In the past six months, The University of California at Berkeley has been the victim of two attacks on their information systems. The first attack targeted the main web server of the Graduate School of Journalism while the second, and more severe attack, targeted the Health Services databases. In the attack on the Health Services databases the social security numbers of 160,000 people were compromised.
The blame for these attacks cannot be laid upon the University which already spends roughly one million dollars each year to constantly improve the protection of information systems. The true cause of these attacks is that as a university, Berkeley is caught in the middle of the debate between the confidentiality and the availability of information. They have conflicting goals of keeping the information of their students, faculty, and additional employees safe, while fulfilling their purpose as a university to share information with the public. Shelton Waggener who is the associate vice chancellor for information technology at Berkeley articulated this dilemma when he spoke to Amy Brooks at the Daily Californian: "Universities are set up to disseminate data and information. That's what our mission is, so it becomes difficult when you blend public information and private."
Therefore, the debate becomes not how much money or time that Berkeley should spend trying to protect its information, but rather how much it wants to protect its information at all. The problem that arises is creating a system that is secure with confidential information while being completely open to the public with academic information that it wishes to share as part of its mission.
One approach that officials at Berkeley are pursuing to try to balance these goals while preventing future attacks is reducing the number of locations where sensitive information is stored. The University of Massachusetts experienced a similar problem when a laptop was stolen last year that contained the information of students from 1982 to 2002. This incident serves to illustrate the importance of limiting the number of locations where sensitive information is stored. Limiting that number will provide more security for confidential information while leaving the availability of academic information wide open.
Sources:
Brooks, Amy. "Campus Takes Steps to Boost Server Security After Breaches." The Daily Californian. 25 Aug. 2009. Web. 30 Aug. 2009..
Dayal, Priyanka. "Hackers Gained Access to UMass Info." News Telegram. 21 Aug. 2009. Web. 30 Aug. 2009. .
Sunday, August 30, 2009
Subscribe to:
Post Comments (Atom)
Posts
I'm not sure why the addresses for the sources aren't showing - when I go back to edit the post they are, but these are them:
ReplyDeletehttp://www.dailycal.org/article/106339/campus_takes_steps_to_boost_server_security_after_
http://www.telegram.com/article/20090821/NEWS/908210393/1116
I fixed them. You had a slight error in the way your links were formatted.
ReplyDeleteI understand that as a university, Berkeley has a purpose of providing information to the public. However, I do not see any reason why Health Records would need to be accessed by anyone other than the employees in Health Services themselves. Therefore, I think the UC Berkeley needs to be focusing on the confidentiality of this information way more than the availability. Other services, such as the university's library or research websites can focus more on availability.
ReplyDeleteWhile I certainly agree that health records should never be available to the public, there are some serious availability concerns as well.
ReplyDeleteImagine this scenario, if you will. You're rushed to the emergency room unconscious and need immediate treatment. The doctors, unable to access your health records because the system is down (availability!), give you penicillin. Unbeknown to them, you suffer from a severe allergy to penicillin. Bad news!
It seems to me that if I had to choose between my goals of keeping the information of my students, faculty, and additional employees safe, or fulfilling our purpose as a university to share information with the public; Im thinkin about my people first. Its already stated that roughly a million each year is already coming out of their pockets, and their still being hacked. I say put the availability on hold until the confidentiality is taken care of. I understand the medical part of it but hopefully (fingers crossed) the medical records will already be in the hospitals system. Plus they are a college, not doctors office. O yeah and putting a stop to the blending of confidentiality info and availability info would be a good start.
ReplyDeleteI totally agree with Cocoman66. Confidentiality seems much more important when dealing with the release of information in a university setting. As far as the hospital scenario, there should be several sources where they could pull health records besides from a university's information database. When students come to college, they fill out out pertinent information that reveals their self-identity, from their full names, social security numbers, addresses, and a plethora of other sensitive information. No one would knowingly reveal such information if they thought the university valued availability over confidentiality. It's like an unwritten rule.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteHonestly, I have little faith in the information security of any university, especially the well known universities. The more popular the university then the more likely it is for private information to be accessed by the wrong people. If big name universities spend large amounts of money and still fail to protect personal information from leaking, then that simply means the attacks are inevitable, and that maybe confidentiality is after all more important than having access to seriously private information. But, is it worth all that money when hackers continue to figure out how to gain access to any information they chose?
ReplyDeleteI agree with Nicole that when students give their medical records and other personal information to their college they have the expectation that the information will be kept confidential. I just wonder if the best way to achieve this confidentiality while avoiding the hospital scenario would be to keep the medical records in several places. Would keeping those medical records in multiple spots make it easier for a hacker to find them?
ReplyDeleteHow can the university not be blamed for allowing this information to become public? It is correct to say that the purpose of universities is to make public information available; however, the last time I checked social security numbers should not be public information.
ReplyDeleteThe university may be spending millions of dollars to protect systems and information but that does not matter if they are allowing private information to escape. If someone broke into a bank vault that was protected by millions of dollars of security wouldn't people still say the bank is at fault even though they took precautions?
I agree with Luther entirely concerning university records being kept in multiple places. As previously stated, we as students fill out numerous forms as incoming freshman containing personal information. I am sure this information is then submitted into some sort of computer system where it should be properly stored and remain confidential. After it is entered into the computer, the paper in which the students filled out should not be thrown away, but filed. This way, the information will be available both through the computer system and by the original paper obtained from each student. Hopefully, this would ensure that the hospital scenario involving penicillin would not take place.
ReplyDelete"They have conflicting goals of keeping the information of their students, faculty, and additional employees safe, while fulfilling their purpose as a university to share information with the public. "
ReplyDeleteI have a problem with this statement like a bunch of others before me had said. I do agree that universities need to relay info to prospective students and anyone else in search of info regarding the respected universities, but how can social security numbers and health records be counted in that same category of info? I do understand the scenario that Professor Chapple had brought up but there has to be a better way to get at info of that importance. The bottom line to me is that as technology develops to protect info so will the technology of hackers. The best way I can see to keep info safe is to be sure that tech for security develops at a quicker rate than hackers.
While I understand the University is doing quite a bit to prevent these attacks from happening, I wonder if it is enough. Yes, they spend about a million dollars per year to improve their systems, but at a university with over 35,000 undergraduate and graduate students, that only comes out to about $30 per student. While I am unaware of what universities of comparable size spend on these projects, that number does seem rather low, at least in my opinion, for information like social security numbers for hundreds of thousands of people. I do however agree with their strategy of reducing the number of locations this information is stored. This seems like a completely reasonable approach to attempt to reduce the likelihood of this happening again.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteAfter reading all of these posts, I am convinced that the major problem for universities is their goal of making information available to the public. From my understanding, all faculty and staff are on the same network as students or "guests". Why is it that we allow computers with important information to also reside on these networks. Is it really necessary for someone to need to access a students social securtiy number anywhere on campus as long as you have authorization? Why not designate a room in one building on campus with computers on a seperate but local network where you can only gain access physically and not wirelessly. Yes this may seem a bit inefficient but important information like that should not be accessible by more than a few important people anyway. This idea probably seems more like a movie where someone needs to break into a room and then break into the computers but if we would like to store information more safely, this could be one of the best ways to prevent theft. As for public information, I guess that can remain the same since people haven't had problems accessing it in the first place. It is important to designate what is public information and what is not.
ReplyDeleteI agree with Ryne when he says that "The best way I can see to keep info safe is to be sure that tech for security develops at a quicker rate than hackers." Certainly, to protect the private information of students and faculty, universities must be confident that their technology is the most up to date. Furthermore, they must continue to finance the development of cutting edge technology so that they stay one step ahead of hackers.
ReplyDeleteThat being said, I struggle to understand why it is necessary for individuals outside the university (other than healthcare officials) to have availability to the personal information of students and faculty. In my opinion, the risk for a security breach could be significantly decreased if access to this information was not so readily available.
The majority of the posts in response to this article have expressed legitimate concern for security amongst any university's information systems. Although, this is a serious problem in all information systems I would like to think availability in any university is of greater concern.
ReplyDeleteDay to day operations throughout any institution is extremely reliant on the information systems being available to students and faculty alike. Schedules, assignments, due dates, readings, notes, graded work, and final grades are just some of the things constantly being updated, edited, and viewed. Why make it more troublesome? Yes security is a serious threat, however, how common is it really? Maybe it is my own experience in a small university, such as Notre Dame, but luckily I have not experienced any security issues while enrolled here.
In addition, I am a strong proponent of the "Concourse" program many professor around the university have begun to use. A separate, unofficial system housing many of the records and materials needed on an everyday basis. If security on Concourse were breached it would have no effect on the status or apparent performance of any student. A nuisance would be of greatest concern.
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1520252,00.html
ReplyDeletehey found a pretty cool current event about encryption and breaking code..sorry the link is not working