues and counterparts across the country, I think it's really important that we talk about what's happening. What are the kinds of attacks that we're facing? What are the indicators of compromise, so that we can help each other more effectively?
Brian Kelly: And Michele, do you want to give us the perspective from the CIO's seat during an incident?
Michele Norin: The circumstances and the situation that we had, there were some very fundamental key takeaways from that, you know, one is, think through what you would do in that circumstance. I mean, those of us that have been in the cybersecurity space for a long time, you know, typically you come up with your game plan, right? How are you going to respond? Who's on point, how do you structure? So there's a foundation of that that I think are important for some of these new threats, ransomware, any other kind of threats that come through. So, you know, revisiting those to be sure, do we remember what we need to do here? Secondly, these new situations, you know, like a ransomware attack, in my view, it is different. The players are different, you start in a different place, you need to have your legal team ready and prepped for what that might look like. Likely you'll need external resources to help you investigate, do the forensics, having the conversations with institutional leadership about, look, if we have one of these situations, this is how we're gonna have to approach it. We're going to need leadership to engage, to think about things like the legal guidelines to be following here. What can be said, what can't be said, are we gonna pay a ransom or not? Who do we need to be working through? And so priming that kind of conversation I think is important so that it's not a big surprise, you know, one day if I get to walk into the president's office and say, ah, we got to have a conversation. So I think coming up with a blueprint or some kind of a playbook specific to that circumstance I think is important. So I would recommend, you know, doing a table talk, trying to understand how that looks, working with other entities who've gone through it to say, hey, what'd you have to do? What should we think about, you know, who would we line up here?
And just try to learn as much as possible so that you're not caught off guard if you ever end up in that kind of a situation.