Cornell faces its share of computer attacks

Although FBI experts say Cornell is doing a better job than most universities at cybersecurity, it’s still a jungle out there, and academia has become an increasingly popular hunting ground for digital predators. Cornell is responding with technical and educational defenses.

The New York Times recently reported that U.S. universities see “millions of attacks weekly,” and Cornell is no exception, with some 50,000 attacks per day across campus, said Wyman Miles, director of IT security for Cornell Information Technologies (CIT). “Many of the attacks are sourced from Chinese IP ranges, but realistically, they come from all over,” he added.

Just as foreign governments have hacked into government and industrial systems to steal technical information, universities are now targets, and not just for military and industrial technology. “The goals for most national actors are economic and not simply defense,” Miles said. “Everything from how contracts are awarded to how legislation is written in an emerging nation to high-energy physics has some value. We knew phishing was occasionally state-sponsored and targeted, and we have been providing guidance to traveling university executives for many years. What we didn’t understand is the magnitude and frequency – both are much, much higher than we thought.”

The university budgets about $1.5 million annually for cybersecurity, and there are related legal costs and demands on IT staff time all across the campus, but that’s still not enough, Miles said. “Historically we have underemphasized technical safeguards,” he said. “Higher ed is just opening its eyes that there are certain problems that can’t be mitigated by any other approach. The technology is becoming much more flexible and less invasive, and we are learning to deploy technical measures in ways that mesh well with the higher-ed environment.”

“Phishing” – deceptive e-mail messages that trick recipients into giving away their passwords or installing malware – is the most common problem and is becoming more sophisticated. No more broken English. You might receive a well-crafted request that seems to come from a person of authority in your department, based on information from the department Web page. If you open the attachment or click on the link, the malware it installs may be individually crafted to fit your department’s systems, with a one-of-a-kind design that your anti-virus program will not recognize. You can see examples of phishing messages on CIT’s Phishbowl site, and CIT is rolling out a series of brief training videos to help users avoid clicking in the wrong places. Miles hopes that spending three or four minutes with YouTube will be more attractive than “listening to a security guy lecture you.”

Cornellians traveling abroad may be at risk if they use their laptops, tablets or phones on foreign networks. Countries that keep a tight control on their infrastructure may use their power to compromise a visitor’s computer. In some parts of Asia, Africa or the Middle East, connecting to the hotel’s Wi-Fi might result in downloading malware that could spread into a Cornell network when you later log in at your office. CIT offers detailed guidelines for travelers. The essence: “Take a computer, but leave your data at home.”

“In many parts of the world a visitor is confronted with two and only two options: Don’t use an electronic device or have one compromised,” Miles said. “If you need to travel and compute, you have to do it with something expendable and consider your every interaction with university systems and data very carefully.” Some departments, he noted, provide loaners that can be wiped on return.

FBI cybersecurity specialists Miles has consulted say that when they discover a new security issue, Cornell, more than other universities, tends to have already identified the problem and taken action. But a chain is only as strong as its weakest link, and “The weakest link in any security system is the person using it,” Miles said.
