U Internet security needs work

A $78 million project for 2017 will help protect the school’s network from cyberattacks.

Youssef Rddad

With aging network infrastructure and increasingly sophisticated cyberattacks, the University of Minnesota is looking to bolster its defense against hackers.
Starting next year, the University plans to undergo a $78 million project to upgrade its main network system, which is nearing the end of its life cycle. Without a regular security updates, it could become more susceptible to cyberattacks, said school officials.
Information such as health records, personal information and ongoing research could be a tempting target for cybercriminals, said Brian Isle, a senior fellow at the University’s Technological Leadership Institute.
“A lot of times, cybercriminals are looking for something they can monetize quickly,” he said.
To help fund the upgrade, the University is requesting $19 million from the state Legislature this year to help pay for firewalls, monitoring and other security operations. 
The cybersecurity upgrade is the largest of three additional requests the University made after the state announced a $1.2 billion budget surplus last month.
Network usage at the University has more than doubled in the past five years and is expected to grow exponentially in the following years, according to a report presented to the Board of Regents in December.
“It seems each and every day we hear of a system that’s been hacked, and we believe you can never be too safe,” said board Chair Dean Johnson. “We need to protect our data to the best of our ability.”
Last year, the University reported 22 data breaches, which resulted in the loss of 4,500 records. The majority of the breaches were related to health care and Social Security information.
Regent Michael Hsu expressed a similar concern, adding that he would like the University to report breaches and potential threats more often.
“It shouldn’t just be a yearly or quarterly update,” he said. “We should have procedures in place to act on the breaches and need to be up-to-date on all the threats out there.”
Still, BerryDunn, a firm that analyzed the University’s security risks for a September board meeting, found the University was above average in protecting secure information compared to other colleges and universities.
Nationwide, hackers have made off with millions of dollars in stolen health care records recently because they often contain credit card numbers and other information that criminals can use to fraudulently file for rebates, Isle said.
Though it is likely less valuable to hackers looking to make a quick buck, ongoing University research could also be targeted by foreign countries that sometimes sponsor attacks on various institutions, he said.
“The U of M produces a tremendous amount of intellectual property, and the research that’s being used to start corporations or is being licensed out to corporations needs to be protected,” Isle said.
In 2014, the education sector saw 10 percent of reported cyberattacks in the country — the third most behind health care and retail, according to Symantec, a California-based technology company that specializes in cybersecurity.
Brian Dahlin, the University’s chief information security officer, said the core network is at the end of its lifecycle, and new equipment will soon become incompatible with older equipment — some of which is more than a decade old.
“As it gets to the end of its life, it’s like Windows XP getting off of support, and they’ll no longer provide updates,” Dahlin said, adding that the University constantly updates its systems to ward off new potential threats. “Keeping up with that is very important.”
Cyberattacks on colleges and universities are not uncommon and in the past have sometimes been easy targets.
Last year, Pennsylvania State University reported a pair of breaches. In one of those, the personally identifiable information of about 18,000 individuals was reportedly accessed.
One of the attacks caused temporary disruptions to Penn State’s engineering school, which was forced to disconnect from the internet while its system recovered from the attack.
Network upgrades for the University of Minnesota will likely be completed within two to three years, Dahlin said.
The Minnesota Legislature will review the University’s financial request for the project in the coming months.
“I think our request is reasonable,” Johnson said. “Hopefully the Legislature will give an honest look at them and be supportive.”