By ALEXA DAVIS
In June 2009, Cornell experienced its most expensive security incident in its history — a stolen laptop. It was the information on the laptop, complete with the identities of 49,000 people, that contributed to the steep price tag associated with the theft. Four years later, the wealth of information in all of Cornell’s data systems continues to be one of the University’s most threatened and protected assets.
Recently, Cornell has seen a surge in cyber attacks, the most prevalent of which are “advanced persistent threats,” commonly referred to as APT’s, according to Tracy Mitrano, director of Information Technology Policy and Institute for Computer Policy and Law. These attacks originate from outside the United States but may appear as if they are coming from domestic servers because they use proxy servers as a medium, she said.
According to Mitrano, information has become a valuable currency in today’s Internet age, prompting criminality to expand from physical space into cyberspace. The openness of the Internet lays ground for vulnerabilities, which cyber hackers have increasingly targeted in hopes of gaining data from government, military and higher education institutions, including Cornell.
Each year, Cornell experiences 2,500 “run of the mill” malware infections and 2,000 stolen passwords, said Wyman Miles, director of Information Technology Security. These attacks, which pose high risks, are considered to be relatively simple in comparison to other forms of digital threats that Cornell faces.
Mitrano outlined four main types of cyber attacks against Cornell: intentional crime, adolescence vandalism, purposeful political activism and the pursuit of data.
“The purpose of these attacks is to obtain as much data from academic libraries, scholarly journals, research and institutional intellectual property as is possible,” she wrote in a personal blog post. “Often, it is simply to have the information available in the event that it might be useful rather than always a finely tailored search for a discrete data set or patent.”
Attacks from within the U.S. are subject to the Computer Fraud and Abuse Act of 1986, but international attacks are not held to any forms of Internet regulation, Mitrano said in a blog post. The Internet has become the “wild west in terms of crime and law enforcement global.”
Due to the anonymous nature of the Internet, very few attackers ever face real consequences, Miles said. He would not disclose the frequency of law enforcement investigations concerning security breaches at Cornell, but provided assurance that law enforcement sometimes arrest overseas hackers after lengthy investigations.
Stolen research data certainly puts the University at risk, reduces its competitiveness and creates reputational issues, Miles said. However, he said, Cornell has placed an emphasis on ensuring the security of confidential data, including information that could be used for financial fraud, such as Social Security, bank account and credit card numbers.
Miles said certain legal obligations have been a major driving force for the University to concentrate on protecting confidential or administrative data. For example, in December 2005, New York State created a data breach law, which requires institutions that own sensitive data to notify people if they have reason to believe that their information has been disclosed to unauthorized parties.
According to Mitrano, Cornell is maximizing its administrative, technical and physical security measures to successfully protect community members and data systems against cyber attacks. Such technical safeguards include network and information security policies, requiring all Cornell users to update software on devices connected to the network and staff to encrypt confidential information.
While security policies and practices for administrative or confidential data are comprehensive, Mitrano said, there is still much room for improvement in building powerful defenses against hackers seeking research data.
“As is the case for many research universities, it is time to review existing technology and data policies to be sure that research data and intellectual property is covered to the same degree as administrative data, and to be sure that security and compliance are in balance for all institutional information,” Mitrano said.
This “very large educational effort”can begin with Cornell community members taking precautions when using the Internet, Mitrano added.
Miles suggested that individuals take certain steps to protect themselves, including taking advantage of the software and data discovery tools made available to the entire campus community. Additionally, creating unique passwords for net-ids and not clicking on suspicious links are simple preventative measures that all students, faculty and staff members can take to increase cyber safety, he said.