Emphasizing campus cybersecurity is crucial
Joe Adams, Interim President and CEO and Vice President of Research and Cyber Security, Merit Network
The Michigan Cyber Range is a virtual facility where people can practice responses to cyberattacks. What was the impetus behind creating it?
In October 2011, Michigan’s governor, Rick Snyder, called for the development of a virtual facility for cybersecurity workforce training. Merit Network took that mission on, looked at what we wanted to teach and developed a plan for providing basic education and testing. The Range opened in November 2012 and representatives from the state police, state of Michigan, DTE Energy, Consumers’ Energy and Merit continue to work on it. From exercises to certification classes, the Range enables organizations to build consistent training programs for their staff.
One thing that differentiates the Range from other cybersecurity practice environments is that it is part of Merit Network, which runs the nation’s largest and oldest research and education network. This gives the Range both national connectivity and the expertise of Merit’s staff.
“We built the Range to be accessible to people all over the country; to be hands-on, so students can demonstrate knowledge; and to be adaptive, so everyone at every level is challenged,” says Adams.
Institutions trying to start their own cybersecurity programs are finding that constructing suitable infrastructure is very costly. The Michigan Cyber Range provides a virtual space so instructors do not have to build and maintain their own spaces, and students can learn from anywhere instead of one particular room on campus.
What are particularly high-risk areas for colleges and universities in terms of campus security?
A lack of awareness is a big issue. Many administrators cannot imagine their college or university getting attacked. But institutions have a lot invested in computing resources and more. Between personal information of students, staff and faculty—not to mention intellectual property—there is a lot of valuable information at stake. Even universities that do not have teaching hospitals or research arms usually have health centers that store medical information of students and have privacy policies that must adhere to HIPAA regulations. The cost of a breach of this type of information is tremendous, and will only continue to increase.
The nature of colleges or universities is to be open so that people can access shared ideas and resources. Unfortunately, this has made them a target. Institutions have a massive amount of computing power in servers and labs, which are attractive to hackers who want to distribute spam or malware. And even when the institution is not at fault legally, it tends to get the blame when its machines or servers are used to attack another organization or group of people.
For institutions understaffed in IT and security, what advice do you have to combat these risks?
It might make sense to purchase consolidated security services in these cases. Often, devices are purchased at different times and the backend architecture is patchworked together. When devices are paid for and administered centrally, there can be savings and uniform, in-depth defenses. Money and time savings can also be achieved by employing an outside company to manage firewalls, email filtering or website protection.
Most importantly, when a staff is small, it is essential their skills are up-to-date. Take advantage of distance learning-type set-ups and build time in their schedules to watch webinars and take classes. This keeps staff at maximum efficacy and certifications up-to-date, and helps retain talent.
“The nature of colleges or universities is to be open so people can access shared ideas and resources. Unfortunately, this has made them a target.”
For more information, visit http://merit.edu/cyberrange/