To protect sensitive data, IT security and researchers must act as teammates
Colleges and universities are more widely implementing tools like multi-factor authentication and anti-phishing software to protect research data, but the best defense against threats remains the connection between information technology security teams and well-informed researchers, experts told EdScoop.
Protecting the data produced through research and development spending at universities, estimated at nearly $84 billion in 2019, is becoming more difficult because of rising cyber threats against the education sector. Protecting data is tricky because researchers often use non-standard software, work on fast-paced, competitive timelines and use unique technology or remote lab environments, said Michael Corn, the chief information security officer at the University of California, San Diego.
Corn’s office, for instance, is responsible for securing data collected by a fleet of ships that conduct marine research and transmit it back via satellite.
“We are in a new world, with nation-state actors being behind ransomware, trying to disrupt operations, trying to poison data,” Corn said. “We can’t pretend that best effort is good enough in the research world. We know our intellectual property’s being targeted, and more so than that, if you’re trying to outcompete another country, it’s not enough to steal their intellectual property — remember, a lot of the data science deals with is open data but you want to take that data, and then contaminate what you leave which gives you an advantage, you want to cause disruptions that cause social unrest.”
Malicious actors look to target researchers through phishing schemes and through direct attacks on machines used for research. The coronavirus pandemic further complicated how researchers store data as they started working from home. The threat to research data grew severe enough that in January, Educause, the higher-education IT group, and the Research Education Networks Information Sharing and Analysis Center, or REN-ISAC, convened a group of CISOs to develop better methods for protecting research data.
The education sector has suffered several high-profile cyberattacks in recent years, including an Iran-linked group allegedly stealing 31.5 terabytes’ worth of data from professors worldwide, and the University of California, San Francisco, paying more than $1 million to recover data locked up in a ransomware breach in July 2020.
To respond to security threats, many of the federal agencies that fund university research are updating the security requirements for grant applications — an already complicated process, Corn said.
“Researchers are distracted from not paying enough attention to security, so we have data breaches, or we have system breaches,” he said. “What happens then is the agencies impose more draconian regulations, which the faculty don’t know how to deal with, because they’re not security professionals, or even IT professionals, so the whole cycle starts over. And we have to get out of that death spiral, and the only way to get out of that is for institutions to shift their focus to the research mission.”
Cybersecurity personnel now have more conversations with researchers, said Brian Kelly, director of Educause’s cybersecurity program. He said these discussions give IT offices a better understanding of how and where research data is stored.
“We want you to know what the risks are, we want you to know what the threats to intellectual property are and more importantly, what we can do, how we can help defend against those threats and those risks,” Kelly said. “Those cultural changes have really improved how institutions are thinking about protecting intellectual property and working together with staff on campus for that.”
Protecting research data typically begins by asking where intellectual property lives within a university’s network. Researchers work on data management plans for grant proposals, balancing security with making sure the data is stored in an accessible format, said Amy Nurnberger, a program head for data management services at Massachusetts Institute of Technology.
“Every research project is different and the demands of every research project are going to be different,” she said. “So you get something that is a safe clinical research project, the requirements for data storage access within the project, access to a project are going to be very different than say, a chemical synthesis type of research project. One of the things we often say about the that is as open as possible, as closed as necessary.”
Nurnberger’s office advises academics on drafting comprehensive data management plans. She said along with outside threats, researchers need to consider the biggest threat to securing data — loss from storage in an undesignated place or on volumes reserved for other projects. The best approach is looking at how the data changes as the research progresses and then creating a designated plan and format for each stage, Nurnberger said.
“Something that should ideally be captured as part of the data management plan is what data, what resources, what research outputs exist or will be created at different stages of the research and how those are going to be managed,” she said. “Other things are how big are [the data,] where are you going to store them? Who’s going to have access to them? What formats are they going to be in?”
Indiana University recently launched a program called SecureMyResearch, which provides a “cookbook” in which researchers can search keywords and find “recipes” for security precautions. The program also connects researchers to security experts to answer their questions and work on projects.
“Increasingly, you often don’t even know the terms of the grant until it gets awarded, which can have, you know, consequences for cybersecurity in terms of data use agreements,” said Von Welch, Indiana’s associate vice president for information security.
The extent of those plans also depends on who’s funding the research. The National Institutes of Health required a data management plan as part of grant applications as early as 2003, but those requirements are being updated. The NIH plans to put in place new proposal requirements by 2023, and the Department of Defense issued a much-debated interim ruling on cybersecurity requirements last year, but has not issued a final ruling yet.
University security teams prepare ready-to-use resources to ease the burden on researchers looking to improve security measures. MIT’s data management program shares data management plan examples and templates, as well as coaching for researchers.
Welch said through SecureMyResearch, IT workers can help researchers navigate security requirements and existing resources.
“Most of the time, we’ve got a good amount of infrastructure here, and it’s just a matter of walking them through the process — here’s where you can store your data, here’s how you can work on it, by the way, here’s some basic hygiene, (like) if you need to take this data home, make sure you encrypt the USB drive,” he said.
At UC San Diego, researchers are asked to complete a certification program on basic cybersecurity precautions, and security teams also work directly with research facilitators, who offer direct IT support for research projects, Corn said. In the certification program, researchers also provide emergency contact information for their machines and labs as well as more information about the type of research they’re leading and what data they are using, which can help security teams map out where sensitive data is stored at the university.
“What most schools do to do these kinds of assessments is they hire half a dozen, a dozen people, and they go to unit-to-unit doing a traditional assessment and that’s more rigorous, absolutely, but you never get through the whole institution that way,” Corn said. “What we’re doing is saying let’s start with at a very high level, let’s understand the terrain, the topology of the campus and then we can allocate resources to where the high risk is, where the needs is and we’ve got the information to actually do that.”
‘We work really hard’
Ed Hudson, chief information security officer for the California State University system, said communicating threats and the importance of protecting data management across the system’s 23 campuses is critical.
“We certainly look at best practices, things like making sure multi-factor authentication is in place, and making sure that resources are behind single sign-on and protected by MFA,” he said. “We’ll look at what are those sort of umbrella things that we can do, what kind of educational programs can we put in place that raise that awareness of those threats that are out there and what kinds of threats there are?”
Hudson said he communicates potential threats or trends across the system, with each campus employing its own chief information security officer. Those CISOs and their teams can then serve as a resource to researchers on their campus, he said, but it’s important to encourage researchers to proactively ask questions about security on projects.
“We work really hard across the CSU to have that be a more collaborative partnership with researchers and to make it not pointing out where somebody does wrong, but to say how can we work together to secure information,” Hudson said.
Hudson said working with federal agencies like the FBI on ongoing threats and then communicating with other higher education institutions’ security leaders through professional groups helps him form a better picture of what risks there are to research data.
“The bad guys are talking to each other so we try to make sure that we’re talking to each other as well,” Hudson said.