The mandate of the CERN Computer Security Team is simple: to protect the reputation and operations of the Organization from cyber risks. But this simple sentence can quickly become complex: what is the risk? What risk must be controlled and what can be accepted? What are good and reasonable protective measures? What is appropriate? What is overdoing it? In particular, in the academic environment of CERN, the academic freedom of research, with CERN’s reputation as an open laboratory welcoming people from all around the world, an acceptable equilibrium needs to be found between “security” and the aforementioned academic freedom, as well as the operation of accelerators and experiments.
The right balance is highly important. CERN is not a bank with money to protect. CERN is definitely not a military site nor engaged in military research. Tilting the balance too much towards bank- or military-style computer security might block academic freedom and the creativity behind it, as well as rendering the operations of the accelerators and experiments much more difficult. The mindsets of our people are accustomed to openness, communication, creativity and freedom of thinking. Too much unreasonable security raises questions and suspicions, and leads to creative ideas as to how to bypass the measures implemented. Rules without enforcement are not taken seriously. On the other hand, being soft on computer security means that evil-doers can sabotage or bring to a halt CERN’s operations or negatively impact its reputation. The right balance is therefore key. The right balance must be able to mitigate real risks, not perceived ones, and not just be a sort of security theatre. And the right balance needs to be transparently communicated and opened to discussion. So here goes:
The “cyber risk” is proportional to the threat scenarios, the vulnerabilities and weaknesses inherent to computing systems, and the consequences of losing those systems and the data stored on them. Like any other organisation, institute or enterprise, CERN is permanently under threat. Our webpages are probed for vulnerabilities, attempts are made to crack passwords, users are approached to click on malicious links in order to get their laptops and PCs infected. The corresponding attackers stem from many different areas: script-kiddies trying out their skills to deface CERN webpages, cyber-criminals trying to extort money or blackmail individuals (https://home.cern/cern-people/updates/2018/03/computer-security-malware-ransomware-doxware-and), attackers interested in misusing our computing power or that of the Worldwide LHC Computing Grid, for example for crypto-currency mining (https://home.cern/cern-people/updates/2018/01/computer-security-computing-power-professionals-only), jealous insiders trying to sabotage the scientific work of others, potentially even nation states, as CERN is a melting pot of people from all over the world, so why not attack people while they are in an open environment (instead of in a cyber-locked down country)? The threats are therefore not negligible and are real (and all incidents of the past are well documented in our monthly report; https://cern.ch/security/reports/en/monthly_reports.shtml).
Secondly, as is the case for any other user of information technologies, CERN’s hardware and software stack is prone to vulnerabilities and weaknesses. This is an inherent problem of IT. More particular for CERN is the freedom to choose. Within the scope of their work, staff and users can use, test, develop and deploy any kind of application and technology they deem relevant – on the condition that they assume full responsibility for the related computer security. The CERN IT department provides the relevant software platforms for this: centrally managed software packages (https://home.cern/news/news/computing/computer-security-when-free-not-free), virtualisation platforms (“Openstack”), databases-on-demand, web application frameworks (“Drupal, “Twiki”, “Sharepoint”), but their usage is up to the full discretion of the end user. Similarly, the office network is open to accommodating any kind of (vulnerable) devices, through the so-called principle of bring-your-own-device (“BYOD”). Hence, the phase space of potentially vulnerable and weak devices, applications and webpages, etc. is immense.
Finally, there are many consequences. Reputational. Operational. Financial. And legal. Finding a naked teddy bear posted on one of our home pages will lead to negative publicity; malicious mass deletion of physics data or cyber-sabotage of experiments or accelerators can bring our research programmes to a complete halt (http://cds.cern.ch/journal/CERNBulletin/2013/08/News%20Articles/1514590?ln=en); theft of money (“CEO Fraud”) or confidential information has financial implications; and the abuse of computing power to attack external bodies can trigger legal actions against CERN.
In summary, CERN is under attack. CERN’s hardware and software is vulnerable. The consequences for CERN can be immense. The risk is not zero nor negligible. If you are a regular reader of our Bulletin articles (https://home.cern/tags/computer-security), this should not come as a surprise. The CERN Computer Security Team is committed to controlling and mitigating any risk where it is financially and technologically reasonable to do so and leads to an improvement (and avoids any security theatre). Certain risks have been acknowledged and accepted by the CERN Management not to be mitigated (as they are too intrusive to our academic nature or the benefits do not justify the costs). Implemented measures are well documented on the Computer Security Team’s home page (https://cern.ch/security) and in our Privacy Statement (https://cern.ch/security/home/en/privacy_statement.shtml), and are discussed at the IT users forum (http://information-technology.web.cern.ch/about/meeting/it-technical-users-meeting-itum), the CNIC meeting (https://indico.cern.ch/category/691/) or here in the CERN Bulletin (https://home.cern/tags/computer-security). Just recently, CERN’s computer security stance has been audited and was largely found to be sound, adapted to CERN’s academic environment, and well-balanced with our operational needs. But you might think differently, so were are interested in your feedback. Where are more cyber-security measures needed? Where are we doing too much, making it too restrictive? Where do you need help? Write to us via [email protected]
Link to Lueders’ commentary: https://home.cern/news/news/computing/computer-security-vs-academic-freedom