I was invited to participate on one of several panels providing input to the Presidential Commission on Enhancing National Cybersecurity about securing the future of the digital economy. The event took place June 21 at the UCB Center for Long-Term Cybersecurity. Watch this video for some of the flavor of the event. My remarks are posted below:
Good morning. Thank you for the opportunity to participate on this panel and describe the University of California’s (UC) current strategies for managing cyber-risk, as well as to share a few opportunities we see for securing the digital economy through stronger collaborations in cybersecurity.
Overview of UC
The University of California system – composed of ten campuses, five medical centers, and affiliations with three national laboratories – is a global leader in education, research, health care, public service, and innovation. We have more than 238,000 students, 190,000 faculty and staff, and 1.7 million alumni living and working around the world. We offer 150 academic disciplines, 600 graduate degree programs, and have produced 61 Nobel laureates.
Many of California’s leading industries grew from UC research, including biotechnology, computing, semiconductors, telecommunications, and agriculture. We have 12,559 active patents, with 840 startups founded to date on UC patents. As the nation’s largest recipient of federal funding for academic research, we secure $7 in federal and private dollars for every $1 in research funding provided by the state of California. And UC helps drive California’s economy, generating over $46 billion in annual economic activity for the state.
The Open Research Environment
Innovation is the hallmark of any research university, and for UC, innovation defines both our past and our future. We steadily protect the core values of an open environment that we believe fuels innovation – academic freedom, the exchange of ideas, and collaboration among researchers and institutions all over the world. We are committed to maintaining this open environment not only to advance research and scholarship, but also because it serves and ultimately benefits society at large – from patients receiving the latest treatments, to farmers getting new tools to increase their yields, to private citizens breathing cleaner air. Our education, research, health care, and public service mission requires that we balance our responsibility to manage security and protect data with the need to foster a collaborative, innovative academic and research environment.
It is, though, a significant challenge. While maintaining this open environment, we have to comply with state and federal privacy regulations; we must protect our intellectual property, the foundation for our ability to help solve the world’s problems; and we must adapt to the ever-changing threats that exist in today’s connected world.
Our approach, therefore, is to continually prioritize risk and implement strategies across five key areas, recognizing that our needs and focus must change as the digital world evolves:
- Governance. We have convened a cybersecurity governance committee that includes representation from all UC locations and includes executive leaders in academia, administration, faculty, and technology. It is critical in the university culture to engage these voices in the conversations and decisions about managing security, privacy, and the open research environment.
- Risk Management. We have implemented a cyber-risk management approach that is based on international standards and strives for consistent methods of assessing and measuring risk across the multiple units and locations that comprise UC.
- Modernizing Technology. We are now leveraging our unique nature, size, and scale to bring state-of-the-art technology to our locations. Higher education is one of the last industries to fully move to digital business, and until now we had not consistently been taking advantage of the latest technologies and services.
- Developing Common Solutions. We are adopting approaches that enable us to collaborate and more strategically work together as a single entity, rather than operating as individual campuses. Coordination translates to better protection. For example, we now can detect the same attacker profiles at multiple locations, and share warnings and strategies in timeframes much more quickly than in the past.
- Culture Change. We are fostering a culture where everyone is aware of their cybersecurity responsibilities. Our greatest risk comes from people not understanding today’s threat environment or how to reduce risk. We have implemented training for all faculty and staff, advanced training for information security personnel, and teamed up with partners to improve our cyber awareness.
New Directions
Given the rapidly changing threat landscape and the reality that resources will always be limited, UC welcomes greater collaboration across sectors as the best means to manage cyber-risk more effectively.
- Information Sharing. Of particular importance is increased intelligence sharing to detect and respond to threats. Certainly a level of sharing occurs today, but impediments to effective communication also exist: Stale information, duplicative alerting, and classification tiers for receiving alerts may delay detection and response; not everyone is in the “circle of trust” who should be. Thus, collaborative arrangements among agencies and institutions should be developed to enable the timely, accurate sharing of threat intelligence.
- Solutions Creation. Collaboration not only enhances our ability to respond to threats but, perhaps more importantly, provides avenues to new solutions. Universities have access to some of the brightest minds in the field and adjacent fields who could add value to the cyber challenge. An example is this very Center for Long-Term Cybersecurity at UC Berkeley. Government and the private sector need to take advantage of this. Greater public-private partnership is needed to enable universities to launch joint research ventures for developing the strategies and tools to combat threats.
- Workforce Development. The current scarcity of cybersecurity professionals in the market, including the high salaries these professionals command, compounds the challenges for public and private organizations alike. By 2019, a global shortage of 2 million cybersecurity professionals is expected, according to ISACA (formerly called the Information Systems Audit and Control Association). Programs should be established to mobilize our universities to assist in the development of the cybersecurity workforce. The environment of advanced research and workforce development working hand-in-hand is essential to staying ahead of bad actors.
For UC, managing cyber-risk is simply the new norm. We supported California through its agrarian, industrial, and information periods. We continue to evolve and support it in the digital age. Cyber-risk is here for the long haul. It is a long-term game. We will continually revise and refine our approaches as threats and technologies evolve. But our best, long-term strategy will always be to work together – across universities, governmental agencies, and the private sector.
It is great that UC has a part in shaping the future of the Digital Economy and we were invited to the table along with innovative players like Google. Interesting that in his recent Bloomberg interview President Obama also cited the challenge of scarcity of resources in having overall economic growth: “And our goal has been to generate 100,000 more engineers…and to really focus on STEM education. That will help with productivity growth over the long term….”
Is there a contact for the UC System that would be appropriate to approach about the idea of setting up a UC-wide information sharing pool via the vendor Anomali which shares threat information with its customers and allows them to share with each other?
Garrett, thanks for the suggestion. Please contact me (or Josh/Isaac) and we can discuss further.
I shared your name and comment with both Isaac and Josh.