UEC Cybersecurity Survey
by George Stephans
In response to cyber security issues, BNL management held a lab-wide security stand-down on October 5, 2006. As input to the ongoing process of evaluating the cyber security situation, the RHIC Users Executive Committee surveyed BNL users a few weeks later to learn their opinions on this important topic. The results, summarized below, were presented and discussed in a series of meetings with lab management late in 2006. As a result of those meetings, adjustments were made in the continuing process of designing and implementing changes in cyber security requirements and procedures. In particular, lab management recognized the need to both better communicate with users about what was being done and why, and also to more actively solicit users’ input to the decisions. One significant result was ongoing meeting and cooperation between the UEC, ITD, and other BNL groups, for example in responding to the recent DOE TMRs (see CSAC story in this issue).
Perhaps the single most significant result of the survey was the overwhelming response, totaling 421 submissions containing 33 pages of comments. In the entire history of the UEC, only a survey on possible creation of a new coffee shop generated more interest. Apparently, caffeine and computers are both highly valued by BNL scientists and staff! The respondents consisted of 40% from RHIC, 30% from NSLS, and 30% from BNL employees.
Among the more positive responses were the importance attached to the question of cyber security in general, and the feeling that BNL was as secure or more secure than other national labs (86% gave this answer). In addition, awareness of the requirements was high with 93% and 90% saying they were somewhat or very aware of the rules for onsite and offsite computers, respectively. Directly relating to the stand-down itself, 75% found the associated all-hands meeting useful and 21% changed some aspect of their computing activities in response to the information presented. About 3/4- 4/5 of respondents felt that official communication specifically regarding the stand-down was timely and adequate, although more than half reported first hearing about the possibility through rumors and other informal channels.
The overall impression of the implementation of cyber security at that time was less positive, with more than half rating the requirements as intrusive and about 1/3 claiming to be less efficient at BNL than at other national labs. Among the comments, there were many strong impressions that the science mission was not adequately considered in the design and implementation of cyber security requirements. In particular, people did not perceive a clear distinction between requirements for computers in areas where high security was appropriate in contrast to other parts of the lab network. The function of individual computers was not seen as a consideration in imposing rules. For example, password-protected screensavers installed on experiment control computers could be potentially dangerous. Perhaps the most serious concern was the widespread impression that it was getting significantly harder to do science at BNL, but people did not feel that BNL was getting any more secure as a result of the new rules and restrictions. The general consensus was that the design, communication, and implementation of the necessary cyber security changes needed to be improved in order to avoid disrupting and/or discouraging the high quality scientific work being done at the lab. These opinions collected in the UEC survey illustrate the importance of the ongoing efforts to improve communication between BNL and ITD management and all BNL computer users. We expect that this work, involving the UEC and the CSAC among other forums, will continue to make a significant contribution to improving the research environment at BNL.