American colleges and universities have a cybersecurity problem, though maybe not the one you’ve already read about.

Ransom attacks at schools do make news. And there’s no question our education institutions remain vulnerable to those types of threats.

But this new threat, experts say, is not coming from malicious actors seeking profit or leverage, but from the people who are trying to stop those actors. It comes in the form of the Cybersecurity Maturity Model Certification, or CMMC. In short, it is a security certification framework established by and for the Department of Defense (DoD), intended to harden the systems and data of the organizations that work for it. It requires continuous monitoring of networks, an accounting of who can access data, and outside audits and certification of compliance.

And, for defense and other critical infrastructure, that’s good.

But there is a problem.

Helen Patton was the Chief Information Security Officer at The Ohio State University and now holds a similar role, Advisory Chief Information Security Officer, at Cisco, which provides network security for hundreds of colleges and universities. She says that, as good as the CMMC is, it is about to land on colleges and universities, and that could be a nightmare.

“We’re not at a catastrophic level yet,” Patton said. Her “yet” is not entirely reassuring. “If we were using the 9/11 color codes, I’d say we’re light orange right now,” she said.  

The problems, Patton says, will come in a few ways.

One is that the CMMC will apply to any school that does research, or holds contracts or grants, on a Defense Department program or initiative. And while that is not all that many schools nationwide, it is already apparent that other major government grant and research providers may be moving in the direction of the CMMC too.

“Energy, NSF, the National Institutes of Health are all coming in now and saying, ‘this looks very interesting’,” Patton said. There is even talk that student financial aid records, and more broadly any data or system that touches or flows from federal funds, will be put under CMMC or a similar, much stricter security regime. That could affect every school in the country, public or private, R1 research university or community college.

Davis Hake agrees. He’s spent a decade in cybersecurity, at Homeland Security, in Congress and is now Co-Founder and VP of Policy at Resilience Insurance, which advises and insures against cybersecurity threats and has several higher education clients.

“Universities in general are a red alarm on cyber risk,” Hake said. CMMC, he said, “Definitely appears to apply to any university that has a federally funded research center,” adding, “any university with a heavy reliance on ongoing research contracts should definitely be taking CMMC seriously. They should be taking this opportunity to raise their bar around security.”

And, Hake and Patton agree, raising that bar takes money, money that may be, but probably is not, out there. “I don’t think the funding is going to arrive,” Patton said. “There may be some conversation about funding the needs for the external audits but probably not in terms of the cost of implementing the required governing controls.”

Beyond the cost, CMMC requires a school to be certified at the required level before it can be awarded a grant or research contract. For some schools, that could be financially ruinous.

Moreover, if CMMC is adopted by other federal agencies and tied to their funding, the requirements could disrupt the flow of information and the review and publication cycles of important research. The portion of CMMC that requires organizations to know who has access to data and for what purpose could, for example, seriously limit peer review of research, or even crimp open debate of ideas and theories inside schools and among institutions, foreign or domestic.

And university research is not esoteric; it is a major driver of innovation and economic expansion and a key to competitive advantage in every conceivable market. Slowing it down by dousing it with security controls, however well intended, could be very damaging.

But those are CMMC outcomes, what could happen once CMMC arrives. Right now, the loudest alarm is that schools are not ready for its arrival, in most cases not even close. “Most [big research schools] have dedicated security officers for research,” Patton said. “The smaller schools, they are a little behind the curve. They are waiting to see what the big schools are doing.”

Even though requiring CMMC or CMMC-like controls at schools with government funds and government programs may be two or three years off, the lack of awareness and preparation could nonetheless be a big problem.

“Hopefully cooler heads will prevail,” said Patton, “and we will be able to think more deeply about where we are and the flexibility that will be needed – on both sides.”

But, says Hake, “With CMMC affecting so much of what schools do, it’s well past time and a great wake up call to them that it’s time to invest.”  

“This will take an investment of money and is also going to require organizational will and organizational focus. Right now, the focus is quite scattered. But there’s no doubt this will rise quite high in terms of C-level attention,” Patton said.

That is because, however and whenever it lands, new security rules will force schools to significantly change how they manage and protect their research projects and digital assets. Schools should be thinking about it, preparing for it, and dealing with it now.

Source: https://www.forbes.com/sites/dereknewton/2021/11/04/the-big-unexpected-cybersecurity-threat-coming-for-our-colleges/