Guest Speaker Presentation —

Ed Hudson, KU Chief Information Security Officer was the guest speaker. He made the following comments.

Background. He is new to KU and joined in January 2023. Previously, he was the Chief Information Security Officer for the California State University system, which has twenty-three campuses. He started at the Chico State campus after ten years in the private sector.

Ed is tasked with building, maturing, and setting the strategic direction for cyber security for KU. He stated there is a fair amount of work to do. IT did an extensive penetration test to build a baseline. Recently IT completed a security maturity assessment. This helps set the direction and how IT can best support teaching and research. There are two types of security cyber:  barrier and supporters. Ed leads with what is the problem you are trying to solve. He hopes that there will be regular opportunities to meet with Senates to discuss what IT is doing with technology, and security, and get feedback about challenges.

One of the things that is valuable is to attend academic senate meetings to get up to date. We are still building what the approach would be. He opened the discussion for Questions (Q) and Answers (A).

Q.  Kokobobo. I am interested to hear where you are with this user plan and what is the process and timeline for that. Another question, as a faculty member, it is a nightmare to think about getting hacked. What is their first stop? Or are there other individuals to get in touch with?

A.  My role is to safeguard the university environment. That includes intellectual property and research. As a research university, we are constantly under attack from the outside. We see this in various forms. The most prevalent out there right now is nation, state threat actors. They try to steal credentials to steal other research. At Cal State, 9 of 23 campuses had thirty faculty who had been phished. They were phished with the aim to get into repositories and steal research. If something happens during the workday, reach out to me, Ed Hudson. Jake Kauffman is Ed’s deputy. If after hours, reach after hours personnel.

Do we have data classification? Do we have appropriate policies? What Ed found is that we have good processes on campus in an ad hoc way. They are not managed or documented. Our policies are out of date. We will update the policies—including faculty review and governance. As we build these things out, we will have faculty input and review, and sign off. We have established a baseline of where we need to go.

Q.  Our IT training module, is that something you will update?

A.  The module is good. One of the things IT wants to expand is specialized awareness training to different groups of people, Medical and credit cards. The training is good, but that is not where the education stops. How do we do other awareness efforts? Examples are posters, signage, and contests. We need to raise awareness of FERPA.

Q.  Chappell. About FERPA. I do research with people who provide information that needs to be confidential. There are more rigorous disclaimers as an employee. As employees using machines, we must assume we are subject to observation. I am being more challenged to guarantee that information is secure. How should we think about that?

A.  One leg of a three-legged stool is confidentiality. The data should have integrity, not altered in any way. Availability, you, and researcher can get to it when you need it. When we say data is confidential, we put controls in place to alert us when someone accesses the data who is not supposed to. IT is looking at network traffic, not the content. Ed suggested faculty to reach out to him and talk about their specific challenges so they can use technology and feel secure.

Q Ani. How do you balance freedom of information (intellectual freedom) and managing risks.

A It is a balancing act, as an RO1. He gave an example from his past work of someone who had confidential research information on laptop that was unsecured. We found the transfer technology was not friendly and they were emailing the date. Tests run to see what is on devices can only be done by Security Office. In past example, he said access was limited. They sent a prior notice we were doing this.

Q.  Blumenstiel. We discussed AI recently and I was wondering about phishing and AI.

A.  When media attention about ChatGPT and it was interesting to see the reactions at different institutions. You could see the reaction correlate to political environment. There is a place for AI. I am interested in research around it. I read that ChatGPT cannot do metaphors. It is the future. I saw a presentation by first CIO of White House. She said her concern was the rise of AI, especially as it comes to Chatbots. These AIs can talk to each other and elevate another AI’s access without any gatekeeping. That will be one of our challenges to build monitors and controls, so it is used for good.

Comment, Blumenstiel. It is going to be a big challenge, but especially phishing attacks and email conversation with AI bots. There is synthetic voice.

A.  We have seen the deep fakes out there. What you see with machine imitation, it is constant. This is differentiation from the normal traffic. They will get better at it, and we will have to get better at it.

Q.  We have been talking about ChatGPT and academic misconduct. Because this is all so new, we are handing this over to one of our committees. What are preventive measures around ransomware?

A. We look to raise awareness for phishing and malware.

Ed Hudson encouraged all to reach out to him

University Senate Report

Ani reported the following. One thing that is new is an invitation to the final COACHE forum. It will be around specific areas:  compensation, nature of work, leadership, and governance, working conditions, recognition, and family policies. We will present those recommendations. It will be at the Welcome Center, Adams Alumni Center. Ani said she hope all can join the forum.