And this is still going to pay off?

Oh yeah. Intercity fiber is like gold. We expect by the end of January to turn it up and send data down it.

A couple of high-profile schools, UCLA and Texas, recently announced that they had data breaches. I know MIT has not been immune to breaches either, but what do you think when you hear about new breaches like these?

The problem we all have is the Microsoft patch of the week. I hate to say it, but it's sort of the payback for universities not paying attention to security for decades or being sloppy about administrative computing. The mentality goes back to the times of disconnected, batch-oriented mainframes when the Internet was not even on the horizon and the attacks we face today were unheard of. One area in which we've been a little ahead of our peers is not using Social Security numbers for employee and student IDs. That goes back more than 20 years. Having said that, the SSN is used in more cases on campus than it should be, but we're working to reduce that. The fundamental problem behind all of this is that the SSN can be so easily abused. It's easy to learn someone's SSN yet it is viewed as a secret by many institutions so it can be used as an authenticator. This is broken. We need legislation that says anybody who makes decisions based on authentication, which is knowledge of an SSN and a home address, they're taking the risk in the transaction, not the consumer. People will scream: A¢Euro ˜But how are we going to authenticate people?' Figure it out. Part of the solution is to have some sort of mandatory education. If I want to handle data for research on humans I need to be certified. That's [a National Institutes of Health] requirement. I think we need to start with having a certified administrative data handler. There's not a government agency pushing that like NIH on human research, but within institutions like ours, we could do this. I don't think there's a technical solution that doesn't involve training people.

What other headaches are schools dealing with?

CALEA [Communications Assistance for Law Enforcement Act, a wiretapping law; see details at www.askcalea.net/ ] is one. [Industry trade group] Educause did us a great disservice by panicking and screaming that the sky was falling. In my view, CALEA was not targeted at higher ed. What I think it really goes back to is making sure that if the telephone companies have to be compliant then the cable guys do too. But the language used was overly broad and could include universities. The FCC chief of staff told Educause this wasn't about universities and to go away, but Educause wouldn't let it go and asked the FBI. And of course if you ask the FBI if they'd want cameras in every bedroom of every American citizen, they'd say of course, we could cut down on domestic violence. They woke a sleeping giant. For now, CALEA is a source of angst for IT, but the lawyers are busy.

What about dealing with wireless on campus these days?

We have a potpourri of devices on campus. We recently started surveying our community about what mobile devices they are using, how they are using them, etc. We have a team of people worrying about this. We'd like to make recommendations, but how do you do that when the devices are changing so quickly? Security is an issue, though the amount of memory on most of these devices is small enough now that we don't have to worry about people downloading too much and then losing devices. We're not going to have someone lose a Treo with every student record on it, for example. But we already have to worry about laptops and there's been a push for hardware encryption there. I hope the handheld device makers figure this out before they make products that have enough storage to rival laptops.

How do you actually enforce security standards among MIT's departments and network users?

Enforce is not a word you can use at MIT. We try to entice people to do the right thing. We've made a lot of progress. We've removed the financial incentive to run your own network, which used to be cheaper than having us do it. We've been a cost-recovery network since forever now though. At many universities the network is free and they just fund it out of operating costs. It was hard doing it our way at the beginning because we had no income and we ran deficits for the first bunch of years so that we wouldn't have to charge a huge amount of money to the early adopters. Indeed, as we ramped up we did break even and even started bringing in more money, which we've always found a way to spend. Another big university a couple of years ago was told by the senior administration to do everything they did that year and more on half the budget in the next year. Suck it up. That hurts, but we've been immune to that sort of thing.