When we think of higher education, we tend to think of pleasant things like young adults walking around open campuses; college sports and dedicated fans; new ideas and candid debates; parties, graduations, and a host of other positive memories and ideas. Rarely do most of us think about the daily threats facing higher education institutions – whether physical protests and hostile incidents, consistent network reconnaissance and cyberattacks, attempts to steal intellectual property, or dealing with natural hazards and health threats.
From Charlottesville to Hurricane Michael, the reality is that higher education faces a persistent and complex array of threats. As the community manages these threats, they have a partner in the Research and Education Network Information Sharing and Analysis Center (REN-ISAC). For the past 15 years, REN-ISAC has been helping to enhance both members’ and the broader higher education community’s operational security. As the threat landscape continues to evolve, REN-ISAC appreciates the changes in the overall threat landscape and is applying a broader, more holistic approach to higher education enterprise risk management.
“Research and education networking organizations, such as colleges and universities, represent a range of potential risks including physical, cyber, human, and financial, just to name a few. Organizations must now take a comprehensive risk approach, and the assistance that REN-ISAC can provide them across threat landscapes gives them a leg up.” REN-ISAC Executive Director, Kim Milford, June 2018
REN-ISAC, based out of Indiana University, serves more than 600 member institutions in the U.S., Canada, Europe, Australia, and New Zealand, and openly supports the entire higher education community. As she leads this collaborative effort, REN-ISAC’s Executive Director, Kim Milford, has gained appreciation for the interwoven nature of today’s threat landscape – the variety of threats across the all-hazards environment and the complex and blended threats that higher education is encountering each day. In a recent interview with EdTech, Milford stated, “In this new world we’re in, the threat is not physical or cyber — it’s both… the divide is no longer clear.”
Recognizing this challenge, and the need for effective collaboration within organizations and across peer institutions, this year REN-ISAC planned a series of workshops around the United States to see, as Milford put it, “if REN-ISAC could take our expertise in the cyber world and help people who are more focused on physical threats.” Working with representatives from higher education institutions around the country, six events were conducted from June through October in Indiana, Arizona, North Carolina, Oregon, Massachusetts, and Florida. The workshops brought together senior leaders, security personnel, information technology staff, emergency management, student affairs, law enforcement, local venue partners, fusion centers, homeland security personnel, and others from each region to deal with the complexities of events featuring controversial speakers combined with a persistent, activist-led cybersecurity threat.
“What we’ve found so far is that cybersecurity people were getting together with their physical counterparts for the first time ever, or they were getting together with people they knew, but they didn’t really understand their roles,” Milford said. Participants discussed a number of challenges, opportunities, and best practices, all of which are being captured in a series of reports now being developed and distributed to members.
Risk management is broad process with many important aspects. To help inform risk management activities, REN-ISAC maintains a comprehensive awareness of the threat environment, helping to focus reporting and collaboration on those issues that pose the greatest risk to higher education institutions.
“REN-ISAC will always have at its core a strategic understanding of the issues facing security professionals at research and education networking institutions,” Milford said in June.
Understanding threats and risks is critical to effective risk management, especially in organizations constrained by both time and resources. REN-ISAC is building off that understanding and taking action to help address those greatest and newly emerging risks, working with members and other partners throughout critical infrastructure on a daily basis. REN-ISAC’s threat and risk awareness informs daily and incident reporting from the ISAC and among the member community via secure, trusted communications. Preparedness efforts like this year’s workshops are another way to educate, collaborate, and enhance the ability of higher education to contribute to national security and resilience via the five mission areas supporting the National Preparedness Goal: prevention, protection, mitigation, response, and recovery.
“True risk management is not sensationalized. It’s more cyclical than episodic and can help an institution look at the risks and make conscious decisions. Are we going to accept the risk, mitigate the risk or transfer the risk? Universities usually take action in all three of those directions at some point or another. Often, they do it unconsciously. True risk management allows them to document that, so the whole organization knows what to do and can prioritize resources,” Milford said in EdTech.
As the United States recognizes Critical Infrastructure Security and Resilience Month this month, REN-ISAC accepts the opportunity to continue to consider how to help further enhance the threat awareness and risk management of the higher education community. In September, REN-ISAC leadership met with U.S. government officials from the Department of Homeland Security and the Federal Bureau of Investigation in Washington to discuss opportunities to help them enhance their higher-education missions and effective engagement with the community. Those discussions, continued outreach and engagement, the completion of the exercise reports (and the start of a like series planned for 2019) and other ongoing conversations and activities will continue as they conclude the year. REN-ISAC looks forward to helping higher education institutions further enhance their capabilities – individually and collectively – and to move the community forward in its ability to apply “appropriate measures to enhance our national security and resilience” and to reduce the risks facing higher education and the nation as a whole.
About REN-ISAC: “The Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) has two primary roles. REN-ISAC also serves over 540 member institutions in Australia, New Zealand, Canada, the UK, and the United States. For a modest annual fee, member institutions gain access to services and benefits to aid and promote cybersecurity operational protection and response within research and education communities. The second role is serving as the computer security incident response team (CSIRT) supporting the R&E community at-large, including non-members. In this role, we work with trusted third parties to notify higher education institutions of infected hosts and suspicious network traffic. REN-ISAC also serves over 540 member institutions in Australia, New Zealand, Canada, the UK, and the United States.” Read more.