
EDUCAUSE review online

Presidents and Campus Cybersecurity


© 2005 Joy R. Hughes and Jack Suess

EDUCAUSE Review, vol. 40, no. 6 (November/December 2005): 118–19.

Joy R. Hughes is CIO and Vice President, Information Technology, at George Mason University. Jack Suess is Vice President of Information Technology at the University of Maryland, Baltimore County. Comments on this article can be sent to the authors at jhughes@gmu.edu and jack@umbc.edu.

CIOs cringe when they hear about the latest security incident at some other college or university. They know that their colleagues at the other institution are being besieged by anxious students, parents, alumni, faculty, and staff—all of whom are angry that the institution has betrayed their trust by allowing access to private data. The CIOs know that the federal agencies that provide research dollars to the institution will be calling to find out if research data were at risk and may lose confidence in the institution’s ability to protect that data. They know that if the college or university is a state institution, there is bound to be a resolution (or two) introduced in the state legislature to allow greater control of the institution’s IT systems. They also know that the same security problem that led to the reputation-harming press coverage for the compromised institution exists on their own campuses. Even though their own campuses may not have suffered a major infiltration by a criminal or malicious hacker—yet—they know that the issue is not “if” but “when.” This knowledge keeps CIOs awake at night, planning strategies for convincing their campus administration that the threats are genuine, serious, and immediate and that much money, time, and culture change will be needed to prevent similar damage at their own institutions.

Most college and university presidents are confident that their major computer systems are secure. And indeed, most of the systems centrally managed are reasonably secure. However, the central staff needs both money and time to install and monitor an increasing array of expensive detection and protection systems in order to keep them that way. In addition, at most institutions, many of the servers, desktops, and laptops that store private data are not under the control of the campus CIO. The data on these machines often come directly from the central administrative systems.

The campus meal plan server, the housing server, the parking services server, the campus police server, and the international students office server are examples of servers that store confidential data, that are not usually managed by central IT, and that have been hit by hackers in highly publicized incidents. Often, the people administering these servers wear many hats and do not have the time or the expertise to keep the servers secure. The hardware may be old and the operating systems too outdated to be made secure.

Higher education institutions expend enormous effort and money to secure central systems, but then they allow departments and individuals to download data from these systems and store the data on insecure servers, desktops, and laptops. When one of these machines is hit, it does not help for the CIO to say: “That machine doesn’t come under my area of responsibility.” Such an excuse is not acceptable to the students or alumni whose data were violated. All they know is that the institution and its leadership failed to keep their data secure.

Presidents of colleges and universities are taking action in response to these threats. In an open letter to the campus community on April 4, 2005, Robert J. Birgeneau, the chancellor of the University of California–Berkeley, vowed that UC-Berkeley would do all that it could to safeguard personal data stored on campus computers. He wrote: “As Chancellor of the Berkeley campus, I was stunned to learn of the theft of a laptop computer in the Graduate Division, which contained personal information for approximately 98,000 current and former graduate students as well as persons who applied to our graduate programs. Our students, staff and alumni expect us to protect the information they have given us confidentially, and we have not maintained that trust. This incident revealed serious gaps in our management of this kind of data. The campus has been instituting new policies to address these issues for several months, and we will do much more. Accountability for this effort ultimately lies with me.” Birgeneau promised to “engage one of the nation’s leading data-security management firms to conduct an immediate external audit of how the campus handles all personal information. This firm will examine the security of the systems, the policies and practices regarding access and use of such information, and the policies for insuring that such data are gathered and/or retained only when imperative.” He also pledged to “move quickly to require the full encryption of all personal information stored on departmental computer systems.” He added: “We will also require all units on campus to review again personal data stored on departmental machines and to remove all unessential data.”1

Freeman A. Hrabowski III, the president of the University of Maryland–Baltimore County (UMBC), is passionate about auditing. A state audit in 2001 identified network security vulnerabilities. Hrabowski seized the opportunity presented by major campus construction projects to authorize a major redesign of the university network around security. In 2002 the network was redesigned to include such security features as firewalls, intrusion prevention, and virtual network segmentation. These changes provide real-time protection against intrusions and ensure that traffic is segmented so that machines that should not be accepting network connections from the outside are protected from doing so. In 2001 Hrabowski also authorized the funding for a new ERP system that eliminated the use of Social Security numbers as identifiers in payroll, and the university is now focused on eliminating Social Security numbers throughout the campus.

In November 2002 Alan Merten, the president of George Mason University, formed a Privacy and Security Compliance Team (PSCT), chaired by his chief of staff and composed of representatives from the major academic and administrative units. The PSCT developed a data-stewardship policy that holds unit heads accountable for securing confidential data. Merten also directed all unit heads to appoint a security liaison to work with the CIO on preventive measures. Like Hrabowski, Merten allocated resources to implement systems that enabled the university to stop using Social Security numbers as identifiers.

Presidents Hrabowski and Merten collaborated with their CIOs (the authors of this article) to produce a provocative video on the responsibility of college and university presidents to ensure cybersecurity. The moderator of the discussion is Frank Sesno, a former senior vice president and Washington, D.C., bureau chief for CNN, who is now a member of the faculty at George Mason and continues to produce specials for CNN. In the video, Frank challenges presidents and CIOs to articulate what they have done to fulfill the trust their constituencies have placed in them, why their actions matter, and what more can be done. (To view and/or download the video, see http://www.educause.edu/library/resources/cyber-security-campus-executive-awareness-video)2

In some states, laws and regulations have already been enacted that forbid the use of the Social Security number as a primary identifier, that require sensitive data to be encrypted, that call for certain network protections, and that set strict guidelines for when people must be notified about a security incursion. At the federal level, laws have been introduced, but not yet enacted, that would set much stricter and more expensive standards for customer notification in the event of an incident.

Institutional leadership, especially presidential leadership, is essential for campuses to navigate the changing legislative and regulatory landscape. In a time of flat or declining resources, college and university presidents must exert strong leadership to provide the additional funding, staffing, and changes needed to keep sensitive data secure.


1. “Chancellor’s Message on Personal Data Security,” http://idalert.berkeley.edu/chancellorletter.html.

2. Additional security resources for higher education are available at the EDUCAUSE/Internet2 Computer and Network Security Task Force Web site: http://www.educause.edu/security.


Joy R. Hughes

Dr. Hughes is the Vice President for Information Technology and the Chief Information Officer at George Mason University. She is also a professor in the Volgenau School of Engineering.

Her areas of responsibility include computing and network services, instructional technology, the university libraries, GMU-TV, and university-related wireless television companies, both for-profit and not-for-profit.

She is the executive sponsor of the Confucius Institute at Mason and represents the university on various global initiatives.

She is the Executive Director of 4-VA, a collaboration of Mason, James Madison, UVa, and VTech, organized by the university presidents to sponsor collaborative projects that will increase access to higher education, decrease costs, and increase research competitiveness.

Dr. Hughes was named by Computerworld as one of the U.S.'s top 100 CIOs and was named to Rider University's Science Hall of Fame.

George Mason's Technology Across the Curriculum program has won state and national awards for its transformative effects upon student learning. The Governor of Virginia gave a technology excellence award to Mason for its exemplary implementation of a new ERP system. The Capitol Connection, a wireless cable company in Dr. Hughes' unit, has returned over 7 million dollars in profit to the university.

Dr. Hughes formerly held CIO positions at Oregon State University and SUNY-Potsdam.


John J. Suess

Jack Suess is VP of Information Technology and CIO at the University of Maryland Baltimore County (UMBC). He spent the first 17 years leading the systems programming and network engineering group, was named director in 1997 and CIO in 2001. During his tenure at UMBC he has led projects that developed the campus network and system infrastructure on campus, identity management and single sign-on, and is presently focused on support for cyber infrastructure and the campus ERP implementation. He was principal investigator for UMBC’s vBNS award and served on a number of NSF panels. He is an active participant in the Internet2 middleware initiative, and was co-chair of the EDUCAUSE/Internet2 Security Task Force from 2003-2006. He presently chairs the REN-ISAC Executive Advisory Group, serves on the InCommon Steering Committee, and is a member of the Internet2 Applications, Middleware, and Services Council (AMSAC).

