UNC faculty member held responsible for security breach

I don’t know any details beyond what’s published here but it seems to me that the prof probably has a point about being scapegoated. It’s unlikely that she personally set up all the computer systems involved in her research project – at least, I hope she didn’t, she got paid too much to fiddle with that. Judging from intimate experience with working with faculty, I find it equally likely that she just wasn’t told about issues, or that she was and overrode staff protests.

If she wasn’t told, then shame on the staff, particularly if she’s correct and “everybody knew but me.” (I would hope, though, that if “everybody” included other faculty members, they tried to impress the scope of potential issues on her; often faculty who won’t listen to staff will listen to other faculty.) If she was told but overrode the concerns, then I don’t think the discipline was enough – she should be fired. If she wasn’t told, she shouldn’t be disciplined; the people who didn’t tell her should be dismissed.

However it actually happened, it feels like something is missing from that story: detail about the interaction between her, her group of researchers, and the support staff involved. That detail is what would allow the informed reader to judge whether or not the discipline she received was fair.

3 Responses to “UNC faculty member held responsible for security breach”

  1. Daniel Allen says:

    Thanks for this. Chilling. http://chronicle.com/article/UNC-Chapel-Hill-Researcher/124821/ has more detail. Looks like IT staff at the university didn’t do their part. And a perfect argument for why your (and tmT’s) positions should exist.

    “Science and Cybersecurity

    Chancellor Thorp said on Tuesday that Ms. Yankaskas did not attend a 2006 meeting about security issues and that, as the mammography study’s principal investigator, or PI, she should be held accountable for the breach.

    “The PI is responsible for the security of data in studies like this,” he said.

    Her lawyer, Raymond D. Cotton, counters that scientists can’t be expected to be cybersecurity experts.

    “We have communications from the chancellor’s office and the medical-center technology office all noting potential and actual problems with the security of the computers, but no one notified her,” he said. “If they had done so, she would have fixed the problem in 2006.”
    [...]
    The provost also accused her of assigning server-security duties to an inexperienced staff member, who failed to install important patches and upgrades, and of not providing the staff member with the training needed. Ms. Yankaskas countered that the staff member, who has since left, had worked for the university’s technology office and that the employee never submitted a formal request for additional training.

    “I had an employee who I trusted who told me things were OK,” she added. “I would have no way to get on the computer and tell if it was secure. Unless I assumed my employee was lying to me, I don’t know what I could have done.”
    [...]
    Ms. Yankaskas appealed her firing to a faculty-hearings committee, which found in June that the problems resulted from systemwide security flaws, and not the actions of an individual researcher.

    It said the case “revealed a weakness in the linkage between campus-security professionals who understand and monitor computer networks and the computer researchers who acquire and use confidential data.”

  2. dan says:

    You know, it’s even a little more complicated than, “if she was told, she should be fired.” If she was told how serious it was, by someone who could actually communicate this to her, then, she should be fired. “You know, there are some security flaws in the current version of Snogrosim that we’re using, but we don’t have time to do the upgrade, so which do you want me to do, X or Y?” is not an uncommon communication, and even then, I would argue that it’s still the staff member’s error: part of what I pay them for is for the judgment to tell me when I’m supposed to care about something like this.

    Versus, “there’s a very serious security upgrade we must install; I realize you can’t afford to take the computers down for a day, but I can’t afford not to”. Part of professionalizing IT staff is, well, treating them like professionals in all senses of the phrase.

  3. MikeP says:

    Yes, there’s a ton of the story missing. I found a bit more of it, which I’ll fill in later, but really, there’s a whole pile of fail here. The problem is if you disperse responsibility, nobody gets held accountable (that’s why we like committees and groups so much!) but you still get breaches.
