Organisation - May 17, 2018

Data security guards: We must not be naive

Stijn van Gils

The ICT department has its hands full keeping data secure. Not only because there are hackers at large, and laptops get lost. The government too is imposing more stringent requirements on data security. ‘The question is not whether a sizeable data leak is going to occur, but when.’

text Stijn van Gils

Modest and inconspicious is an apt description of the building on the edge of the campus. This is where the WUR's gold bullion is kept: no fewer than 3,500 terabytes of data. Much of which is backed up on duplicate servers. To spread the risk there is also a second location in Wageningen. Just in case.

Housed in the datacentre is the entire genome of the banana and information about how a female great tit chooses her partner. There are figures on the leaching of nitrate on wheat plot 34.1 at experimental farm Vredepeel and the details of all kinds of secret microbiological discoveries that may have patent potential. And personal data too. Student grades. Sensitive information about patients who took part in a nutrition study. Or the personal photos of a student who uses his personal M-drive as a back-up.

The exact value of all this information and which information is the most sensitive? On that topic, no one is prepared to make any statements (see panel).

That Wageningen data attracts interest from illegal quarters is evident from the dozens of attacks repelled by the IT department of Facilities & Services (FB-IT) on a daily basis. ‘Some are very targeted,’ says Raoul Vernède, security officer at FB-IT. ‘As for others, they are more akin to someone checking whether you've locked your bike. If it's not locked, they'll take it.’

Just how successful attacks of this nature are, FB-IT is reluctant to say. Nor can the department say exactly where the attacks are coming from. Has WUR been hacked by Iranians who are supposed to have penetrated a Dutch university last year? Or by other countries? ‘I can't say,’ states Maarten Brouwer, head of the department.

The General Intelligence and Security Service (AIVD) writes in its annual report for 2017, however, that Russian officers have gathered intelligence, some of it in the field of science. The AIVD also observed China make targeted efforts to ‘gather information on economic and political topics’. In a recent report, SURF, the ICT umbrella organization for the Dutch universities, also named Iran as a country engaged in hacking. ‘In general I can say that we must not be naive,’ says Brouwer. ‘We too are under attack. A laptop containing sensitive data, for example, is something no one should consider taking to China.’

As well as espionage by governments, there are other threats. ‘Like anywhere else, we too have some students with malicious intentions. In the past we've had to deal with keyloggers, for example, physical devices connected to a lecturer's PC in order to find out passwords,’ says Brouwer. And consider the employee who stores personal data on an unencrypted USB stick that can easily get lost, or who walks away without locking their computer.
According to Brouwer the question is not whether a sizeable data leak is going to occur, but when. ‘Laptops are stolen here regularly. That is not only material damage, but also a potential data leak. So it makes sense to be well prepared.’

A new aspect of data security has been introduced with the stringent requirements of the General Data Protection Regulation, new privacy legislation that comes into force on 25 May. Personal data may now be collected only when essential. So collecting more research data than is strictly necessary is no longer an option. And which data are being stored must be known to the central administration. If someone turns up at WUR requesting his or her ‘dossier’, WUR has to be able to report within 72 hours which personal data have been collected on this person by any and all of the WUR's 5,000 employees. In addition, personal data must be deleted as soon as they are no longer needed, as a rule after only two years.

In order to keep data more secure, FB-IT is introducing various changes. For example, for some time now it has been standard practice to encrypt the hard drives of WUR laptops. Without a password, it is almost impossible to retrieve the data. The same principle will soon be applied to telephones. And an app is on the way, as a second factor in addition to a password. Employees and students who want to log in will need first to enter their password before confirming on the app that they really do want to log in. Anyone who accidentally enters their password on a fake site won't receive a confirmation on the app. But according to Brouwer, the safe management of data is not the responsibility of his department alone. Every employee must, he believes, be aware of the risks and must handle data with care. This awareness is growing, says Brouwer. Employees understand the risks better and understand the need for a measure like the app.

In the meantime, Brouwer must ensure his services do not become too expensive. Two years ago Resource discovered that some research groups were managing their own data, without the intervention of FB-IT. ‘IT does offer storage, but it is much to costly,’ explained professor Dick de Ridder of Bioinformatics at the time. It was subsequently decided centrally that the costs of data storage had to be subsidized internally. Every year FB-IT now receives 100,000 euros, enabling it to pass on less of the cost. These days De Ridder is so satisfied with the attitude of FB-IT and the new prices that his group's data archives will soon be moved to the central storage facility.

WUR's crown jewels

WUR has all kinds of valuable datasets. In view of this, some of the WUR's data have extra stringent security. But on which data these are, or which research groups tend to produce the sensitive data, ICT staff will not be drawn. Various sources reveal, however, that Wageningen Research has more ‘secret’ datasets than the university. Perhaps only logical given that Wageningen Research does more in the way of contract research and thus also manages more sensitive commercial information, for example.

Ultimately, more information must become freely available. ‘We make our valuable soil data, for example, freely available via open access channels,’ says Bert Jansen, science information officer at Wageningen Environmental Research. ‘After all, this information has been obtained with public money.’

According to Willem Jan Knibbe of the Wageningen Data Competence Center, which supports developments in the field of big data and data science, the value of any dataset is by definition subjective. ‘It depends entirely on what you want to do with it. Sometimes the precise value of a dataset is evident only with hindsight. Coupling a value to an individual dataset also implies that data that are freely available to everyone have no value. Actually, I don't think that's true. Freely available data may well be the most valuable. Nor do I think that data in and of themselves are WUR's most important asset. Rather our ability to understand and interpret data is where our capital lies.’