Even though Dalhousie University plans to hold many in-person classes next fall, the university’s future, like that of many post-secondary institutions, is looking undoubtedly more digital for years to come. But a digital realm doesn’t just open up new opportunities for Dal. It also exposes the university to a constantly evolving world of cyberthreats.
At a recent Dalhousie Student Union (DSU) council meeting on Jan. 28, 2021, councillors met with members of Dal’s Digital Strategy Steering Committee to discuss the university’s Digital Strategy Initiative, the digital portion of the university’s strategic plan.
When it came time for questions, councillors turned the consultation into a discussion about cybersecurity at Dal and the security of students’ personal data within Dalhousie systems.
“I hope that the university and specifically the committee that presented was able to understand that [cybersecurity] is an issue that students care about,” Aaron Sophocleous, faculty of management representative, said in an interview with the Dalhousie Gazette.
Increased cybersecurity at Dal
Aparna Mohan, one of the DSU’s board of governors representatives, began the conversation at the council meeting around data security by asking how the university plans to increase protections around students’ privacy as a part of the new plan.
Joshua Leon, Dal’s assistant vice-president of information technology (IT) services, said in the meeting that Dal currently has one privacy officer and will soon have another to meet the increasing workload.
“As more things are online there’s simpler access to data. It just creates more and more hoops to jump through,” Leon said in an interview with the Gazette. “Every [digital tool] that comes in, we have to evaluate it to make sure that it’s safe.”
While the privacy officer evaluates the legal ways different software companies may be attempting to access student or staff data, Leon said, the IT office’s cybersecurity officer ensures no one is attempting to access that data illegally. Dal is in the process of hiring another cybersecurity officer, Leon said.
The cybersecurity officers attempt to prepare the university for everything from small-scale email scams (known as phishing attempts) to international hacking.
“We do have accounts hacked every day through phishing,” Leon said. “Because Dalhousie does do a lot of research, there are countries that are doing significant espionage on Canadian universities to steal research data. So we spend a lot of time tracking that.”
In 2013, a cybertheft campaign backed by the Iranian government successfully accessed the data of 42 Canadian universities. Dal was not compromised by the attack, Leon said.
Who can access student information?
“Right now, I have no idea who has access to my data,” Mohan said at the meeting. She asked how students can gain some insight into its security.
In an interview with the Gazette, Mohan said, “I know that there is a policy somewhere that describes how our transcripts and our B00 [student] numbers and all of these different pieces of information are managed. But the average student doesn’t really know that.”
At the meeting, Leon acknowledged the university needs to better educate students on these policies, something he said the university will work on in the future.
“It’s really nice to be heard and have these contributions kind of validated within the moment. But as for follow-up and action afterwards, I haven’t seen that translation just yet,” Mohan said.
According to Leon, Dal maintains a simple principle when it comes to managing student data: “Nobody should see any data about an individual unless they have a reason to do so for their job,” Leon said in an interview with the Gazette.
Even though classes are online, the university limits faculty access to information to the level that would have existed in a pre-internet world, according to Leon. Faculty have access to a student’s name, photo and grade in the class, Leon said.
“[Faculty] used to just get a paper list with [student] names on it, now they get an electronic list with [student] names on it, but nothing more than that,” he said.
Access to student information does slightly increase with seniority, Leon said, as department heads have access to a student’s entire transcript.
According to Leon, student data is the responsibility of the registrar’s office. They hold the keys to information students can access through the Dal Online website, such as personal phone numbers and addresses.
“Within the Registrar’s [office] there’s a pretty small list of people that have access to individual student records,” Leon said.
At the council meeting, Susan Spence, Dal’s vice-provost of planning and analytics, expanded on Leon’s point. Spence said there is a Data Access Committee within the Registrar’s office that has a strict application process for those at Dal requesting data they don’t have access to.
“The only people that need the keys are those who need to walk through the doors,” Spence said at the meeting.
Increased digitization requires increased advocacy
Mohan said the DSU needs to maintain an active role in advocating for students’ safety throughout this process of digitizing Dal, to ensure students are not left behind. Mohan said this is already happening.
In December, when Dal first presented the Digital Strategy Steering Committee to the DSU, there were no students included in the committee, Mohan said.
When the DSU asked why no students were asked to join, they were told the committee believes students have too much on their plate to take part in these discussions, Mohan said. After efforts by the DSU, Jad Ghiz, vice-president (student life), was added to the committee.
“To not even know what it is that we don’t have enough time for is incredibly frustrating,” Mohan said. “As much as they’re doing several rounds of consultation, I think it shouldn’t be lost on us that they didn’t have a single student on there until the DSU asked for it.”
In an email to the Gazette, Lindsay Dowling-Savelle, a communications advisor at Dal, said the committee was made up of employees and “not intended to be representative of all stakeholder groups during the early stages.”
Dowling-Savelle said members of Dal’s Student Affairs Office who were on the committee provided input on student-centric concerns. At a Board of Governors meeting in November 2020, DSU President Maddie Stinson asked for a student representative to be added to the committee. After that meeting, Dal “immediately reached out to the DSU to ensure there was representation from the DSU on the committee,” Dowling-Savelle said.
Advocacy surrounding student safety online needs to come from Dalhousie as well, said Mohan.
“We keep talking about the university, and what Dal should do and all of these things as if we’re in a bubble, right?” she said. “And we’re not in a bubble. We’re so interconnected and integrated with the world.”
As the university becomes more reliant on technology developed by large companies focused mostly on turning profits, universities should use their cultural sway to advocate for the safety and security of student data within these programs, Mohan said. She raised this idea in the meeting. In response, Leon said the internet began on university campuses and didn’t become mainstream until someone realized they could make a profit off of it. So he supports putting it back in the hands of universities, he said.
In an interview with the Gazette, Leon said, “I don’t know if Dal is lobbying, per se. Certainly, people within Dalhousie have been active in encouraging governments to invest more in cybersecurity for students.”