Colleges and universities collectively represent a worst-case scenario in cyber defense. Security professionals charged with protecting schools must often account for vast financial assets, large databases of personal information, and unrestrained usage of untested technology and services. They also contend with high annual user turnover, historically limited operating budgets, and national security concerns related to government funding.
Higher education user expectations further complicate cyber defenses. Students and faculty demand extraordinary openness, demonizing just about any control that might constrain information flow. More than just an opportunity to flaunt independence, academic research often requires collaboration across institutional and international boundaries, including sensitive data such as emerging intellectual property related to technology innovation and software code that may contain advanced proprietary algorithms.
While most businesses operate in the same global threat environment, very few are subject to the adversity that higher education institutions face. Rather, businesses can better restrict what services users can access, constrain where information can flow, and disallow internal connections from unapproved devices. Effective cyber defense practices in business are thus characterized by barriers and choke points that an organization can internally control.
Because of those fundamental operational differences, higher education institutions fail to protect themselves against advanced threats when they try to mimic business cyber defenses. Quite simply, schools have to defend more with less. To continue modeling their security functions on business practices reflects a denial that most schools are incapable of doing so effectively.
Comparing higher education institutions against like-sized businesses exposes severe cyber resource deficiencies. Starting at the executive level, I found in my interactions with New England companies that businesses typically hire a chief information security officer (CISO), a security executive specifically charged with strategically planning cyber defenses for the organization, when annual revenue reaches around $100M. Compare that to higher education institutions that I have found more typically consider hiring their first CISO at around $200M in operating expenses.
When we account for number of users as an indication of viable attack surface, the difference between businesses and schools is even more stark. Businesses that are just beginning to hire security executives may have around 250–500 corporate users. Commensurate colleges and universities may have that number in administrative and faculty users, but then add 5,000 or so students that need to be segmented, managed, and trained. That is a tenfold increase in what most security professionals will say is the primary threat vector for subverting their defenses.
Moving down the management stack to the front-line security personnel illustrates even more systemic cyber defense issues. In my work operationalizing information sharing networks in New England, I observed that major institutions with about $1B in operating budget may have 4–6 dedicated security staff, including a CISO or Security Director role. A business of similar size would be more likely to measure the number of security staff by dozens with fully staffed security operations centers providing 24/7 monitoring and response. For those schools just hiring their first CISO, the new executive would, at best, expect to have 1–2 additional unshared resources.
Unfortunately, based on 2017 data from the National Center for Education Statistics (NCES), more than 90% of US higher education institutions reported expenses below the $200M benchmark for hiring a security executive. Many of those, such as community colleges, completely lack dedicated security resources to manage defenses or respond to incidents. Those institutions that do get attacked often look to the state to aid in response.
These factors, combined with traditionally low salaries in higher education, have made it difficult for institutions to attract and retain experienced security professionals. So, even funded positions stay vacant because of the inherent lack of support combined with extraordinary responsibilities.
To effectively defend against a dynamic cyber threat environment, higher education institutions need to identify novel approaches for leveling the playing field or risk persistent damage from increasingly sophisticated cyber attacks. Accepting that sufficient security resources and capabilities needed for effective cyber defense are inaccessible to most institutions, the most rational course is to leverage their core strengths to define new pathways for success. Unlike most business environments, colleges and universities have a distinctive history of cross-institution collaboration despite operating in a competitive environment for students and faculty. That basis for collegial respect between institutions represents a significant differentiator between higher education and other business sectors, one that can extend to how schools defend themselves against advanced cyber threats.
By taking a consortium approach to cyber defense, institutions can realize stronger economies of scale while also quickly gaining advantage from the experiences of their peers. To start, colleges and universities should consider implementing a shared-executive model for establishing a joint strategic framework for cyber defenses. In this model, several institutions would work together to hire one full-time executive leader charged with responsibility over each of their security programs.
Several Canadian educational institutions piloted a shared security executive effort in 2017 under the non-profit Ontario Research and Innovation Optical Network (ORION). Beginning at the strategic level allows the participating institutions to proactively determine the most appropriate direction for their individual security programs while learning from each other where similarities and differences may guide decision-making. It also enables the institutions to chart mutually beneficial paths for new cybersecurity acquisitions and identify opportunities for shared operational capabilities.
An obvious next step, though admittedly contentious and complex, would be to consider shared infrastructure initiatives that distribute the cost of cyber defense solutions across collaborating institutions. The non-profit Ocean State Higher Education Economic Development and Administrative Network (OSHEAN) centered in Rhode Island is one infrastructure sharing pattern that higher education should consider. Originally founded to provide trustworthy internet services to a consortium of educational and government organizations, OSHEAN has recently begun deploying security solutions on the shared network that enable stronger group-wide defense against cyber attacks.
Where higher education institutions are grouped in close geographic proximity, OSHEAN may serve as a practical future model for security capability sharing. However, as more institutions move to cloud-centric infrastructure environments, there may also be emerging resource sharing pathways for geographically distributed institutions.
According to most metrics, higher education institutions are fighting a losing battle against the rapidly increasing sophistication of cyber adversaries. Rather than be overwhelmed by persistent public reports of their deficiencies, colleges and universities should leverage their collective strengths to reframe the challenges. Businesses with well-resourced cybersecurity functions routinely demonstrate room for improvement through publicized breaches and other incident disclosures. Perhaps by accepting that its institutions will always lack sufficient resources, higher education will be motivated to find opportunities to lead the industry towards innovative solutions that will make effective cyber defenses more accessible to all organizations.