A high school student submits an application to Harvard. An undergraduate at the College receives a prescription from Mental Health Services. A professor collects data on nuclear power for a research project funded by the Department of Energy. All of this information is recorded electronically and stored on Harvard University's computers and servers.
From Social Security numbers to health records to research, countless pieces of information valuable to faculty and the student body get stored in Harvard's computer system.
This very system undergoes a barrage of cyberattacks every single day.
What makes Harvard's technology infrastructure so appealing to hackers is not simply the information that passes through the system. If effectively breached, Harvard's servers are powerful enough to be used as a weapon against other cyber systems, can be repurposed to store outsiders' sometimes illegal data, and can be destabilized to shut down crucial components of the University's operations. And of course, if a hacker is simply looking to embarrass an American institution that is both powerful and prestigious, Harvard certainly fits the bill.
The types, targets, and sources of assaults on the University's system remain unclear, but one fact is certain: They are relentless.
“We're seeing things in the tens of thousands a day,” said Christian Hamer, Harvard University IT Department's chief information security officer.
What exactly those “things” are, and how many tens of thousands of them occur, are facts shrouded in mystery, as are many components of the University's apparatus for defending against them.
And while governments and corporations alike experience similar cyber threats, universities like Harvard face a unique test: how to balance an academic mission demanding an unfettered flow of information with the need to protect valuable data and computer systems. As the problem of internet attacks grows more formidable, the University will have to decide where to draw the line between securing the system and preserving an open campus.
UNDER ATTACK
One morning in September 2011, as high school seniors began thinking about their college plans, visitors to Harvard's website were greeted not with images of professors or students participating in community service projects, but rather a photograph of Syria's President Bashar al-Assad. The Syrian Electronic Army, a group of hackers that has gained notoriety by defacing prominent websites to show support for the Syrian government, had altered the University's website, so that it read “Syrian Electronic Army Were Here,” and displayed al-Assad's image.
While this particular incident may be no more than a minor embarrassment, it's a reminder of the constant attacks on the Harvard technology system, the number of which has been skyrocketing in recent years.
The first computer worm, created by a Cornell student and released from MIT in 1988, caused thousands of dollars in damage and shocked the high-tech world. Twenty-five years later, the quantity and sophistication of cyberattacks have grown beyond anyone's imagination. As cyberwarfare extends from shutting down stock markets to destroying nuclear facilities, few of society's institutions have escaped the wrath of hackers around the world. Universities are no exception.
“The fact is that today versus 10 years ago, we are so much more connected, we are so much more networked, we have so many more assets in cyberspace communicating, moving, talking to each other, creating trails… They are vectors of engagement, of exchange, of commerce, and of exploitation and attack,” said Zachary Tumin, who manages a project on technology, security, and conflict in the cyberage at Harvard Kennedy School's Belfer Center for Science and International Affairs.
Harvard has twice reported breaches of cybersecurity in recent years, both of which could have resulted in leaks of very sensitive personal information. In March 2008, an unauthorized person accessed a Graduate School of Arts and Sciences website that contained applicants' personal information, including Social Security numbers and test scores. Later that year, client data from a law school clinic was misplaced. The University was required by law in each instance to send a letter detailing the breach to the Office of the Attorney General of Massachusetts.
Though Harvard officials say their electronic systems are assaulted relentlessly, in the past decade just a handful of those attacks have been publicly acknowledged by the University or reported by mainstream media outlets.
Admitted leaks of personal information at Harvard have flown relatively under the radar, unlike some other American universities that have made national news after experiencing similar but perhaps larger data breaches. In July, an attack believed to originate overseas breached Stanford University's information systems, prompting administrators to ask all users of Stanford's networks to change their passwords. Emory University issued a similar directive in August after disks containing health records of 315,000 patients were misplaced. In both instances, university officials said that they did not think personal information had fallen into the wrong hands—but remarked that they could not be sure.
These recent incidents dragged the threat of cyberattacks from the depths of server rooms and IT Offices into the public eye.
“[Universities are] handling, developing, creating intellectual property that is potentially valuable,” said Ryan Ellis, a research fellow with the Belfer Center's project on technology, security and conflict in the cyber age. “They're handling health records and personally-identifiable information that we want protected.”
Tumin, who has held various technologyrelated positions in wide-ranging fields such as criminal justice, education, and financial services, has witnessed this rise in cyberattacks first-hand. “It's a new fact of life for us,” he concluded.
Hamer of HUIT agreed that cybersecurity presents a growing problem. “I think the most important thing about that is that it is certainly rising over time,” he said, while noting that cyberattacks had always been an issue of concern.
While Hamer declined to comment on the specific number of attacks that HUIT discovers, computer science professor J. Gregory Morrisett said that some of them—perhaps the most dangerous—could fly under even the IT Department's radar.
“That's what scares me,” Morrisett said. “The really smart attackers break into your system, own your machine, but don't let you know it.”
Rodney Petersen, director of the cybersecurity program at Educause, an IT-focused collaboration of schools and companies, said that the apparent escalation in attacks could be due, in part, to an enhanced ability to detect them.
“We have to be a little cautious to report what more attempts to access systems means,” Petersen said. “The reality is, we've changed our ability to monitor and detect those [attacks].”
Still, Hamer concedes that while detection capabilities have improved, the number of attacks is undeniably on the rise. “I think that some of the characteristics of the attackers may have changed and evolved over time,” he continued. “And certainly the tools have evolved, and I think that's a contributor to the increasing number [of attacks]. I think [those tools] are more accessible and available to people.”
Hamer and other Information technology experts interviewed for this story noted that unwanted intrusions into servers, computers, and websites could be divided into very different categories—some far more dangerous than others. Some attacks are designed to disrupt computer systems, some steal information, and some, such as the incident masterminded by the Syrian Electronic Army, simply adjust the content of websites to make a political statement or embarrass a target.
Lucas Kello, a fellow with the same Belfer Center project as Tumin and Ellis, said that the type of web defacement such as the Syrian Electronic Army intrusion signified “a very low-spectrum example of this attack,” particularly in comparison with cyberexploitation that involves stealing privileged information from a computer system.
“It's really kind of across the board: people just looking to send spam, people looking to compromise servers to send spam or to host malware, and sometimes people after specific information,” Hamer said, referring to the various kinds of attacks.
Though he refused to detail specific targets of the attacks, Hamer admitted that some intrusions have been successful. “We certainly have seen servers be compromised, and I think that's about as far as we can get into that,” he said.
Not only do these attacks come in a variety of forms with a range of intended effects, but also the parties responsible for launching the assaults are largely a mystery.
While media outlets have suggested that many of these attacks originate in China, Hamer remained cautious about implicating any particular country due to the difficulty of identifying perpetrators and the ease with which one user can pose as another. “The most sophisticated people are really good at that kind of thing, so it's a little hard to tell exactly where they're coming from,” he said.
Whether or not critical information has been taken from Harvard, people have undoubtedly tried. The goals of cyberattacks here vary as widely as their origins: stealing Social Security numbers, to hijacking Harvard's massive servers and bandwidth, to accessing research that could one day yield lucrative patents.
ON THE DEFENSIVE
On the bustling, colorful streets of Harvard Square, the offices above Bank of America on Mass. Ave. are remarkably nondescript. With not a marker in sight other than the 1414 above the door, you have to know where you're going in order to end up there. But though HUIT's office lacks the grandeur typical of Harvard's campus, what goes on inside is nothing short of vital to Harvard's operations.
Of HUIT's 600 full time employees, 11 work within its information security department. Hamer and his team are assigned to secure information systems in the Faculty of Arts and Sciences, Harvard's central administration, and the Medical School, Dental School, and Divinity School, said HUIT spokesperson Kevin Donovan. The University's other schools handle their own IT security.
In the complex and covert world of hacking, with little information known about the hackers themselves and what they're after, it seems fitting that the University's security force is also an enigma. Hamer refused to give specifics on virtually any aspect of the University's cyberdefenses.
Some basic facts are clear. As the role of technology has rapidly evolved on Harvard's campus in recent years, the University has moved toward a centralization of its information technology. In 2011, FAS IT and University Information Systems combined to form HUIT. Since then, services at some schools, such as the School of Engineering and Applied Sciences, have shifted to the central office. Still, there are a multitude of technology services groups across the University, and Harvard's size and segmentation may make fending off cyberattacks more difficult.
“Harvard has tried to make more of a push towards [centralization] with the formation of HUIT, but there are so many different systems and so many different administrators,” Morrisett said. “So there's going to be a lot more success for attacks in this environment.”
Beyond the University's sheer size and expanse, perhaps the greatest threat to security comes in the form of countless laptops and other devices connected to the network 24 hours per day, seven days per week, by students, faculty and staff. Every time a student connects to the Harvard University wireless network, he creates a pathway into Harvard's system, one that could be potentially exploited by a hacker.
“I'm more worried about the average student and average faculty staff member's machine, which isn't controlled by some central IT group,” Morrisett said.
In an attempt to plug the potential holes created by thousands of individual devices on Harvard's network, HUIT distributes advice on how to keep personal computers free from intrusions.
“Whether that's having strong passwords, keeping their operating systems and software up to date, making sure they avoid suspicious websites, emails, [and] links… I think those are really the most important things that the community can do,” Hamer said.
Although Harvard's information technology resources make the University's security systems among the top in the higher education sector, the effectiveness of these precautions and safeguards are effective remains unclear. The rapidly evolving field of cybersecurity, and the strong economic incentive driving increasingly-advanced attacks, create even tougher foes for Hamer and his team.
Morrisett offers a candid assessment of Harvard's ability to protect its computers. “It's a losing game in the long run, because the malware never goes away, and there are still versions of viruses from 15 years ago floating around that you have to protect against,” he said. “And the attackers get more clever about crafting the attacks so that they're not easily recognized by simple scanning.”
Some targets within the University are both more coveted and more protected than others. And in some cases, defending data is required by law. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Family Educational Rights and Privacy Act (FERPA) of 1974, contain strict requirements about securing health records and student records, respectively. Experts explained that health, student, and financial records—which can be kept under lock and key far more easily than a professor's research, for example—are generally safe.
“Things on that administrative side are pretty well secured,” Morrisett said. “Harvard would have a lot to lose in terms of face if it leaked information about [students], and there are federal laws and so forth to abide by.”
Petersen, the cybersecurity expert at Educase, said that universities are learning to separate data that most requires protection. “First and foremost, institutions have begun to think seriously about the type of data that they need to protect,” Petersen said. “There are a lot of measures on campus to try to improve information security. I'm not entirely discouraged that we can't keep up.”
Along with securing personal information about students and faculty, HUIT must combat illegal uses of its technological infrastructure. In some cases, federal law enforcement can assist in that effort, especially when attacks might have some serious criminal element.
“We collaborate with them when we need to,” Hamer said, but declined to elaborate on the nature or frequency of that collaboration. Morrisett said that the Federal Bureau of Investigation might be involved were a Harvard computer or server to be taken over and used for illegal activities. He recalled a specific instance where an old SEAS system had been taken over by intruders and used to store illegal files.
“There are a few things—child porn is a good example—where law enforcement would be called in right away, and a concerted effort would be made to identify who the perpetrators are and ideally trace it back to the originators,” Morrisett said.
The idea of Harvard's servers being used to store child porn might surprise the average student, but the servers' capacity to store huge amounts of data makes them ideal for such illicit purposes.
In the past 10 years, the FBI has angled for an increased presence in computer security among higher education institutions. Bureau Director Robert Mueller created the National Security Higher Education Advisory Board in 2005 to facilitate partnerships between law enforcement and universities. The FBI did not return repeated requests for comment on this story.
Despite the FBI's occasional involvement, Harvard must fend for itself when it comes to most threats. The distinction between academic research intended to be published and administrative data concerning individuals—which might even be legally protected—creates tensions between cybersecurity and open access.
Unlike the government or a typical privatesector company, Harvard's interest in fostering an open, educational environment make HUIT's job even more tricky to navigate.
PICKING BATTLES
Sitting in his second-floor office of the Maxwell Dworkin building, in the heart of Harvard's School of Engineering and Applied Sciences, Morrisett pointed across his office to the large Apple computer sitting on his desk.
“It could get hacked, I'm sure, pretty easily,” said the chair of the Harvard Faculty of Arts and Sciences Standing Committee on IT, who is also a member of Microsoft's Research Technical Advisory Board, as well as the Intel/Berkeley Science and Technology Center for Secure Computing Advising Board.
Morrisett, perhaps unsurpassed in cyber-security expertise at Harvard, recognized “the futility of modern firewalls and other kinds of border defenses.” He noted that a hypothetical targeted attack by the Chinese or the National Security Agency, for instance, could easily access his machine.
Unlike a typical corporation, where management can impose top-down regulations on computer security, Harvard must grapple with the University's professed dedication to—and faculty's insistence on—an open flow of information.
“HUIT must contend with the fact that a university is meant to be a fundamentally open place, and a churn of new students and community members coming in, along with the mismatch of paranoid security practices (such as special twofactor security keys) to that openness, means that the University must strike balances that private sector companies need not worry about as much,” Harvard Law School professor Jonathan L. Zittrain wrote in an email.
According to Morrisett, this distinction signifies one of the key differences between Harvard's fight against cyberattacks and that of private sector companies. While a business executive might be unable to access company data from home or abroad, professors generally have free reign over where and how they interact with their research.
“We're open as much as we can be,” Morrisett said. “The whole idea is to make information available. And so we can't afford to put everything behind a big giant firewall and impose dramatic security conditions....It just wouldn't work.”
Hamer agreed, saying that HUIT keeps those principles in mind. “In some corporate environments, it's easy to be very controls-focused and come up with a big list of things that people are not supposed to do,” he said. “That's not something that works well here, nor should it. It means we have to be more collaborative with folks and work with them and look at this as a shared responsibility.”
The very nature of a university requires that control over information cannot be exclusive to one office, or even the entire administration. “I don't believe there is any one person who brings the hammer down and says this is how we are going to do business,” Tumin said. “A university is essentially comprised of a faculty of scholars who must be involved in these kinds of deliberation.”
In many ways, Harvard's open research philosophy of publication means that professors are less worried about cyberattacks that target research, particularly given the security measures already taken—however basic they may be.
“We are mostly interested in sharing our data, so we're not actually concerned about information being taken,” astronomy professor Charles R. Alcock said. “There is some concern over someone going in there and corrupting the data. As long as there is good or even reasonable firewall protection, we feel fairly secure.”
Mitzi I. Kuroda, a professor at Harvard School of Public Health, said that she had never considered the possibility of an outside attacker breaking into her computer and accessing her research data.
“I guess it never really occurred to me that someone could make enough out of what we have in all of our files to reconstruct something useful,” she said. “So far we feel safe. In basic research, it hasn't been a big issue for us.”
The existing security precautions taken by Harvard's administrators interfere very little with the user experience, according to several professors. “Cybersecurity has not actually been much of an impediment to our research,” said Alcock, who frequently uses large data sets accessed online. “The ordinary institutional protections are adequate for our needs and have not really gotten in our way.”
Yet this lack of intense security oversight by the administration may leave individual computers more susceptible to attacks from the outside world. According to Morrisett, “Universities are target-rich environments because they're not so locked down and a lot of students' [computers] can be owned rather surreptitiously, and that leads to a problem.”
Given the decentralization of Harvard's information technology, Hamer said that individual community members must work together to protect the system. “Theres no one technical control or big thing we can throw at it; we all have to work on it together,“ Hamer said.
As attacks become more sophisticated, however, HUIT may be forced to implement more rigorous security measures to protect the entire system from the vulnerabilities of a single computer. Any step taken to combat potential attacks must be weighed in the context of Harvard's greater mission as an institution of higher education.
“This place should be open, and if security's getting in the way of me teaching, or you guys studying or doing whatever you want, then it's bad,” Morrisett said. “And I worry that we're swinging too much towards taking bureaucratic steps for compliance that don't really address real problems and yet get in the way of usability of the systems.”
—Staff writer Dev A. Patel can be reached at dev.patel@thecrimson.com. Follow him on Twitter @dev_a_patel.
—Staff writer Samuel Y. Weinstock can be reached at weinstock@thecrimson.com. Follow him on Twitter @syweinstock.