UNIVERSITY OF CALIFORNIA

BERKELEY • DAVIS • IRVINE • LOS ANGELES • MERCED • RIVERSIDE • SAN DIEGO • SAN FRANCISCO • SANTA BARBARA • SANTA CRUZ

EXECUTIVE VICE PRESIDENT — CHIEF OPERATING OFFICER
OFFICE OF THE PRESIDENT
1111 Franklin Street, 12th Floor
Oakland, California 94607-5200
510/987-0500

January 19, 2016

Krste Asanović, Professor, Electrical Engineering & Computer Science Department, UC Berkeley
Eric Brewer, Professor, Electrical Engineering & Computer Science Department, UC Berkeley
Ken Goldberg, Professor, Industrial Engineering & Operations Research Department, UC Berkeley
Anthony Joseph, Professor, Electrical Engineering & Computer Science Department, UC Berkeley
Ethan Ligon, Associate Professor, Agricultural and Resource Economics, UC Berkeley
Michael Lustig, Associate Professor, Electrical Engineering & Computer Science Department, UC Berkeley
Greg Niemeyer, Director, Berkeley Center for New Media, UC Berkeley
James O’Brien, Professor, Electrical Engineering and Computer Science Department, UC Berkeley
Katherine Sherwood, Professor, Art Practice & Disability Studies, UC Berkeley
Doug Tygar, Professor, Computer Science and Professor of Information, UC Berkeley
Niek Veldhuis, Professor, Department of Near Eastern Studies, UC Berkeley

Dear Colleagues:

I am writing to follow up on earlier discussions about cybersecurity matters across the UC system and to share to the fullest extent possible the principles and considerations that guide the University’s efforts to respond to cyber attacks.

First, I want to thank you for sharing your concerns that we maintain the privacy protections enshrined in University policy even as we significantly strengthen our cybersecurity posture. As explained below, I do not believe these imperatives conflict; in fact, they reinforce one another in crucial ways. I would like to share some key principles and practices that help ensure that privacy protections are consistently upheld in the context of network security activities, some observations about the serious cyber attack we experienced at UCLA, and information about increasingly challenging attacks that are rising at academic institutions across the country.

As you know, on July 17, 2015, UCLA publicly announced that it had suffered a serious cyber attack. The attack appears consistent with the work of an Advanced Persistent Threat actor, or APT. An APT generally emanates from an organized, highly skilled group or groups of attackers that orchestrate sustained, well-planned attacks on high-value targets. Today, much effort in the cybersecurity industry is focused on APT attacks because they are difficult to detect and highly destructive. While there is no evidence that cyber attackers actually accessed or acquired any individual’s personal or medical information at UCLA, the University decided to notify stakeholders. UCLA notified 4.5 million patients about the cyber attack. Within days, several lawsuits were filed against the Regents alleging various violations of State law, all 17 of which are now pending.


The UCLA attack, while exceptional in some respects, is part of an increasing trend of cyber attacks against research universities and health care systems. Institutions of higher education are increasingly targets of APT attacks because academic research networks hold valuable data and are generally more open. Indeed, the mission of our University is to promote knowledge sharing and research collaboration, which involves responsibly sharing data. A recent report from Verizon described educational institutions as experiencing “near-pervasive infections across the majority of underlying organizations,” and observed that educational institutions have, on average, more than twice the number of malware attacks than the financial and retail sectors combined.

APTs seek to illicitly harvest credentials across academic networks and then use those credentials, and the trust relationships among systems, to move laterally to other nodes in a given network. There are techniques to address such attacks, but I share these points to underscore the seriousness of the threat posed by APT attackers and the fact that, for cybersecurity purposes, a risk to what appears to be an isolated system at only one location may in some circumstances create risk across locations or units.

In recognition of these realities, President Napolitano has initiated a series of system-wide actions to strengthen the University’s ability to prevent, detect, and respond to such attacks. I believe these efforts are consistent with the reasonable expectations of the University community — our students, faculty, staff, patients, research sponsors, and academic partners — that we undertake serious efforts to protect sensitive data from malicious attacks. I also believe these actions are fundamental to realizing the University’s commitment to privacy. The following actions were taken:

• A leading cybersecurity firm was engaged to assist the University in responding to the cyber attack, in part by analyzing network activity at all UC locations to detect and respond to any APT activity;
• Every location submitted a 120-day cybersecurity action plan to harden systems and improve administrative and physical safeguards;
• A Cyber-Risk Governance Committee (CRGC) was established, with representation from across the system, including the Academic Senate, to oversee and guide system-wide strategies and plans related to cybersecurity. The CRGC has met several times already and is identifying key ways to strengthen our security posture while honoring the University’s commitment to academic freedom, privacy, and responsible fiscal stewardship;
• A system-wide incident escalation protocol was developed to ensure that the appropriate governing authorities are informed in a timely way of major incidents; and
• Mandatory cybersecurity training was rolled out to all UC employees by October 1, 2015.

Several faculty members have requested detailed, technical information about the UCLA attack and the specific security measures taken in its immediate aftermath. I understand that some are concerned that such measures may have exceeded the University’s policies governing privacy. I believe such actions were well within the operational authority of the University and in alignment with policy. It is regrettable that as long as the UCLA incident remains the subject of pending legal matters, I cannot publicly share additional information that might correct some of these misimpressions. As a policy matter, however, I wish to address the privacy and governance concerns that arise in the context of data security, without any express or implied reference to the UCLA attack.

January 19, 2016 Page 4

violators are subject to discipline.^2 With respect to storage, much data collected through network analysis may already be stored elsewhere within the University’s network ecosystem (or even with third party cloud or other providers), independent of any network analysis activity. Data collected or aggregated specifically for network security purposes is only stored for a limited time, segregated in a highly secure system, and forensically obliterated thereafter. In some circumstances, a preservation of certain data related to litigation may be required by law, which may result in a longer storage period for a limited amount of network analysis data subject to such a mandate. With respect to third party requests for such data, the University has a long history of defending against improperly intrusive requests, including requests under the Public Records Act.^3

Governance is also a critical aspect of this discussion. Ensuring that all stakeholders are fully enrolled in developing the University’s cybersecurity policies going forward is essential. As you know, the President has launched a coordinated system-wide initiative to ensure that responsible UC authorities are appropriately informed about risks, that locations act in a consistent and coordinated way across the entire institution, and that the University can sustain action to manage cyber-risk. A number of structures have been put in place to elevate the importance of cybersecurity within University governance, some of which I described above but elaborate here for emphasis:

• The President asked the Chancellors to each appoint a single executive to lead efforts to review and improve cybersecurity at their location. These positions are the Cyber-Risk Responsible Executives (CREs), and each position reports directly to the Chancellor or location chief officer.
• A single escalation protocol has been implemented across the UC system to facilitate appropriate notification and handling of cybersecurity incidents. The protocol is intended to drive consistent analysis and response to cybersecurity incidents. It is being piloted and will be reviewed for effectiveness by the CRGC after six months.
• In addition to establishing the CRGC described above, the President has appointed a Cyber-Risk Advisory Board, composed of six internal and external expert advisors, to support the CRGC and provide information and advice about emerging issues and best practices in cybersecurity, and to help develop aggressive and effective approaches to managing cyber-risk, consistent with UC’s teaching, research, and public service mission.
• Finally, a Cyber Coordination Center is being launched to help coordinate a variety of activities across the locations.

With specific reference to faculty governance, the President has reinforced with senior management the need for ongoing dialogue with our faculty and Senate leadership. The Senate has a robust presence at the CRGC, and I believe the CRGC is the best forum to develop mechanisms and policies for further ensuring that Senate leadership is fully engaged in policy development and briefed in a timely way regarding ongoing security matters and practices.

(^2) The ECP creates a specific exception for circumstances where an employee incidentally observes obvious illegal activity in the course of performing routine network security activities. (ECP, IV.C.2.b (defining exception for disclosure of incidentally viewed evidence of illegal conduct or improper governmental activity).)

(^3) Public Records Act requesters may seek far more intrusive access to the content of faculty or staff records than what the ECP permits for network security monitoring. The limits on the University’s own access to electronic communications under the ECP do not apply to Public Records Act requests.


I also welcome a discussion about how to harmonize broader cybersecurity efforts with existing, campus-specific information governance guidelines. Some campus-level guidelines, established as part of system-wide information governance initiatives, limit the specific technologies and methods that may be used for network security activities, including some methods in ordinary use at other University locations and use of which may be necessary to comply with legal duties or to effectively evaluate a specific threat that may implicate multiple locations.

Given the difficult and shifting challenges worldwide in terms of cybersecurity, there is no monopoly on wisdom here. It is my intention to approach these issues with humility and openness, believing that our efforts will only be enriched by an exchange of ideas and viewpoints. I welcome your engagement on these issues and look forward to a deeper, joint effort to protect the privacy of our users and the security of the University’s systems.

Sincerely,

Rachael Nava
Executive Vice President - Chief Operating Officer

cc:
Academic Senate Vice Chair Jim Chalfant
Vice President Tom Andriola
Deputy General Counsel Rachel Nosowsky
Associate Chancellor, Nils Gilman
UCB Professor of Business and Economics, Ben Hermalin