Avatar

Securing University Research

I recently had the honor of working with a global panel of leaders from across the higher education landscape contributing to the 2021 EDUCAUSE Horizon Report | Information Security Edition.  In this report, the Horizon panelists began with a blank slate and were tasked with identifying the technologies and practices they believed would have a significant impact on the future of higher education information security. 

Research security was one of the practices highlighted – and for good reason.  We’ve seen in the news that opportunistic cybercriminals and nation-state actors are targeting COVID-19 vaccine and treatment research. Although these attempts to steal intellectual property or disrupt progress are newsworthy, pandemic-related information is not the only research at risk. According to the NSF, total university-performed R&D surpasses $64 billion a year, and the sad truth is that all such research is increasingly under attack by hackers. 

Cyber defense was never easy, but the increased focus by cybercriminals and the nature of higher education make it particularly challenging to protect research environments. Industry and higher education need to partner closely to develop and deploy the right tools and make sure they work together to protect research environments and respond immediately to threats. 

Unique Challenges for University Research

What makes research a target? To paraphrase Willie Horton, “That’s where the money is.” Researchers are developing valuable data that criminals can sell and nation-states can leverage. Several other unique challenges likely also make research institutions attractive to hackers:

  • Users like the feel of an open environment, so institutions need to give them easy access to the information they need and allow them to share, while protecting them from threats.
  • Research institutions have a large volume of sensitive data, which is usually housed in individual research labs or on an individual researcher’s computer. This dispersed architecture can give multiple paths to exploit vulnerabilities. 
  • Many personal devices are connecting to institutional networks and likely contain sensitive data. Researchers could be putting valuable information at risk when they engage in activities such as checking their email while on public Wi-Fi. 

Research labs might also be subject to requirements as a condition of receiving grant funding. Given that over $30 billion per year of research funding in the US comes from the federal government, the Cybersecurity Maturity Model Certification (CMMC) is looking like it will be the toughest of those requirements. The Department of Defense is starting to require it for their contracts, and civilian agencies are talking about using it too. It is based upon NIST SP800-172 capabilities but adds requirements from the Federal Acquisition Regulations (FAR) and Defense Federal Acquisition Regulations (DFAR). Moreover, you can no longer self-certify that you meet CMMC requirements: to bid for funding, you must be certified by an approved auditor. 

The Role of the Technology Solution and Service Provider Community

The path to defend research will depend on both institutional goals and the needs of researchers. As your technology solutions partner, our job is to roll up our sleeves and help your institution implement an effective cybersecurity environment that meets your specific requirements. 

How can industry and academia partner to prepare for secure research environments?

  • Assess the security posture of your institution and develop a planned end-state. Technology vendors should work with education institutions to develop security goals, provide expertise and tools to help understand the current environment, and then partner to develop the security architecture for the future. 
  • Use best practices and requirements. As you plan, guidelines such as the CIS critical 20 or the NIST Cybersecurity Framework (CSF) are widely used ways to make sure you are addressing all the risk factors. If you’re handling personal data, you may want to look at NIST SP800-171, and if you have federal grants, you should start looking at the additional Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation (DFAR) clauses of CMMC. 
  • Look for quick time-to-value. Look for tools that, because they are easy to implement and cover large security gaps, allow you to move toward your goals, while showing quick results. This could be something like DNS protection that prevents users from surfing to websites that serve up malware or provide backdoors to criminals. Another fast win is multi-factor authentication to protect against credential-theft account takeover.
  • Think “cloud smart.” Cloud security and cloud apps can help you get things up and running faster and be easier to manage, but they can get expensive and may not be the right fit for every situation. Weigh your options and make sure your choice fits into your long-term security architecture plan.
  • Demand integration and automation. Stand-alone or hard-to-integrate security tools no longer have a place. Any tool you add to your environment should integrate seamlessly and be easy to manage, with visibility into your environment and the ability to take quick action when needed. 

Protecting your university research data from cybercriminals is critical to success. As your industry partner, we are proud to help you meet your research and innovation goals, while deploying effective, seamless, and integrated security. 

>> Facilitate safety and security at your institution



Authors

Peter Romness

Cybersecurity Principal, US Public Sector CTO Office