Protecting the Scholarly Infrastructure: Key Takeaways from a Cybersecurity Summit
Last month, Scholarly Networks Security Initiative (SNSI) hosted its first virtual Security Summit with the goal of broadening the discussion on security threats to the research ecosystem. Key topics included how to engender closer collaboration between librarians, publishers, academics, and scientists dealing with the security challenges surrounding online research, as well as the further reaching implications of institutional IT network security breaches.
Panelists of the 4-hour summit included Corey Roach, CISO at the University of Utah, Crane Hassold, Sr. Director of Threat Research at Agari Data, Inc. and former FBI cybercrime analyst, Linda Van Keuren, Assistant Dean for Resources & Access Management, Dahlgren Memorial Library at Georgetown University Medical Center, Joseph DeMarco, Partner, DeVore & DeMarco LLP, and Tim Lloyd, CEO of LibLynx. The Q&A roundtable was moderated by Rick Anderson, University Librarian at Brigham Young University.
Attended online by over 160 viewers, the summit drew registrants in 16 countries and represented 56 universities, 16 publishers, and 13 other businesses. As stakeholders in the scholarly ecosystem, they recognize IT security is imperative—especially during the pandemic, as news reports of hackers targeting universities in the US, Canada, and the UK abound. The corporate sector has also seen a rise in reports of security breaches concerning theft of COVID-19 vaccine research.
Addressing a wide range of topics in a complex field, the speakers gave a clear and succinct purview of security threats, as well as opportunities for collaboration in combating them. From the academic perspective Corey Roach and Linda Van Keuren outlined library patron security and why it’s important. As Crane Hassold dove into the global threat presented by Sci-Hub and other state-sponsored or individual bad actors, Joseph DeMarco delineated on interference in academia.
Publishers’ initial previous concerns had surrounded theft of data, the reduction of its value, and disruption of a publishing model. However, their deeper investigation into the dilemma has revealed knock-on and downstream effects at the university level with regard to security and personal privacy, and at the national security level with regard to public health and safety.
In addressing possible solutions, including technology tools and security practices, Tim Lloyd and Corey Roach acknowledged that we’re struggling to upgrade systems that were built a decade ago, when people were accessing content uniformly. Today, there are a multitude of ways that users can authenticate, especially for publishers who are selling to different channels. Both academia and government are facing these very real access and security issues. Everyone involved should recognize that investment is required to keep up, but it’s not always obvious from where it will come.
During the Q&A overseen by Rick Anderson, more key steps toward solving the problem of cyber threats were discussed in an open forum with audience participation. Here are three key takeaways:
Security Technology Has its Limits
Panelists agreed that Authentication and Federation identity management solutions help reduce risks, but they don’t eliminate it. Although there’s an entire industry sector focused on identity and access management, even the biggest tech companies still struggle with unauthorized access (e.g. the recent Twitter hack).
A key weakness the panelist brought up is that all these systems rely on credentials. And within the research community, people often look for ways to get around barriers like two-factor authentication. Many find it a waste of time, complain about it—and in the end, publishers drop it.
At many institutions, for example, it's not uncommon to see sticky notes with usernames and passwords in plain view and rampant credential swapping. The panelists noted, however, that even though many IT experts discourage writing down passwords on paper, doing so is not the biggest issue. It’s not very likely, for example, that an international hacker will come to your desk and steal your password. The primary threat is unknowingly going to a malicious website that steals your credentials.
Security Training is Helpful, but Uneven
To prevent staff from being tricked into going to malicious websites, some organizations provide periodic security training. In some cases, employers may even follow up with “tests,” where they send phishing emails to staff, attempting to dupe them into clicking on a potentially malicious link that could compromise their account passwords—or even the business as a whole. Strict security training and testing can be extremely helpful.
The problem is, while big global publishers may have the ability to fund information security departments, many smaller organizations do not. A big risk, according to one panelist, is that many smaller organizations’ systems are a generation behind—”and those are the loopholes that are harder to close.”
Community Response is Critical
The idea of building community emerged as an essential element for addressing the industry’s security challenges. But fostering the level of collaboration and coordination between various entities, many of whom might be competitors, is easier said than done. Yet, the panelists were hopeful. Pointing out that security is definitely a shared concern, they noted that even competitors would benefit from working together to build a better security infrastructure. Regardless of what side of the authentication transaction an organization is on, for example, security hacks hurt all sides.
The biggest barrier to community collaboration across the industry seems to be creating inertia. Many libraries, for instance, simply aren’t that motivated to invest in the security tools and technologies available. Resources are already stretched, and the connections between library breaches and bigger institutional losses isn’t always clear. As such, inspiring the level of community action required to solve these big security issues might come down to risk sharing and/or incentivizing between publishers and other organizations.
In his closing remarks, Steven Inchcoombe, Chief Publishing Officer, Springer Nature, urged participants to, “Interact with colleagues and peers….to share with them what you've learned and to have an open debate about behaviors and actions which could be improved.” In asking attendees to consider the common significant risks, Inchcoombe added, “Inform your own strategies, your plans and your actions on tackling the cyber threats, which ultimately are a threat to the whole research enterprise. We're all interconnected.”
In this blog post, we were not able to cover the full scope of topics presented in the summit. If you’d like to view the summit recording, you can access it here: Cybersecurity Landscape - Protecting the Scholarly Infrastructure.
Research Solutions is a founding member of SNSI and is dedicated to the cause of keeping safe the Version of Record (VoR) and finding novel ways of helping publishers disseminate copyright-compliant versions of their research output in order to accelerate and advance scientific breakthroughs.