"Nobody has a fortress anymore. The perimeter is not just gone—it's burned to the ground," said Nate Fick '99 in his keynote address at Securing the eCampus 2014, a conference on information security in higher education held July 15-16. The event was hosted by Dartmouth for chief information security officers from a number of colleges and universities.
He warns that a small number of people with limited resources can do things that have global effects. Culprits could be, for instance, Eastern European teenagers working out of their parents' basements. "The barriers to entry are very low to achieving very sophisticated high-end capability."
Fick, a member of the Board of Trustees, is chief executive officer of Endgame, Inc. and former CEO of the Center for a New American Security, a national security research organization. He served as a Marine Corps infantry officer in Afghanistan and Iraq and wrote about the experience in his New York Times bestseller One Bullet Away.
He was introduced by Ellen Waite-Franzen, Dartmouth vice president for information technology, who recounted some of the history of the conference. The first Securing the eCampus was convened in 2007—a year marked by the revelation that 47 million accounts were compromised at T.J. Maxx and the hacking of Monster.com exposed the records of millions of job seekers.
The inaugural conference was supported by monies from a federal grant awarded to then-director of Dartmouth's Institute for Security, Technology, and Society (ISTS) David Kotz, now associate dean for the sciences. "Kotz’s grant had included funding for education and outreach on information security and subsequent conferences have been held because of continuing interest in information security," said Waite-Franzen.
Fick spoke of the challenges facing those who safeguard sensitive and critical data and the networks that carry the information. Much of what he presented was based on his experiences from 10 years working in the operational security world in the Marines, running a security software company, and serving as a Dartmouth Trustee.
He noted that there are 9 billion connected devices today and the number is growing exponentially with the average student having five. "Device and data proliferation along with increasing network complexity is changing the game, providing more targets for penetration.
"The intruders are already inside our networks, and that's not going to change," said Fick. "People are still clinging to the idea that they can prevent something that already happened instead of focusing on detection and response," he said. "Your connected world is more multifaceted than it has ever been, and it is getting more so. You need to focus on the handful of things that matter and make a risk-adjusted choice about whether or not to respond and how."
Dartmouth is following this model, implementing a risk-based approach under the guidance of Steve Nyman, chief information security officer. The College is concentrating on where the information is, determining the risk should the information be disclosed, modified, or lost, and then applying the appropriate controls.
As to threats themselves, Fick says that some intrusion targets attributed to Russian sources have been personally identifiable information from which credit card and banking information may be gleaned. Those attributed to the Chinese, he says, generally target engineering research or biochemistry research.
While there is much public concern about the security of individual health records, Fick said, "There is not a whole lot of interest on the part of professional criminals on whether or not you have some kind of disease. They just don’t care. What they really care about is the part of the medical record associated with payment." Theft of this information could make them money.
Fick also addressed some philosophical and policy issues, such as privacy versus security. "We need to decouple privacy and civil liberties. They are different things," he said. "Historically, privacy was greater because of the absence of technology. We have been trading privacy for convenience for a long time but it has been a conscious choice. However, we don’t want somebody else making those choices for us."
Fick said that any workable management of security challenges must look more toward a human solution than a technical one. "A natural evolution of norms has to happen here—a cultural shift in how surveillance and privacy and security are viewed, not as an intrusion but as a measure of protection," he said. "Until that cultural conversation happens, until that evolution really takes place, there is going to be a persistent gap—barriers to effective cybersecurity, particularly in academic environments."