Purdue University in Indiana is just one of thousands of research institutions concerned their networks are going to be compromised — or hacked. (Flickr/ttesori)
First there was Target. Then high-end retailer Neiman Marcus. Now, security experts say future cyber attacks are likely to come through college and university networks — networks that tend to have big, broad Internet pipes, with less protection.
Just in the past month, Purdue University in Indiana estimates it has blocked some 30,000 cyber attacks. The university's Chief Information Officer David Shaw says those hits represent a new challenge facing old institutions in the digital age.
"I think universities have to take a different stance toward security because we are an open environment," Shaw said. “That’s much different than say a company like Lockheed Martin that does a lot of heavy industrial defense work.”
So tightening security is a problem for flagship universities like Purdue where openness is their lifeblood.
“The whole concept of higher ed is about the free exchange of ideas and being able to share and collaborate around data and do research,” Shaw said.
Purdue is just one of thousands of schools concerned their networks are going to be compromised — or hacked.
"We are already seeing universities being the target of attacks and being conduits for attacks,” said Richard Bejtlich chief security strategist and fellow at the Brookings Institute. He says hackers are going through universities to attack commercial operations.
“They have information that people want, whether it’s their faculty and student names and credit card numbers and social security numbers or it’s the research that they're doing,” Bejtlich said.
Despite the proprietary nature of this research, which often becomes part of classified programs, professors are still reluctant to add security measures.
"They don’t want IT to be involved, and as a result those systems are fairly vulnerable and ready to be attacked," Bejtlich said.
Ran Canetti, who teaches computer science and studies cyber security at Boston University — which sees thousands of attacks every day — doubts whether colleges are more vulnerable than other big organizations.
“The first attack that took down one-third of the Internet in a couple hours came through a university, but I’m not sure that today this is such a big danger,” Canetti said.
Canetti says there are a lot of steps universities can take, like updating their software, but there’s no silver bullet.
"The universities are attacked," he said. "Banking systems are attacked. Everybody is attacked."
Meanwhile, universities like Purdue that conduct business all around the world can’t afford to be too secure, Shaw says.
“It’s not like I can put a block on my network for all traffic from China because we don’t do business with China," he said. In fact, we have a lot of students from China."
Balancing openness and security, experts say universities should first figure out what’s already happening inside their networks, and then take steps to secure their information and research.
Computer science professor Hal Ableson led MIT's investigation into the Aaron Swartz case, whichthe prestigious university didn't target the Internet activist after he was charged with hacking into MIT's network. Watch Abelson talk cyber security on Greater Boston: