The Diversity of Security Challenges in Higher Education

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 173 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

Security professionals at institutions of higher education face a broad spectrum of challenges, from protecting the internal networks of their organizations, to securing intellectual property of research groups, to protecting the personal information of thousands of students and staff every year.

Our guest is Bob Turner, chief information security officer and director of the office of cybersecurity at the University of Wisconsin, Madison. He shares insights from his experience leading a team of professionals and students who are tasked with protecting a wide variety of information and systems. Stay with us.

Bob Turner:

I started out my professional career 15 days after my 18th birthday, where I went to Navy boot camp. And I ended up in the submarine force as a radioman. Radiomen in the submarine force are the information security experts. We had all the files and we had the transmission media, the encrypto and all of that kind of stuff. And we were very happy on my submarine that we had the satellite channel that transmitted at 2,400 baud.

Dave Bittner:

How decadent.

Bob Turner:

We were smoking fast back then. And so that's my foundation and security is really back there in those days. And 23 years later, I decided not to make the Navy a career. I had actually done a lot of really fun stuff in the military. I was on two submarines. I got to teach at the submarine school. Then I went to the surface world as a communications officer. And I had two large deck amphibious platforms where I was a communications officer department head on, as well as tested satellites, which was fun. I deployed a mobile communications van and all of the security that goes with that to Operation Desert Shield. And then I deployed on one of those big deck carriers in Operation Desert Storm. Following that, I got to do interesting testing of satellite systems. And then I got six years, two different tours managing high visibility executive communications outfits for NATO and the U.S. Navy.

So security has always been woven in and out of everything we do, my entire career. And getting into the world of information security in the cyber age, that really started as I was testing that satellite. And this was back in the mid-nineties. In a lot of what I did following that, I was a consultant with one of the major consulting firms in not only the defense industry, but commercial practice. I mainly focused on cybersecurity as my stock-in-trade. I had a team that did risk assessments. I had a team that was doing cybersecurity inspections. And we also did some interesting stuff for a couple of agencies and other activities focused on understanding the executive question, what do I do in a cybersecurity event. And so that really has shaped my career desires.

And then about six years ago, I said, "Gee, I want to do something different." And the opportunity to be a higher education CISO appealed to me because, hey, they get a chance to think about it and do it right the first time. Whereas in government contracting, there's always somebody willing to pay you to do it over again. And here I am today, five and a half years later, at a top research university with a growing cybersecurity team. I have about 60 folks on staff, which includes 20 or so student workers who come in and help us run our security operations center, do a little bit of our secure database access authorization work, as well as helping our risk management and compliance area.

Dave Bittner:

Can you give us an overview of the types of things that fall under your charge. I mean, what's the breadth of responsibilities that you and your team have there at the University of Wisconsin-Madison?

Bob Turner:

Well, I am the official designated to be in charge of cybersecurity at the university, which means that I get to report to the UW system level. The University of Wisconsin constellation of campuses includes 13 four-year institutions, two of which are also doctoral granting institutions. And then we have another 13 two-year institutions, which are all spread throughout the state. So that's a pretty significant grouping.

Now, the two-year institutions a couple of years ago were realigned so they each report to one of the four-year institutions, and Madison itself also handles the Wisconsin Public Radio, as well as what they call extension offices, and then some other research stations throughout the state. So it's pretty large overall. Madison has 44,000 students on average per year. We have 23,000 staff. But when you take vendors, affiliates, and other users of our network, I'm probably in the 70,000 user range for our services.

Dave Bittner:

Now, what is it like? Every year you have a new batch of students coming on board and they all want to connect to your network. I mean, what's the reality of that situation from a security point of view?

Bob Turner:

It is a lot of prep work over the summer time, a lot of repair and refine and replace things that aren't doing well. And then when we get about two weeks out from classes starting, which this year is September 2nd, so we're in that zone right now, that's when we're making sure that everything is working in its optimum capacity and capability. Following that, it's let's continue planning for whatever is going to happen next.

We started the winter spring term in January this past year and nobody anticipated COVID. I'm sure that there was some anticipation because the fun part of that is we actually did a pandemic tabletop exercise in the Division of Information Technology, which is the central unit on campus. We did that in the fall of 2019. So we had already worked through some of the communications challenges and the organizational challenges. So when it came time to do the transition from in-person courses to online courses, we were able to do that in a very short time. And that included transitioning 3,700 core courses from in-person delivery to online delivery.

Dave Bittner:

So that really served you well.

Bob Turner:

Yeah, and it was the preparation time and it was the understanding of what we would need to do. And it was also checking those channels. I've done some business continuity work in my past and a business continuity plan that is never exercised is not a plan. It's a bunch of stuff on paper. So we were able to walk through and validate that, and that's the kind of work we do during the school year. We take our slow down periods, so at the beginning of summer, everybody takes a deep breath and then we exhale and get back to work. Sometime during the summer, I like to encourage my team to have a little bit of time off, but when September goes in and the students arrive, we try to work really hard to get them through. And then we take our break at the winter holidays.

Dave Bittner:

What kinds of things are you and your team defending against? Who's coming at your network?

Bob Turner:

It's the usual array of threat actors. Think about the things that research is doing. We're doing a lot of research in the area of COVID right now, and that's just we have the capability, we have the expertise, we have the researchers that want to do that. But we also have a School of Medicine and Public Health. We also have a School of Nursing and a School of Pharmacy. So healthcare education is important, and that has just a treasure trove of highly valuable information in it.

But we do engineering work and some of that work is patentable work. So that's probably attractive. We do a lot of business-influenced work. We have a Data Science Institute, which is trying to figure out the better ways to understand the magic acronyms of AI and ML, artificial intelligence and machine learning. And that's attractive information. Not only that, 44,000 students, 23,000 staff, that's a treasure trove of marketable information.

Dave Bittner:

I always wonder, as someone in a situation like yours, where certainly you're going to have some students, and I'm thinking of, oh, I don't know, folks in computer science and other sorts of places, who are going to look at the campus system or the university system as their own personal playground. They're going to want to test their own skills against yours. I mean, is that an annual thing? And how do you not be adversarial? How do you support the educational aspects of those students, while still keeping things up and running. What's your approach to those sorts of things?

Bob Turner:

Well, first we are establishing some really good partnerships with the Academy, with the professors and researchers that are interested in studying the cybersecurity arts and sciences. We've had a relationship with the Information School, which is part of the College of Letters and Sciences. And now they're part of what's been amalgamated as the School of Computing, Data, and Information Studies. So CDIS. And in doing that, I mean, the partnership is, if it's data, and if it's doing things, if it's working or resting, or if it's needing to be analyzed, we have people that are very much interested in that.

So I've had my department be intentional about establishing those greater relationships. We have researchers doing anything from identity access management research, to data analytics, to cybersecurity metrics. And then we have others on campus that are doing great work in high throughput computing, great work in engineering, the next greatest computer technologies, and other side trips. We have a researcher that is working on autonomous vehicle research, and there's an awful lot of cyber in there too.

So having those kinds of relationships is the real multiplier here. And this is not unusual, by the way, for a university. This is nothing super special we're doing. It's just that there's a lot of cybersecurity programs out there where they're NSA certified, Center for Academic Excellence certified, and we're going to get there eventually, I believe. But right now, we're just supporting the researchers and the courses that are being taught. I have been a guest lecturer in one of the business school courses that has an information security course as part of its core. That's been fun. I enjoy doing that. I did a little bit of that as an adjunct at a university prior to my coming here.

Dave Bittner:

What about threat intelligence? What part does that play in your organization's defenses? How do you ingest those sorts of threat intelligence feeds?

Bob Turner:

So three ways, actually. We have tools that we have on board and they come with threat intelligence, indicators of compromise, what we call conditions of weirdness, COW. That's Wisconsin, it fits. We get the indicators across, and that's an intel source for us. In getting that machine intel, so machine-to-machine transfer, we get a lot of really good data, but we also have services. For example, we have a CyberWire subscription and we get the daily report from them. We also get some other contract services daily reports. Maybe a different flavor of intel, but it is useful, especially when it comes with the aforementioned indicators of compromise or vulnerability identification information. And then we have subscriptions with the InfraGard organization. We have the research and education networks, Information Sharing and Analysis Center, the ISAC. We have big 10 academic alliance relationships where we are sharing data. We have a SIFs architecture that has been used.

I learned a long time ago that you're never going to have enough intel, but you have to have a way to process the intel you do have. My desire and concern for my team is to make sure that they have all the intel they need. We do have a regular routine. We run a playbook every day. And amongst the things in that playbook is analysis of the intel that we have coming in from all those sources. And usually, what we're able to do is pick out a couple that are relevant to the university. And then, if the information is worth sharing with the rest of the university, we'll do that. We'll also share with others that we have data sharing agreements with.

Dave Bittner:

What is your own leadership style? How do you go about heading up your team?

Bob Turner:

I do not have the skills I once had, so I really depend on the team. And I like to empower the team as a whole to do great and wonderful things. I am gifted with three absolutely superior assistant directors and they are all mission-focused. They are all understanding that this is an important business for the university. And all of them, independently, have some skills that I would just not want to do this job without.

I have a deputy who has been with the university for 20-some odd years and has been in the information security team the whole time. He was pretty much one of the first that was hired specifically for his information security skills. And he's currently my deputy. We just anointed him that in the earlier part of the year when another one of my directors left to become a CIO. And the other two directors are both seasoned professionals in the IT business, as well as having experience in security. And they're just, they're running three major domains.

So we have a risk management, compliance and security engineering domain that has one of those assistant directors. And that's the group that is doing the risk analysis. So we do a NIST modeled analysis framework. We assess applications before they're purchased when we know about them. And we have a regular process for understanding risk. And I think the program that has that is going to be a whole lot better off. That's the start of your risk register.

And then you throw in the next domain, which is our cybersecurity operations center domain. And that really has two teams in it. One is specifically incident response, forensics, and running the daily business. And the other we call testing and cyber-defense, and their real mission is vulnerability management. So they run the scanning tools. They run the security tools that are focusing on the business. Endpoint management, endpoint security-type tools are the things that they worry about. And they also do penetration testing. They do a little bit of defensive information operations. We haven't quite gotten the offensive side of it down because there's some real interesting legal twists in that, but we're trying to be that full service operational area.

And the last major domain is what we call common systems cybersecurity, which is our ERP systems. HR information, student information, financial transactions that go on. And we do it for the university system as a whole, as well as focus on the things that are going on on campus. And every one of those systems needs to have somebody watching out after access control, access management. And so that's a feature of that group as well.

Dave Bittner:

You mentioned that, as part of your team, you bring on students every year. How important is that to you to be able to be in that mentoring position, to help nurture that next generation of cybersecurity pros?

Bob Turner:

Yeah, I think that's always been a draw of mine is to make sure that we're growing and evolving, not only the current staff, which we have some interesting ways to do that. But also it's, I don't know what the latest numbers are, but there's a lot of unfilled positions because there just is not a strong enough pipeline, supply chain, to provide those experts. We graduate a handful per year, and if they've been with us for three to four years of their college experience, they're coming out with a computer science degree from the number 11 computer science program in the nation. How much would you pay for that person if you knew they also had four years of cybersecurity experience? And I think that that's one of the things we do.

But we also give them opportunities to grow and learn. And in fact, a lot of the processes in our SOC have been automated by the students. And of course, the other aspect of it is, we do tell them, right up front, their primary responsibility is earning that diploma. I don't want working for the SOC to get in the way of that, but it also, I find that it actually compliments it. So the student who's in a programming curriculum gets to do a little extra work and learn more. And that's a great thing.

One of our students was a legal studies major, and he worked in all of the teams, he's now working for one of those wonderful consulting firms because he had a very wide breadth of experience in cybersecurity. So at the end of the day, we are growing that pipeline, maybe not in leaps and bounds like some of the universities that have the full blown program, but we're contributing.

I think it's important to share that higher education is often thought of as, oh, you're just teaching. That doesn't require a whole lot of extra security. But it does. I would challenge somebody who said that a research university higher ed CISO is not dealing with our problems. I'm dealing with diversity every single day. Use cases are so diverse. The Academy is so diverse. The average user is a portrait in diversity of background experience, ability, and understanding of security issues. Our leadership is extremely diverse in their thought processes, but we've been able to use that diversity as a strength. And I think that, when we talk about diversity in its truest sense, we have the input, we have the ears, and we have the resources made available to us to do the right work. And honestly, yeah, this is my first CISO job, but I would say that it is probably one of the best.

Dave Bittner:

Our thanks to Bob Turner from the University of Wisconsin-Madison for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.