How AI Is Changing Campus Cybersecurity: 4 Key Challenges

EDUCAUSE Exchange | Season 5, Episode 4

Artificial intelligence is amplifying cybersecurity risks in higher education by making threats like phishing more effective and vulnerabilities easier to exploit, while increasing pressure on institutions to strengthen security without sacrificing openness, innovation, or the academic mission. This episode examines four key challenges facing cybersecurity leaders.

Gerry Bayne: Welcome to EDUCAUSE Exchange, where we focus on a single topic from the higher ed IT community and hear insights, perspectives, best practices, and more. The introduction of general-purpose language models has intensified attention on the growing capabilities of AI reshaping campus cybersecurity threats, not by inventing new ones, but by accelerating threats that already exist. And for colleges and universities, which are open by design, that challenge is especially complicated. In conversation with cybersecurity experts and leaders, four themes around this topic emerged. Number one, AI is accelerating familiar cyber threats.

Mohammad Ahmad: What has really changed this game is obviously speed, personalization and believability.

Gerry Bayne: That's Mohammad Ahmad, assistant professor of management information systems at West Virginia University.

Mohammad Ahmad: AI obviously did not reinvent phishing or did not really invent cybersecurity threats. It just simply removed the attackers' barriers that used to exist in the past and made these scam attacks or these cybersecurity attacks cheaper, easier to make, and obviously faster to put out there for public.

Bruce Schneier: AI exacerbates an already existing problem.

Gerry Bayne: Bruce Schneier is a lecturer in public policy and a security technologist at Harvard University.

Bruce Schneier: There's often not much an organization can do, which is why they resort to, well, maybe we can train the user. Maybe we can fix the user because they have no other options.

Josh Callahan: I think we're in a transition phase on that.

Gerry Bayne: Josh Callahan is chief information security officer at California State University.

Josh Callahan: We're starting to see more phishing. We're starting to see fraud and identity challenges that are significantly harder to sort through, but we haven't totally moved into the new world yet.

Mohammad Ahmad: Now AI can basically generate almost flawless emails. These emails sound like they are coming from the department chair or a student or an HR personnel or even IT support. So the attackers do not really need to have these sharp skills crafting these attacks any longer. The AI can do that for them. All they have to do right now is really scrape the information, public information about their target about the university. They can get that information from the university websites or LinkedIn and they can create passages that feel very specific and very, very real.

Gerry Bayne: Number two, AI is making traditional awareness training less reliable.

Josh Callahan: Yeah. I mean, I think this is pushing a lot of us to do better. I mean, security awareness training has not been as effective, I think, as we all wanted to. I think we're constantly looking at what does the research show? How can we improve that? I'm definitely having a lot of conversations about how do we get particularly more useful student-facing content. I think we really need to engage with students at a digital literacy level. And I think a lot of other people hit a point where they said, "Oh, well, students are coming as digital natives. They know how to operate in these environments. We don't need to really do the old tech tools model of here's the basic skills you need." But I think really when you look at the layers at which people operate in our technologically mediated society, being a native of using Web3 abstracted social media and communication tools doesn't actually give you a deep understanding of how that communication flow works.

Mohammad Ahmad: So we are adapting the universities or campuses, they are adapting to this in a few ways. We are moving away from the traditional spot, the type of cybersecurity awareness. This does not work anymore. The new trainings that these universities are adapting are right now focusing more on behavior. They're focusing more on the unusual requests. So we ask people to slow down obviously before clicking. We ask them to confirm payment or credential requests through security channels that are embedded in the university or in the campuses and obviously to report suspicious messages quickly.

Bruce Schneier: I have never been a fan of the educate the user paradigm. I think that puts the blame in the wrong place. It's not the user's fault. These are sophisticated attacks. These are hard attacks to detect. I mean, I know people who are cybersecurity experts who have gotten fooled if the attack comes just at the wrong time in just the wrong way. I think in terms of system redesign that people should be protected from their own mistakes. That often isn't anything that an organization can do because it's the products that they receive. It's the banking websites, it's all of the services. But I want to see more defense in depth, less reliance on the user getting it right and more defense within the system.

Gerry Bayne: Number three, AI is raising the stakes on basic security practices.

Mohammad Ahmad: Right now, campuses are strengthening identity controls, MFA, two-factor authentication, control access, you name it. Even many are even adapting or adopting a passwordless authentication. They don't even need to have a password anymore. And right now, something that also universities are doing or campuses are doing, they're treating IT as part of cybersecurity. Sorry, AI as part of cybersecurity. It's not an IT issue any longer. It's a cybersecurity issue. So AI and cybersecurity almost are together.

Bruce Schneier: All customers need to demand from the vendors that they implement better systems that are more resilient to phishing attacks, more resilient to fraud in general. And you could think about ways that your banking system is more resilient to fraud. There are transactions that you just can't do remotely, that the bank will call you. The bank will demand additional authentication to make sure that you know what you're doing. That's specialized, but that's where that matters.

Josh Callahan: Even systems that put a human in the loop and largely automate everything, you create a situation where you start actually looking at things. So you need to build systems where you're still looking at some number of events as an actual check.

Mohammad Ahmad: The real danger, however, is overconfidence. That is the major issue you have there. Not the fact that it hallucinates. We all know that AI systems hallucinate. The problem is those systems hallucinate with confidence. They sound like they know exactly what they're talking about. So they confidently summarize the wrong thing. So this can make a weak signal look more certain than it is. And obviously if those teams rely blindly on AI generated summaries without actually going and looking at them, they might actually end up missing the real incident here or there.

Gerry Bayne: And number four, AI is testing institutional openness and risk.

Josh Callahan: We really need to be in the driver's seat and bringing up the issues around ethics and policy development and responsible use that we've learned and built over the last few decades in a needful way.

Mohammad Ahmad: Higher education really cannot govern, in my opinion, AI the same let's say banks or IT institutes or defense contractors might. We are different in nature. Universities are open by design. We have different interacting units. We have teaching, we have research, student learning, public reach, public service, public vendors, you name it. In my opinion, and I think this is what many campuses are approaching this problem. What they're doing is here is risk-based governance. So for instance, you can categorize the AI usage based on how risky that use is. So for instance, you can say, "All right, I'm going to have, let's say three categories, low risk use." For instance, you can use AI for brainstorming or coding, simple coding exercises here or there, or even writing documentation or even translation, even summarization of public information, or even tutoring something also that we encourage students to do, go to tutoring.

Mohammad Ahmad: And we don't mind using AI there. This is considered as low risk. And then you move to maybe to second tier where it's maybe medium. There is a medium risk if AI is used, for instance, for designing courses or grading students' assessments or summarizing or even creating student feedback or interacting with internal records or attaching, for instance, administrative tasks here or there. So this could be in a gray area. And there is obviously you can say there is a very high risk use if you end up using AI for obviously sharing students' records, HR data, or financial information. So we can categorize that. Based on how you're going to use AI, we classify you into this category.

Gerry Bayne: AI is accelerating familiar cyber threats, is making traditional awareness training less reliable, is also raising the stakes on basic security practices and testing institutional openness and risk. That's our four challenges for cybersecurity and the age of AI. I'm Gerry Bayne for EDUCAUSE. Thanks for listening.

This episode features:

Mohammad Ahmad
Assistant Professor of Management Information Systems
West Virginia University

Bruce Schneier
Lecturer in Public Policy
Harvard Kennedy School

Josh Callahan
Chief Information Security Officer
California State University