Helen Norris, EDUCAUSE board chairperson and Chapman University CIO, testified to a Senate committee about higher education cybersecurity challenges and what the federal government could do to help.
On May 18, Helen Norris, the chairperson of the EDUCAUSE Board of Directors and vice president and CIO at Chapman University, testified before the Senate Health, Education, Labor, and Pensions (HELP) committee as part of a panel discussion on cybersecurity issues in the health care and education sectors. The video recording of the hearing and Norris's written testimony are available on the HELP committee website.
The bipartisan committee leadership called the hearing to develop a better understanding of the cybersecurity environment in two of its major areas of jurisdiction. As the higher education representative on the panel, Norris explained to the senators in attendance, both through her direct testimony and her responses to questions, the complex cybersecurity landscape in which colleges and universities operate and how and where that complexity emerges. For example, she noted the incredible diversity of institutional types and resource challenges that characterize the U.S. higher education community. This line of discussion allowed Norris to contrast the difficulties that small, less-well-resourced institutions face in preparing for and responding to ransomware attacks with the problems that large research universities must address in terms of nation-state actors attempting to seize research data.
On another front, Norris highlighted the increasingly complicated data-management and enterprise-systems environments that institutions must maintain, including on-premises technology and cloud services. She discussed how the shift to fully online learning and services during the pandemic intensified these complexities by dramatically expanding the potential attack surface for bad actors to exploit in terms of locations and applications. Mix in the ever-evolving array and growing sophistication of techniques that hackers use to try to compromise institutional systems, and the senators could start to understand, Norris argued, the significant cybersecurity challenges that colleges and universities face.
Norris explained how this range of factors leads to substantial and growing costs for institutions, especially as the demand for cybersecurity expertise continues to far outstrip supply. However, she also noted the extent to which the increasing number and complexity of federal and state cybersecurity regulations adds to the costs that institutions must manage. These points allowed her to pivot to steps that the senators could take to better support higher education cybersecurity even as she stressed the degree to which colleges and universities collaborate through organizations such as EDUCAUSE, REN-ISAC, and Internet2 to help themselves.
Norris urged senators to consider expanding funding for the Federal Work-Study Program so that institutions could make more opportunities available for students to work in institutional cybersecurity. Creating more cybersecurity work opportunities for students would provide institutions with cost-effective ways to increase their staffing while also opening doors for students to potential cybersecurity careers, which would help address the nation's cybersecurity workforce shortage. She also encouraged the senators to engage directly with the IT and cybersecurity leaders at the higher education institutions in their state to develop a more concrete understanding of the regulatory complexity with which colleges and universities must grapple. The knowledge and perspective gained from such interactions would help the senators work with the higher education IT community nationally to identify opportunities for lessening existing burdens where possible while avoiding adding new, counterproductive ones.
Another important area for potential federal action that Norris cited concerns the emerging problems institutions face in the cyber incident insurance market. She explained to the senators that the increasing number and severity of cyber incidents have led to a rapid increase in insurance premiums, a significant expansion of the cybersecurity requirements that institutions must meet to qualify for insurance policies (and hopefully lessen their costs), and declining levels of coverage in the event that an institution experiences a cyber incident. With some institutions already priced out of the cyber insurance market, Norris noted that a continuation of current trends could conceivably impact higher education as a whole. Since colleges and universities are far from being alone in facing this problem, finding ways to make affordable, meaningful cyber incident insurance broadly available would be a challenge worth the Senate's time and attention.
The leadership of the HELP committee did not signal what the committee's plans might be for continuing to explore cybersecurity issues related to education and health care. Examples of current legislation discussed at the hearing concern the security of internet-connected health care devices, and a good part of the session focused on ransomware problems confronting health care providers and K-12 schools. That said, the role of higher education in cybersecurity workforce development was a significant topic of conversation, and Norris painted a clear picture of the unique cybersecurity landscape in higher education and where policymakers could have a positive impact on it through dialogue and collaboration with the higher education IT community. Her participation in the hearing should provide a solid foundation for future engagement with HELP members and staff on cybersecurity issues affecting colleges and universities and their stakeholders.
Jarret Cummings is Senior Advisor, Policy and Government Relations at EDUCAUSE.
© 2022 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.