It's Academic

Hello Everyone!

Just a reminder, there are still spots available!

The College & Research Division of the Pennsylvania Library Association is pleased to invite you to register for “Engaging with the ACRL Framework.”

https://www.palibraries.org/event/2021CRD_ACRLWS

As a virtual event, it will take place over three (3) half-days which will allow time in between for the required asynchronous activities.  With this workshop being offered virtually, and grant support, the registration fee for this is an incredibly low $30 for members and $45 for non-members for nine (9) hours of continuing education!

Act quickly! The workshop is limited to only 60 participants, and we know the topic is of high interest!

Thank you.

On May 20, 2021, ACRL presented the webinar “Gone Phishing: Service Continuity after a Cyber Attack,” which was sponsored by the Scholarly Networks Security Initiative (SNSI). Addressing the increasingly commonplace threat of cyber attacks on higher education institutions, this webinar discussed how many academic libraries are not prepared to handle cyber attacks, whether large-scale or small-scale, the impact such attacks have on operations, and the lasting repercussions on both people and services. Three librarians discussed an initial incident of a cyber attack at their institution, the impact it had on their library (and elsewhere), the lessons learned while recovering from such an attack, the emotional toll inflicted upon the library and its community, and the long-term changes and repercussions once recovery had been obtained.

DID YOU KNOW? The National Cyber Security Center in the United Kingdom places the education sector as the third largest target for cyber attacks – ahead of retail! This is due to the fact that most universities routinely store a tremendous amount of personal data.

The panel of librarians were Erin McCaffrey, Dean of the Library and Director of the Center for Student Success at Regis University; Kristina Vela Bisbee, Journalism and Government Information Librarian at Columbia University; and Romel Espinel, Web Services and Instruction Librarian at Stevens Institute of Technology. Melissa DeWitt, Research and Instruction Librarian with Regis University, served as the moderator. The archived webcast recording is available at: https://www.youtube.com/watch?v=krKOwhZmqYI.

First up in describing a cyber attack experience was Erin McCaffrey. In the early hours of August 22, 2019, Regis University was struck by a cyber attack. All of the technology systems were brought down as precautionary measures, which included telephones, emails, websites, all online programs, and university-owned computer hardware, of which the employees were not able to use for quite some time. There is never a “good” time for a cyber attack, but this one occurred at a particularly busy time for the university, as summer courses were coming to an end, and it also coincided with residential students moving onto campus in preparation for the fall terms. As a result of this attack, summer courses were extended by a week. Residential students started their new semester on August 26^th as planned. The university’s residential Wi-Fi network was restored a few days later, causing online and accelerated term courses to be delayed by about a week. On September 1^st, the university’s online learning management system was restored, allowing for those online and accelerated term courses to start on September 3^rd.  Regis University also quickly established an alternative website which was used to communicate information to the university community. At the time of the cyber attack, McCaffrey reports, the university had approximately 100 applications or services that were in regular use, with almost 200 services being supported in the library’s data center. All of these were brought down by the cyber attack. Five months later, it was learned that it was a ransomware attack, and the university paid the hackers. There is no evidence that the library’s data was compromised in the attack. Federal and third-party investigators were unable to determine the root cause of the attack, although it did originate from outside the United States. McCaffrey stated that their back-ups were attacked first. Regis University’s institutional continuity plans that were already in place were based on having those back-ups. Since those were compromised in the attack, it resulted in the university’s IT department making the decision to rebuild and update systems. As a result, the road to recovery for Regis University was a long one.

Romel Espinel spoke next of his cyber attack experience. Like McCaffrey’s, the cyber attack occurred in the month of August, but happened a year prior, in 2018. Seventy-five campus members received a ransom message upon logging into the Stevens Institute of Technology’s network. As a result, IT shut everything down, and classes were about to start in three weeks. No printing, scanning, or accessing the institute’s computers could be done. Employees had to work off of their smart phones and use their own data plans and Wi-Fi. Each of the institute’s computers had to be taken offline, cleared, and scanned for viruses. What was really a challenge, says Espinel, was not having computers or Wi-Fi to use on campus, so it was certainly taxing to find things to do during this time, such as making signs. He compared it to a blackout in that it took time, slowly, for operations to resume. The institute was able to get back online with its Wi-Fi in time for the start of the fall semester, but the lasting effects of the cyber attack continued to linger right up until the COVID-19 pandemic hit in March of 2020. Espinel joked that it was like jumping from one crisis to the next!

Lastly, Kristina Vela Bisbee relayed her cyber attack experience, which was really a unique experience. In May of 2019, hackers tried to access and alter military intelligence that was provided to Columbia University by the libraries. This was done by impersonating a Columbia student, and by using the library’s various channels for research support to gain access. The very channels which the library relied upon to make itself accessible to its users, such as virtual reference and email reference web forms, was what made it vulnerable to this cyber attack. The database which was compromised – which Vela Bisbee would not disclose – was prominently featured in the library guides and its publicly indexed website. She hinted that it was not your typical library vendor. It is an industry database which is very resourceful for expert faculty in international affairs and political science, but it would not prove to be very useful for your typical undergraduate student who is thinking of majoring in political science.

Someone claiming to be a Columbia University student was trying to access this particular database by contacting the vendor directly for assistance. In an email copied between Vela Bisbee, the vendor, and the “student,” Vela Bisbee learned that she was the primary contact for relations between this database in the university. In a separate email thread between just herself and the vendor, the vendor alerted Vela Bisbee that it believed that the hacker was spoofing the university’s IP address. At first, the hackers emailed Vela Bisbee directly. As she ignored their requests, the hackers began to email other librarians at Columbia University and drop her name to give leverage to the requests that they were making. Some of the requests Vela Bisbee was getting were for high resolution images of aircraft carriers or maps of military bases. In several instances, there were requests for the library to actually reach out to the vendor to change or alter information in this database, such as technical specifications for drones and surveillance devices being used in the Middle East. Despite this database not being used primarily for academics, Vela Bisbee says, “This resource was really a feather in the library’s hat. This was our way of showing that we are legitimate to our users. And it was also something that we had been using for a very long time without any issues, so this was something that kind of blindsided us.”

Over the course of two weeks, the library had about twenty different referrals from the same user through a variety of channels. The hackers were emailing individual librarians and librarians at different locations on campus and filling out online reference help forms. Most chilling to Vela Bisbee was the hackers’ usage of the library’s chat reference: “They were speaking to a librarian in real time and troubleshooting access. Because our library system is so decentralized, some of these attempts came pretty close to a security breach, especially when the hacker was speaking with students or staff who don’t normally work with patrons in this area and therefore may not have recognized the threat.” It was an abbreviated and intense amount of time in which the hackers were testing all the library’s defenses. It was also not just one student being impersonated; it was multiple, currently-affiliated students whom the hackers were impersonating. The cyber attack resulted in Columbia University canceling its subscription to that database. Vela Bisbee even contacted the FBI about this but has not heard back from them.

The emotional impacts of the cyber attacks were also widely felt throughout the libraries and their campuses. Vela Bisbee recalled feeling awe, embarrassment, and frustration at the ideal that her name was being evoked in the hackers’ correspondence and afterwards; she felt responsible. McCaffrey felt dismayed at not being able to serve the students the way the university should. Like Espinel, McCaffrey and her co-workers had to use their personal devices for a while, in which case some reached the limits on their personal data plans. Eventually, Chromebooks were purchased for the library; McCaffrey made sure that every department had access to these once wireless access had been restored on campus but before the employees all had their university computers returned. Espinel spoke of the four stages of emotional impact after a campus-wide cyber attack. The first stage is shock: shock that an attack of this nature can shut down normal, everyday, mundane operations such as calling a co-worker on their office telephone. Everything comes to a halt, and you can overlook that a cyber attack not only has huge repercussions, but smaller nuances as well. The second stage is uncertainty. When will things get back to normal? How are the powers that be resolving this issue? How can we be better protected from a cyber attack? When are we going to get our systems back and operational so we can provide services for the students to ensure their success? Frustration, and sometimes even anger, is the third stage. Why has this not been resolved? Were there emergency plans in place beforehand in case of an attack? Lastly, the fourth stage is continued uncertainty. It resonates for a very long time. Espinel said that it makes you think of how we can be ready for the next attack should it happen.

Is there a silver lining to this experience? Absolutely. Who could have predicted that just over the horizon, a pandemic was brewing that would disrupt basic day-to-day services globally and completely turn the academic world upside-down? The actions taken to effectively combat a campus-wide cyber attack, such as creating a communication chain (something as simple as having each other’s personal telephone numbers) and establishing electronic back-ups, can only have better prepared these institutions for handling the COVID-19 crisis.

The latest issue of Pennsylvania Libraries: Research & Practice is now available at palrap.org 

Articles include:

• In the PaLRaP Spotlight: Michael Lear
• Collecting Pennsylvania Political Twitter Data
• Feedback Loops: Algorithmic Authority, Emergent Biases, and Implications for Information Literacy
• Affording Access: Pathways to Reducing Textbook Costs
• Reducing Barriers to Access in Archival and Special Collections Public Services
• Negotiating Open Access Journal Agreements: An Academic Library Case Study
• Noteworthy: News Briefs from PA Libraries

Bryan McGeary & Danielle Skaggs, Co-Editors

The College & Research Division of the Pennsylvania Library Association is pleased to invite you to register for “Engaging with the ACRL Framework.” Find more information about the event here: https://www.palibraries.org/event/2021CRD_ACRLWS

As a virtual event, it will take place over three (3) half-days which will allow time in between for the required asynchronous activities. With this workshop being offered virtually, and grant support, the registration fee for this is an incredibly low $30 for members and $45 for non-members for nine (9) hours of continuing education!

Act quickly! The workshop is limited to only 60 participants, and we know the topic is of high interest!

If you have any questions about this virtual workshop, please contact CRD Chair, Bryan McGeary, at bjm6168@psu.edu.

Some academic librarians are on 10-month contracts, which is fabulous and, I hope, restorative!

For the rest of us, summer is often “project season,” as the pace of academic life slows and we finally get a chance to catch our breath. At least that’s the theory! (Summers used to feel slow and long, but I’ve noticed the pace of May-July shifting. I have meetings scheduled every day this week, which would have been unheard of in June even five years ago.)

One of the biggest summer projects which we undertake at my library is our “information fluency assessment project.” (We use the term “fluency” because we believe it denotes a higher level of ease and facility than “literacy” does.) With this project, we attempt to rate the level of information fluency skills demonstrated by our first-year students and by students who have received several years of a Seton Hill education.

This project was approved by the university’s IRB and begun in 2017, and we have continued it every summer since then. A librarian contacts all instructors of the first-year writing course and asks them to send us their students’ final research papers. We also contact the instructors of all 300- and 400-level courses which seem likely to contain a significant research component, and we ask them to send us their students’ biggest research projects. 

Our circulation assistant anonymizes the papers, redacts any potentially identifying information, and pulls a random sample of 60 papers from the first-year writing courses. She then does the same for papers collected from the upper-division courses. She keeps a coded record of which papers came from which course and which academic school, but this information is not shared with the librarians until after all of the papers are read and scored. 

The sample papers are divided into three batches, and each of the three librarians is assigned to read and rate the papers in two of these three groups (each batch contains a mix of first-year and upper-level papers, with no indication which is which). We developed a rubric which assesses resource pertinence; source integration; source validity; source currency; use of primary sources; the engagement with different viewpoints; and whether or not the sources seem to have been accessed legally and ethically. That last category is an all-or-nothing rating and was added after a few students listed bootlegged films in their bibliographies!

This gives us a snapshot of where our first-year students’ information fluency skills are at the end of the first-year writing course. It also gives us a similar sense of where our juniors’ and seniors’ skills have or have not developed. And, while we are careful to not directly compare different academic schools to one another, it is helpful for liaison librarians to see the specific skill areas in which their liaison schools are strong or weak. Faculty have been very interested in the results of the project, and especially in how their own academic schools perform in the evaluation. We have several instructors who choose to not have their classes participate, but on the whole the buy-in has been good. 

Our results indicate that, in the course of their Seton Hill education, our students significantly improve their ability to integrate sources into their own discussion of a topic; make better use of primary sources; and use fewer outdated sources. We are working with our institutional researcher to further analyze the results and to think of more ways that we can use this information to improve the learning and development of our students. So far it has helped us as librarians to see where we need to be improving our instruction, creating more “point of need” learning resources, or spending more time talking about particular aspects of information fluency.