This post was updated Oct. 16 at 12:17 a.m.

Drake Chang, UCLA’s chief information security officer, sat down with Daily Bruin contributor Catherine Wang to discuss his team’s October campaign for Cybersecurity Awareness Month.

Chang began as a technology analyst for UCLA Humanities in 2011 and was appointed chief information security officer in January, witnessing many changes in the cybersecurity landscape at UCLA. Chang said he hopes to expand focus on the field beyond Cybersecurity Awareness Month and continue engaging with the UCLA community.

This interview has been edited for length and clarity.

Daily Bruin: How is managing information security at a large academic institution like UCLA different from other organizations?

Drake Chang: I think information security in an academic setting is very unique in that our risk tolerance and appetite profile is different than what you would see in heavily regulated industry such as banking or even health care systems. … While we would like to secure everything to the maximum degree, we’re not Fort Knox. We’re not the Department of Defense in our needs to classify and make sure everything is top secret.

The best answer from a security perspective isn’t always the best answer for how we support the university’s mission. That creates a lot of need for healthy dialogue with our faculty and with our Academic Senate to find a balanced approach to cybersecurity and effectively being able to manage the risk, while still enabling them to explore opportunities that we’re finding in AI. … That, to me, is the biggest difference I see when talking to my colleagues who are in more regulated sectors.

DB: What campaigns is your team implementing for Cybersecurity Awareness Month, and why do you think this month is important?

DC: The campaigns we have invested in started on Oct. 1, where we set the table on Bruin Walk and invited anybody with a cybersecurity interest to stop by and take our cybersecurity quiz, which reinforces what I call some basic cyber-hygiene practices and principles. Use passwords, don’t click on links or open attachments that you don’t recognize, don’t pick up a flash drive you found on the floor and plug it into your computer – things like that. … They could spin the wheel, win a prize, and we were able to get some of our swag right out there.

We have an event coming up on the 17th, which is more focused to our campus administrators and our staff members. The LA ’28 Olympics are coming to UCLA in a few years, so we’ve invited the head of cybersecurity for the LA ’28 Olympics to join us for a discussion where he’s just fresh back from Paris, where he was shadowing the cybersecurity team that secured the Paris Olympics. We’re really excited to … partner with them at UCLA because we’re helping host the Olympic Village. … We have our campus chief data and AI officer, who’s also going to be a guest speaker in that panel and look forward to connecting up the cyber and information security practices and ethical use with AI exploration.

DB: What are the biggest misconceptions about cybersecurity that you’ve observed among students and faculty, and how are you planning to address them during this month?

DC: Cyber Awareness Month is really about bringing accessible information down to how everybody can be vigilant and security minded. We think of a more Hollywood-esque cyber picture where there’s a hacker on the other end and there’s a screen full of ones and zeros. Sure, that threat is always out there, but … I think we could actually just be secure through being a little bit more obscure. Do you really need to publish everything on your Instagram or on your TikTok? That information is always getting collected, and it can sometimes be used against you in ways that you don’t anticipate, and I think AI is only going to continue to accelerate that. We’ve seen how easy it is to create deepfakes, where they’re impersonating the voice or the likeness of a well-known figure. That’s definitely a very real danger we’re going to have to mitigate against as AI continues to evolve in our daily lives.

DB: How do you think AI will impact cybersecurity at UCLA?

DC: It’s going to be like an arms race. The cybercriminals are looking at how they can use AI to create more sophisticated cyberattacks and deception lures, like maybe make them write a more convincing phishing email. … But I think on the other end, I see incredible opportunity for AI to accelerate how we can protect the institution … and leveraging the automation aspect of artificial intelligence to accelerate how we can reinforce the posture of our cyber protection mechanisms.

DB: How is AI currently being used in cybersecurity at UCLA?

DC: There are tens of thousands of devices on campus that all connect to this network. … 99.9% of that is just noise. But you’re looking for that needle in the haystack – the sign that a cybercriminal is trying to probe our campus, trying to find a weak point that they can then infiltrate. … AI can help us identify where that 0.1% is.

DB: How do you keep up with new security technologies or cyberthreats that could emerge?

DC: We are so privileged to be part of the UC system. So immediately, I have 10 other colleagues at UC Berkeley, at (UC) San Diego, that we can talk about these common challenges together … (and) strategize together about the best approach.

Through UCLA joining the Big Ten, … I have 11 other CSOs (chief security officers) and counterparts at higher education institutions across the entire U.S. … We have robust information sharing communities where if I’m seeing something at UCLA that is threatening, we have secure ways of sharing that intelligence with our colleagues in these other campuses. It’s kind of like a neighborhood watch.

DB: What cybersecurity advice would you give UCLA students?

DC: Definitely use a password manager and use complex, unique passwords. The second tip is to really take a few minutes and look at the privacy settings you have in your social media platforms. On our Cybersecurity Awareness Month website, we have some detailed resources on how you can manipulate those privacy settings so that you’re not inadvertently releasing more information than you’re comfortable with. … Don’t rush as you’re looking at emails or browsing websites. If it looks suspicious, I encourage every student to share or report that to our Information Security Office. They can do that by sending an email to [email protected], and then we have a team of trained information security analysts who will help review whatever the report is.

DB: Throughout your years at UCLA, what have you noticed were the biggest changes in the cybersecurity space?

DC: Fourteen years ago, cybersecurity was truly an afterthought. It was based on the lack of real-world organized cybercriminal activity. … Even at UCLA, … there were several pretty significant events, attention-grabbing events, that really forced not just UCLA but the entire UC to start thinking more about cybersecurity. … That conversation started at the top with our leaders about building security by design right into the infrastructure, into the services that we offer. That manifested in what we think of as the modern security programs.

DB: How does your team protect UCLA information when students and staff are not physically on campus, such as during the COVID-19 pandemic?

DC: If you think about our previous, pre-pandemic, our security had a border around campus, and as long as we built this perimeter around it, we keep people from penetrating inside of it. But then during the pandemic, everybody went remote. Now they were connecting their university devices from home wireless networks, connecting from Starbucks. … Don’t connect to any open wireless networks because that traffic can be easily intercepted or monitored. … We made a big push to getting security software onto every single university-owned endpoint or workstation or server and move away from security just based off the network.

We saw a lot more laptops get issued during that time, but those could easily be physically stolen. Encrypt the laptop so even if it’s stolen, none of the data can be easily recoverable by whoever managed to get away with that device. … At the start of the pandemic, … there were a lot of open Zoom rooms, and people were just going in for the purpose of being disruptive. And showing people how to set up some basic security settings to manage the people who could enter that room. … I think that a lot of that information is still up on our site. And when we came back from the pandemic, I think a lot of our workforce still is in this hybrid workspace, so still very highly relevant security fundamentals.

DB: By the end of the Cybersecurity Awareness Month, what are some goals that you and your team hope to fulfill?

DC: We’re really making that push for adoption of … 1Password, which is a password management solution freely available to all our campus faculty, staff and students. We’ve been promoting that and really excited to see how many new people we get enrolled into that. … The campus uses Slack for instant messaging and communication, so we set the channel there, and we’re trying to get people to join and just stay up to date.

Cyber Awareness Month is going to come and go, but we want to develop some of these forums where … we continue to connect with the Bruin community and share these cybersecurity tips.