Roscoe Streyle: University System Politics Threatens Information Security


The State of North Dakota Information Technology Department (ITD) has successfully protected the state’s many agencies from hackers for years by using state-of-the-art Intrusion Prevention and Intrusion Detection Systems (IPS/IDS). These types of systems monitor all traffic coming in and out of the state’s network and alert staff in real time if certain security events occur. These types of systems are standard in businesses, large or small, to protect critical business and personal information from hackers.

It is one of the most critical pieces to a comprehensive information technology security plan.

The North Dakota University System (NDUS) did not have this type of system in place and it resulted in the largest data breach in the history of the state of North Dakota. There were hundreds of thousands of student records potentially compromised.

Had an IPS/IDS system been in place, I believe the breach would have been detected and stopped very quickly. The NDUS chief information officer took action by asking ITD to implement the same IPS/IDS systems used to protect the state’s networks for all University System networks. This is absolutely the right move and I applaud the NDUS CIO for taking decisive action.

But university politics threatens to undermine information security again.

I recently came across emails (see below) in which North Dakota State University interim CIO Marc Wallman and NDSU President Dean Bresciani officially requested to be exempted from participating in the IPS/IDS system. There is a policy (1901.3) in place, which requires campuses to ask the CIO for permission before they implement something that impacts the state network.

This request was sent on July 25, 2014 and later correctly denied by the NDUS CIO for obvious reasons. Keep in mind this interim CIO and President recently migrated off of the consolidated email system onto their own managed and maintained system.

A quote in one of the emails states,

“The addition of such a system will introduce problems that may threaten the productivity of NDSU, an economic engine in the state.”

Really?

They are trying to convince people that having less security in today’s world is good public policy, when major data breaches are becoming common occurrences.

Another very important part of the request is this statement: “Nationally, the trend among higher education research institutions is to remove – not add – such IPS/IDS systems.”

I’m dumbfounded by the total lack of understanding and obliviousness to the threats of today.

The reasons given for why they must be allowed to be exempted include:

  1. Disruption of network traffic flow between NDSU and other institutions in North Dakota and throughout the county and around the world,
  2. Privacy concerns for students, faculty, and staff who live on campus,
  3. Gatekeeping that threatens faculty and students’ freedom to conduct research,
  4. Increased costs related to the need for NDSU staff time and other resources to troubleshoot technical problems caused by the system,
  5. Added single points of failure on the state’s network,
  6. Faculty, staff, and students will have a false sense of security, and
  7. Decreased ability of NDSU to be on the leading edge of network improvements.

No, I didn’t make this stuff up; these are real “concerns” of NDSU. Let’s take a couple of my personal favorites.

Reason #1 is completely untrue and doesn’t even make logical or technological sense. All other campuses will be protected by the same system.

In regards to reason #2, by not implementing this system, NDSU is putting every single person’s privacy on the campus at risk, not the opposite.

As for reason #3, any time “research” institutions come across something they don’t like, it is always the same scare tactic, “threat to research freedom” or the research dollars will magically disappear.

Apparently, in reason #6, Mr. Wallman believes “a false sense of security” is worse than not having any security.

Every single concern listed is complete nonsense. The NDUS IPS/IDS system will help protect the privacy, security, and “freedom” of research.

Interim CIO Wallman and President Bresciani are once again putting politics and their egos above students and faculty, the same way they did when they withdrew from the consolidated email system. I would hope Interim CIO Wallman is not made permanent CIO, because the advice he has given his boss, President Bresciani, is not at all common-sense or sound IT security policy.

I, of course, don’t expect anything to change at NDSU, the Chancellor’s office, or on the State Board of Higher Education (SBHE). As one of the only two good board members said, “Short of a crime, nobody gets held accountable here.”

Tom Meredith could not have said it any better during the SBHE “secret” meeting, “The board is running scared.” My question to Chancellor Skogen and the SBHE is, when are you going to step up and provide leadership? The answer, sadly, is never.

NDSU Exemption NDUS Denial