How should we address cyber-security?

Susie Winter headshot

You could do worse than to follow the advice of an iconic 90’s rapper, writes Susie Winter

The Scholarly Networks Security Initiative (SNSI) brought together an expert panel at this year’s STM Spring Conference to discuss the threat cybercrime is posing to universities and research institutions, individuals, and the wider scholarly ecosystem; the conclusion of the discussion being neatly summed up by panellist Dan Ayala’s final words of advice: to stop, collaborate and listen. 

Often seen or portrayed as a publisher problem (perhaps because of Sci-Hub, the largest pirate website which uses, among other methods, stolen or shared library log on credentials to illegally harvest research articles and books), the panel, which consisted of a librarian, a publisher, a higher education chief information security officer and a network security provider, exposed how the threat posed by pirate websites goes far beyond that of facilitating illegal access to licenced e-content.

Don Hamparian, from OCLC, explained that when a libraries customers’ log-in details are stolen and shared, a lot more than licensed e-content can be accessed. Personal email accounts, personal financial information, university research, department budgets and confidential information about personnel all become accessible using these stolen credentials. Tips to mitigate this security risk and protect patrons included having (and enforcing) password policies, making security information and education readily available, having secure remote access options setup for staff and robust IT and vendor policies. 

The panel was equally clear that such wide-ranging threats make cybersecurity a matter of concern to many audiences across higher education, so it is only via collective action, with librarians, information security officers and publishers working together, that these threats can be effectively combatted.  

However, to do this, a number of challenges were identified. Daniel Ayala, a strategic information security and privacy consultant and former chief information security officer within higher education institutions, provided a useful overview of the challenges inherent to securing the research lifecycle. 

Areas identified included the on-going relationship building between IT, security, libraries, researchers, publishers; the tug between security and privacy requirements and ideologies; significant outside ‘interests’ in accessing and disrupting research, and the data that comes out of it; completeness and ease of use of illicit tools vs. approved tools, including those used for search and discovery. Dan was clear that as none of these challenges were in the hands of information security officers to be able to solve on their own, working in partnership had to be the way forward.   

This theme of collaborating to find solutions was brought to life in the presentation given by Juan Denzer, a librarian from Syracuse University.  When at Binghamton University Libraries, Juan worked on developing an EZproxy script to combat breaches from Sci-Hub users. This worked to provide librarians with a better, more supported workflow, helping them to identify breaches so publishers were not required to suspend content access – a benefit, Don explained, OCLC have now embedded in its latest version of EZproxy.  This new version positions librarians as security leaders and provides them with a plethora of new tools and dynamic workflow which will allow them to detect and disable compromised credentials in real-time. 

Working together to find solutions for what is clearly a collective problem goes to the heart of what the Scholarly Networks Security Initiative, SNSI, is seeking to do.  

Sari Frances from Elsevier also co-chairs SNSI’s University Relations Group, which brings together publishers, librarians and solution providers to raise awareness of the threat caused by sites such as Sci-Hub and promotes new ways of partnership working. Like Dan, Sari pointed to the recent City of London Police Intellectual Property Crime Unit (PIPCU) statement specifically warning universities of the threat from Sci-Hub.  

According to PIPCU, Sci-Hub obtains academic papers through a variety of malicious means, such as the use of phishing emails to trick university staff and students into divulging their login credentials. Given this threat, they went so far as to advise IT departments to block the website on their network in order to mitigate the security risk. A number of them, Manchester University and University College London included, have acted on this and issued such warnings.

With publishers and librarians having successfully worked together before, for example on Crossref and most recently GetFTR, SNSI believes that such collaboration could reap benefits here too. But to do that all need to work together to bridge what can be seen as a clash of priorities. According to the panellists, Information security officers worry about being left out of conversations. Librarians are hesitant to speak up in conversations about phishing emails, for example, as it is out of their core area of responsibility.  

How can this be addressed? Juan’s final advice was to encourage librarians to get involved in organisations such as SNSI with Sari echoing this call to publishers.  Dan urged institutions to go from ‘no’ to ‘know’ and help facilitate rather than block – in addition, of course, to ‘Stop. Collaborate. Listen’.

The Scholarly Networks Security Initiative (SNSI) brings together publishers and institutions to solve cyber-challenges threatening the integrity of the scientific record and scholarly systems. By working sustainably and effectively together we believe we can achieve our shared mission – the safety and security of personal data. Members include large and small publishers, learned societies and university presses and others involved in scholarly communications. Visit www.snsi.info for more information.

Susie Winter is director of communications and engagement at Springer Nature and co-chairs the SNSI communications working group 

Back to top