Monday, February 1, 2016

NYT on Napolitano: No Interview, but Another Book 'Review' Thing


Academeblog now posts a letter from Napolitano to UC Faculty:

https://academeblog.org/2016/02/01/privacy-data-security-and-shared-governance-at-the-university-of-california/


The following letter (minus attachments) from UC President Napolitano was just released to faculty:
Dear Colleagues:
A group of faculty members at the Berkeley campus has articulated concerns regarding some of the security measures we adopted in the wake of the UCLA cyberattack last year. The concerns focus on two primary issues: whether systemwide cyber threat detection is necessary and whether it complies with the University’s Electronic Communications Policy (ECP); and why University administrators failed to publicly share information about our response to the cyberattack. The Berkeley faculty members have shared their concerns with colleagues at other campuses and with various media outlets. Unfortunately, many have been left with the impression that a secret initiative to snoop on faculty activities is underway. Nothing could be further from the truth.
I attach a letter from Executive Vice President and Chief Operating Officer Nava explaining the rationale for these security measures. As you know, leadership at all levels, including The Regents, Academic Senate leadership, and campus leadership, has been kept apprised of these matters, including through the establishment and convening of the Cyber Risk Governance Committee (CRGC). The CRGC comprises each campus’s Cyber Risk Responsible Executive (CRE), as well as a representative of the University’s faculty Senate, the General Counsel, and other individuals from this office with responsibility for systemwide cybersecurity initiatives. I encourage you to share Executive Vice President Nava’s letter with your faculty.
While we cannot share every detail of the actions we took in direct response to the UCLA incident (we are defending 17 class action lawsuits demanding millions of dollars of damages), or of the security measures we have instituted since that time (disclosure of details of our cybersecurity infrastructure and our readiness posture would only facilitate exploitation of identified vulnerabilities by those intent on attacking us), I have from the beginning directed my staff to make every effort to actively engage with all stakeholders and to minimize to the extent possible the amount of information that is not shared widely. I have also now asked that a website be created this week to further disseminate relevant information and developments.
In the meantime, I hope that you will convey to your local communities the following information:
  1. Institutions of higher education are a prime target of cyberattacks. We create, collect, store, and use valuable information about our research and discoveries, our employees’ personnel information, our students’ educational records, and more. These attacks pose a serious risk to individual privacy, to the valuable intellectual property we create, and to our financial position. It is our legal and our moral responsibility as stewards of the data we maintain to protect it. When, notwithstanding our best efforts, a security incident threatens that information, we are exposed to enormous legal, financial, and reputational risk. The UCLA incident alone will cost us many millions of dollars before it is fully resolved, millions of dollars that we will not be able to invest in our research, teaching, and service mission.
  2. At the system level and at every individual campus, we have subjected every proposal to enhance our ability to prevent and detect attacks to evaluation against industry standards and to analysis under the University’s Electronic Communications Policy, and we are absolutely committed to doing so going forward. Also attached is a document that describes how cyber threat detection generally, and our implementation of it both in the wake of the UCLA cyberattack and going forward, is entirely consistent with the letter and the spirit of the ECP.
  3. When we announced the UCLA cyberattack, we very publicly disclosed some of the measures we had taken in response, including engagement of a leading cybersecurity firm to actively monitor our network.
  4. Personal privacy and academic freedom are paramount in everything we do. But we cannot make good on our commitment to protect individual privacy without ensuring a sound cybersecurity infrastructure. While we have absolutely no interest in the content of any individual’s emails or browsing history, we must accept that active network monitoring is a critical element of a sound cybersecurity infrastructure and the interconnectedness of the University and all of its locations requires that such monitoring be coordinated centrally. Executive Vice President Nava’s attached letter and description of how cyber threat detection initiatives are implemented at the University set forth in more detail the kind of monitoring that might be performed and the extraordinary efforts the University makes to avoid any intrusive measures or, when those prove absolutely necessary, to minimize them.
  5. A Faculty Senate representative is and has since its inception been a member of the Cyber Risk Governance Committee. In addition, Senate members are among the industry leaders we have invited to participate on the CRGC’s expert Advisory Committee, and Executive Vice President Nava and Chief Information Officer Andriola are actively engaging with the Chair and Vice Chair of the Academic Senate, the Senate’s Academic Computing Committee, the Chair of the Berkeley Senate, and others.
I invite further robust discussion and debate on this topic at upcoming meetings of the CRGC and COC. In the meantime, please direct any questions to Executive Vice President Nava or to Chief Information Officer Andriola.
Yours very truly,
Janet Napolitano

President
ORIGINAL POST
See:
At Berkeley A New Digital Privacy Protest by Steve Lohr
http://www.nytimes.com/2016/02/02/technology/at-ucla-a-new-digital-privacy-protest.html

(And this, her latest book review there:
Janet Napolitano Reviews Peter Bergen's new book. Are book reviews considered key items on bio-bibs?)

One might want to note: she is a member of the UC Berkeley faculty through GSPP. Does that mean she has certain responsibilities there at Berkeley regarding disclosure to other UC Berkeley faculty on the new UCOP implementation discussed in the story at the top? Does she have any additional responsibilities to Cal and to fellow Berkeley faculty, rather than if she were just holding the position at UCOP? (Didn't Yudof, Dynes, etc. wait until after their UCOP presidency to become UC Berkeley faculty? If so, is there a particular reason for waiting to do so?)
____

University of California: campus monitoring concerns raised
New system that has ability to monitor emails and use of computer networks on campus raises eyebrows
https://www.timeshighereducation.com/news/university-california-campus-monitoring-concerns-raised
"As to the secrecy, Montiel added: 'We try our best to avoid broadcasting sensitive security and legal matters. It's good common sense, and we want to avoid giving a road map for potential attacks on our network. UC policies are very clear that network security is a basic feature. Now that steps are under way to expand network security efforts for a longer horizon, briefings were scheduled, including one planned at UC Berkeley for the middle of next week.'"

