Universities on Alert for Troublemakers Online

September 3, 1997

As universities open for classes this month, they face an increasing threat from the Internet.

Students and hackers are breaking into academia's relatively open computer systems to steal files, operate criminal businesses, and infiltrate other networks.

The damage wrought by hackers, and legal liability, has university officials beefing up security and reconsidering the bounds of academic freedom. Anyone with online access can try picking just about any lock in cyberspace.

"It's a very serious problem for them," says Michael Overly, a partner and online specialist at the law firm Call, Clayton & Jensen in Newport Beach, Calif.

"Universities try to make their computer-use policies very lenient," he says. But the costs are harsh. Legal bills, theft of computer time, repairing hacker damage, it all costs colleges and universities millions of dollars each year.

At George Mason University in Virginia, for example, hackers last school year repeatedly broke into the engineering department's network. In their worst attack, they destroyed the files of several graduate students, representing weeks of work.

"From our machine, these people had access to the world," says Lloyd Griffiths, dean of the school of information technology and engineering. Police have arrested two former students.

It's not just technical whizzes wreaking havoc online. Even e-mail can deliver trouble. Last year at the University of California at Irvine, a student was arrested for sending anti-Asian hate mail to 60 students by using campus computers.

Often, the attacks don't come from students, but outsiders.

"People are constantly scanning the system on campus, trying to find systems that have holes," says Barbara Skoblick, information-technology security officer at Cornell University in Ithaca, N.Y.

Late in August, Ms. Skoblick found that an outside hacker had set up an account on a student's computer and was selling pirated software from the site.

And in a celebrated case last year, a young man in Argentina was indicted for removing confidential Pentagon files and breaking into computer systems operated by NASA and the Navy using Harvard University's computers as a front.

Serious attackers "do many hops before they get to where they're going," says Patrick Taylor, director of product marketing at Internet Security Systems, an Atlanta network security company. Universities can "become a link in the overall chain."

COLLEGES and universities are fighting back. Internet Security Systems, a three-year-old company, already counts 50 universities as clients. Many institutions have developed student codes of conduct for computer use.

Punishments include bans on Internet use for five University of Minnesota students and community service for a student at University of Puget Sound caught distributing pirated software this spring.

But tighter security runs counter to academic traditions of decentralization. A large university may have dozens of networks run by different faculty departments. For a security meeting at Cornell this summer, 50 administrators attended, and still some were not involved.

Such autonomy, not tolerated in the business world, is common on many campuses.

"It's comparing Fort Knox to a diverse neighborhood where a fair number of people don't lock their doors," Mr. Taylor says. "Odds are you're going to find a way in."

Many university officials believe they can secure their networks without crimping academic freedom.

"I think you can have a balance," says Dean Griffiths at George Mason. "This destruction of student files is unforgivable. [But] our educational process is becoming more and more computer-based. We can't really afford not to have them connected to the Internet."