Improving Cybersecurity at Harvard University

In the digitalized world, hackers possess wider opportunities to gain unauthorized access to unclassified data such as financial information, email accounts details, and research and development. Therefore, Harvard University — among other higher education institutions globally — has been a frequent target for cyberattacks from different parts of the world. It is vulnerable mostly for two reasons:

1. Lucrative data within a single system: hosting a wide variety of sensitive and valuable data from social security numbers to cutting — edge innovation. This amount of attractive data is enormous.

2. Open — access culture and transparency: there is no strict control over the hardware and software that is used within Harvard community. Plus, students, faculty and guests use personal devices on campus which makes it hard to ensure that all of their electronics are secure.

Unfortunately, cyber-attacks are becoming more common and no one is exempt from them. Trying to protect everyone’s data in a piece-meal approach all the time is exhausting and unrealistic. Hence, a “threat modeling” approach can optimize network security by identifying a problem, and then it can find ways to block or alleviate the impending menace. This model determines what to focus on in order to keep a system secure. It is an iterative and agile procedure which requires constant collaborative decision making and risk assessment (what can go wrong.)

For example, we can threat model a vehicle even if no information was provided about its type/size/color. However, we can imagine possible problems that can happen to it, and brainstorm how to avoid them. For instance, the car can be stolen or its window can be broken because a thief saw an iPhone on the driver’s seat. How can these scenarios be avoided? Among a few feasible solutions are parking in a safe location, installing a camera or an alarm, and not leaving valuable things inside. We can examine each possible solution by answering four fundamental questions:

1. What are we working on (building)? Invite a group of people and brainstorm by jotting down the answers.

2. What can go wrong? STRIDE abbreviation stands for:

- Spoofing

- Tampering

- Repudiation

- Denial of Service

- Information Disclosure

- Elevation of Privilege

We can answer questions such as “How can someone spoof a problem or how can someone tamper with a malicious activity and so on.”

3. If something goes wrong, what will we do about it? Address each risk in some way.

4. Did we do a good job? Analyze that you have covered all the questions and possible outcomes.

According to the arguments outlined above, I would propose Harvard to install a “LastPass” software and encourage its community to use it. It is easily accessible, manageable, and comes with strong encryption algorithms. The only thing required is to remember one master password.

Needless to say, cybersecurity is a unique challenge which requires continuous review and investment to keep educational institutions secure. We cannot allow hackers to steal Harvard’s treasure trove of sensitive data.