April 2016
Senate Responds to Cybersecurity Concerns
The systemwide Academic Senate is taking a key role in following up on concerns first raised by faculty in December 2015 about a new systemwide cybersecurity threat detection program. The program, managed by Fidelis, was implemented in the wake of a security breach at the UCLA medical center last summer and is providing a layer of detection for University computer networks by analyzing network traffic to find evidence of potentially malicious activity.
Faculty were not consulted initially about the development of the program and UCOP officials did not provide details, given that the program was developed alongside preparation for legal proceedings related to the UCLA attack. Faculty at Berkeley and other campuses raised concerns about the lack of consultation, the secrecy surrounding the process, and the nature and extent of the services deployed.
The Senate’s Committee on Academic Computing and Communications (UCACC) took the lead on behalf of the Senate. Following an in-depth briefing from Chief Information Officer Tom Andriola and Chief Information Security Officer David Rusting on February 1, UCACC issued a Statement noting that faculty “should have been informed and consulted at the earliest stages of the process and should be involved in future decision making.” UCACC also noted that it found “no reason to distrust UC officials or the information they supplied” and endorsed UC’s efforts to monitor and prepare for and prevent future cyber-attacks.
Academic Senate Vice Chair Jim Chalfant agreed with UCACC’s separation of comments on shared governance from comments about whether threat detection might be appropriate. Chalfant says that UCACC believed the most productive course of action was to acknowledge the serious failure of shared governance in this case and to ensure faculty involvement going forward.
“The faculty concerns and questions about privacy were appropriate ones to raise, and it was unfortunate that no opportunity for faculty input was provided from the start, which just creates suspicion,” he said. “However, the administration recognized the need for more faculty involvement and took concrete steps to increase involvement and consultation.”
Chalfant adds that the administration is working to satisfy Senate faculty that the intent of enhanced security measures is to look for significant patterns of unusual activity across UC networks and not to access to specific user files, email content, or web-browsing histories.
In response to Senate concerns, the administration added additional faculty membership to the Cyber-Risk Governance Committee (CRGC) and will use the UCACC as the formal governance mechanism for raising faculty issues and concerns around the issue of cyber security and cyber risk. The CRGC was convened after the UCLA attack and oversees systemwide plans related to cybersecurity and plays a coordinating role across locations. Joining UCACC Chair David Kay (UC Irvine) on the CRGC will be UCACC Vice Chair Christine Borgman (UCLA). The committee also includes a Cyber-Risk Responsible Executive (CRE) from each UC location – generally an administrator, but sometimes a faculty member – and other UCOP personnel. A proposal for increased faculty involvement has been developed and was approved by the CRGC in their April meeting. The revised charter calls for three faculty members on the CRGC and three additional faculty members to be appointed to the CRGC Advisory Board. All of these appointments will be handled by UCOC, and based on either expertise in the area or an ability to represent concerns from a faculty-welfare or academic-freedom perspective. UCOC will therefore likely draw not only from UCACC and from faculty with disciplinary expertise on computer security and privacy, but from UCAF or UCFW.
Following the publicity concerning faculty concerns, Vice President Andriola met personally with several Academic Senate committees and faculty on several campuses who raised concerns about the threat detection program. He continues to work with UCACC to channel faculty views to the Governance Committee to help ensure faculty views are incorporated early in the process.
Vice President Andriola said that “the University is an institution designed for openness, which also makes it an attractive and vulnerable cyber-attack target. Advanced Persistent Threats targeting sensitive UC data, such as identity, intellectual property, data, and other assets, can damage the University’s reputation, and create lawsuits that may have significant financial consequences for UC. We must all take steps to reduce cyber risk. The University’s cyber program, both systemwide and at each location, balances the need to protect against the needs to achieve our mission.”
More recently, UC’s five health systems used an RFP process to select a second outside vendor, FireEye, to provide more comprehensive cyber-risk security solutions. Campuses IT professionals were also engaged in the RFP process. FireEye is an integrated suite meant to work with current protections on campuses and in the health systems to provide a multi-layer set of protections against malicious activity and the ability to respond quickly to successful attacks.
While all University locations will be required to continue the coordinated systemwide threat- detection, each campus may adopt the additional capabilities of FireEye based on their security needs and priorities. Decisions will be made in shared governance consultation with faculty at the local level. UCOP will help coordinate the roll-out of tools and ensure that locations have access to technologies and information they need to make decisions, but will not require specific actions beyond the systemwide coordinated threat detection effort.
Jim Chalfant: “The use of any of the FireEye products beyond the medical centers, on a general campus, will be a campus-by-campus decision. It is expected that the administrations on each campus will consult widely and involve the Senate. Especially since the issue has been so controversial, and remains a very sensitive topic for many faculty, we are encouraging faculty to get involved. Interested faculty should read the FAQs on the UC Security website, and ask any questions they feel have not been answered.”