The University of Hawaii says it needs $1.9 million to tighten its Web security and lessen the chance of future data breaches of individual privacy.
In addition, the 10-campus system would need about $764,000 a year to maintain and operate the upgraded system, said David Lassner, the university’s vice president for information technology.
"Information technology at UH is highly decentralized," Lassner said yesterday at a state Senate informational hearing at the Capitol, "because as an academic institution, we have lots of people generating information, disseminating it, and over 600 Web servers throughout the UH system."
The hearing was held in response to three data breaches in the UH system last year. A report by national watchdog group Liberty Coalition said UH was responsible for 54 percent of all data breaches in Hawaii since 2005, compromising 259,000 records.
The latest breach occurred on the West Oahu campus. The Liberty Coalition said in November that a now-retired faculty member had uploaded information to a server he thought was private.
Since then UH has scanned its 600 Web servers for any personal information. Lassner said only one instance was found: a Social Security number on an online comment board, which has since been deleted.
Lassner said any overhaul of information security must involve the 10 campuses. There are a number of legacy database systems scattered throughout the system that still contain Social Security numbers, he said.
The money is needed to pay for five Web security staff as well as purchasing software that will help with data loss and malware (malicious software) prevention and ongoing scanning of servers.
Sen. Jill Tokuda, chairwoman of the Senate Education Committee, asked whether the university could find cost savings within the estimated $20 million it spends every year on information technology.
"We are actually already more centralized than most institutions," Lassner said. "It’s plausible we can achieve other savings with greater centralization, but we haven’t identified a specific source of new cash outlays to free up that amount of cash."
Lassner said a national adviser on higher-education information security visited the campuses recently and told UH officials that security was being underinvested.
Gordon Bruce, the city’s information director, said the city receives about 190,000 attacks on its information system each day. This includes malware, adware and hostile networking attacks.
Tokuda and other senators looked for help to the recently created Cabinet-level position of chief information officer for the state. The job requirements are still being fleshed out, but Tokuda said that director can spearhead a statewide effort to improve information security.
David Maeshiro, chief information officer for the state Judiciary, said his biggest challenge is impressing to employees the importance of information security.
"You’re dealing with people’s behaviors, and the education piece is one of the most important things that must happen, to sensitize people that they are responsible for someone else’s credit," Maeshiro said.