Letter from President Napolitano to UC Chancellors
Feb. 1, 2016
A group of faculty members at the Berkeley campus has articulated concerns regarding some of the security measures we adopted in the wake of the UCLA cyberattack last year. The concerns focus on two primary issues: whether systemwide cyber threat detection is necessary and whether it complies with the University’s Electronic Communications Policy (ECP); and why University administrators failed to publicly share information about our response to the cyberattack. The Berkeley faculty members have shared their concerns with colleagues at other campuses and with various media outlets. Unfortunately, many have been left with the impression that a secret initiative to snoop on faculty activities is underway. Nothing could be further from the truth.
I attach a letter from Executive Vice President and Chief Operating Officer Nava explaining the rationale for these security measures. As you know, leadership at all levels, including The Regents, Academic Senate leadership, and campus leadership, has been kept apprised of these matters, including through the establishment and convening of the Cyber Risk Governance Committee (CRGC). The CRGC comprises each campus’s Cyber Risk Responsible Executive (CRE), as well as a representative of the University’s faculty Senate, the General Counsel, and other individuals from this office with responsibility for systemwide cybersecurity initiatives. I encourage you to share Executive Vice President Nava’s letter with your faculty.
While we cannot share every detail of the actions we took in direct response to the UCLA incident (we are defending 17 class action lawsuits demanding millions of dollars of damages), or of the security measures we have instituted since that time (disclosure of details of our cybersecurity infrastructure and our readiness posture would only facilitate exploitation of identified vulnerabilities by those intent on attacking us), I have from the beginning directed my staff to make every effort to actively engage with all stakeholders and to minimize to the extent possible the amount of information that is not shared widely. I have also now asked that a website be created this week to further disseminate relevant information and developments.
In the meantime, I hope that you will convey to your local communities the following information:
- Institutions of higher education are a prime target of cyberattacks. We create, collect, store, and use valuable information about our research and discoveries, our employees’ personnel information, our students’ educational records, and more. These attacks pose a serious risk to individual privacy, to the valuable intellectual property we create, and to our financial position. It is our legal and our moral responsibility as stewards of the data we maintain to protect it. When, notwithstanding our best efforts, a security incident threatens that information, we are exposed to enormous legal, financial, and reputational risk. The UCLA incident alone will cost us many millions of dollars before it is fully resolved, millions of dollars that we will not be able to invest in our research, teaching, and service mission.
- At the system level and at every individual campus, we have subjected every proposal to enhance our ability to prevent and detect attacks to evaluation against industry standards and to analysis under the University’s Electronic Communications Policy, and we are absolutely committed to doing so going forward. Also attached is a document (pdf) that describes how cyber threat detection generally, and our implementation of it both in the wake of the UCLA cyberattack and going forward, is entirely consistent with the letter and the spirit of the ECP.
- When we announced the UCLA cyberattack, we very publicly disclosed some of the measures we had taken in response, including engagement of a leading cybersecurity firm to actively monitor our network.
- Personal privacy and academic freedom are paramount in everything we do. But we cannot make good on our commitment to protect individual privacy without ensuring a sound cybersecurity infrastructure. While we have absolutely no interest in the content of any individual’s emails or browsing history, we must accept that active network monitoring is a critical element of a sound cybersecurity infrastructure and the interconnectedness of the University and all of its locations requires that such monitoring be coordinated centrally. Executive Vice President Nava’s attached letter and description of how cyber threat detection initiatives are implemented at the University set forth in more detail the kind of monitoring that might be performed and the extraordinary efforts the University makes to avoid any intrusive measures or, when those prove absolutely necessary, to minimize them.
- A Faculty Senate representative is and has since its inception been a member of the Cyber Risk Governance Committee. In addition, Senate members are among the industry leaders we have invited to participate on the CRGC’s expert Advisory Committee, and Executive Vice President Nava and Chief Information Officer Andriola are actively engaging with the Chair and Vice Chair of the Academic Senate, the Senate’s Academic Computing Committee, the Chair of the Berkeley Senate, and others.
I invite further robust discussion and debate on this topic at upcoming meetings of the CRGC and COC. In the meantime, please direct any questions to Executive Vice President Nava or to Chief Information Officer Andriola.
Yours very truly,