Balancing Privacy and Security (FAQ)
Did UC secretly take steps to monitor network traffic across the UC system?
Following a recent cyber-attack, UC publicly announced that President Janet Napolitano had engaged an external cybersecurity group to assess UC's systemwide security posture and to inform a broader UC-wide cybersecurity plan. At the subsequent meeting of the UC Board of Regents, President Napolitano affirmed her priority to prevent, detect and mitigate such attacks.
UC has installed a threat detection system that is reading all emails going across the UC system; is this correct?
No, the threat detection system is not being used to read the contents of people’s emails. Use of this system did not require or cause changes to the way the university handles email or email security. UC has no interest in reading anyone's email. This system simply identifies “malware.” In addition, email is often encrypted in transit across our network, and this system does not decrypt email traffic.
UC appears to be overreacting to advanced persistent threats to cybersecurity.
UC is taking appropriate steps to prevent cyberattacks by advanced persistent threat actors. An advanced persistent threat actor, or APT, is generally an organized, highly skilled group or groups of attackers that orchestrate sustained, well-planned attacks on high-value targets. Institutions of higher education are increasingly targets of APT attacks because academic research networks hold valuable data and are generally more open. Cyberattacks are a serious risk to personal privacy. They present reputational and financial risks as well.
Privacy is being compromised in the interest of more robust data security.
The university’s Electronic Communications Policy permits routine analysis of network activity and network traffic. This policy is consistent with fair information practice principles and the university’s duties under laws and regulations that require the use of physical, technical, and administrative safeguards to secure sensitive information. Privacy is compromised when basic information security is absent. The university takes great care to ensure its practices reflect the balance of privacy and security required by the policy. University policy forbids the university from using data collected through network security analysis for non-security purposes, and violators are subject to discipline.
The UC Office of the President has acted unilaterally and without input from campuses on cybersecurity.
President Napolitano established the Cyber-Risk Governance Committee, with representation from across the system — including from the Academic Senate, campuses, Lawrence Berkeley National Laboratory, and Agriculture and Natural Resources locations — to oversee and guide systemwide strategies and plans related to cybersecurity. There is and has been ongoing faculty and campus consultation regarding steps taken to counter cyber threats to locations across the UC system.