From campus to cloud: Yale’s strategy against the growing AI cyber threat
In September, Yale’s Information Security department gave insight into the risks that they are combatting and students are facing today.
Jessai Flores
With the rise of AI, Yale is taking steps to protect its students and combat cybersecurity threats.
Today, Yale’s Information Technology Department reported a rise in high-quality phishing, an online scam where people are deceived into revealing personal information, attacks due to artificial intelligence. In this announcement, Yale higlighted two initiatives: Bee SAFE, Not Sorry and Click with Caution.
Additionally, Yale announced that they will bolster existing security measures to counteract the rising threats against students’ data.
“The ‘Bee SAFE, Not Sorry’ initiative emphasizes recognizing, reporting, and responding to cybersecurity incidents,” Jeremy Rosenberg, assistant vice president for IT and chief information security officer wrote to the News. “The ‘Click with Caution’ campaign focuses on recognizing phishing attempts and social engineering. We try to educate the community as we learn about new threats and techniques and that’s what this campaign was designed to do.”
Some Yale students think it is important to educate others on how to prevent their information from being stolen.
One student commented on what he thinks Yale should do to encourage students to stay safe.
“Spreading awareness about certain tactics that are commonly used to exploit people or campaigns to just spread good awareness and practices that students should partake in,” Daven Yadav ’25 said. “I think that could be very helpful.”
However, these education programs have not been able to reach some Yale students.
Students answered whether they were aware of these campaigns and if they would attend them.
“No,” John Weber ’26 told the News. “Unless I was provided with some strong incentive, like if they said, ‘This is what you’re at risk of having happen to you if you don’t inform yourself with these workshops.’”
Some students already feel confident in their ability to keep themselves safe online. Some have adopted practices to ensure they minimize the harm that can be caused.
“I would like to think that I’m fairly careful when it comes to sharing sensitive information.” Yadav said. “I try not to have passwords be saved on websites. And I don’t always click ‘accept all cookies.’”
Some may not have been aware of these information campaigns, but many are confident that Yale is doing a good enough job of protecting their data. Many students think that Duo Mobile and two-factor authentication are enough to make them feel safe online at Yale.
Duo Mobile authentication is one of the strategies that Yale uses to protect student data. This authentication method prevents third parties from logging into a student account without confirmation from a trusted device only the student has.
But aside from Duo Mobile, some students know little about what goes on behind the scenes in Yale’s Information Security department.
According to Rosenberg, Yale’s information security program is a risk management program, based on the National Institute for Standards and Technologies Cybersecurity Framework, or NIST CSF. The NIST CSF is a set of government guidelines for industry, government agencies and other organizations to manage cybersecurity risks.
Yale’s approach, according to Rosenberg, takes a comprehensive approach to managing cyber threats by focusing on the areas of greatest risk. Yale classifies data by risk and availability, and applies security controls accordingly. Additionally, everyone handling high-risk student data is required to operate within these strict controls.
As the cybersecurity landscape continues to evolve, so do Yale’s initiatives for securing data. New attacks that come up force Yale to respond and change the methods that we protect our data.
“When we launched MFA (multi-factor authentication) everywhere in 2020, SMS was a standard method for receiving Duo MFA codes. Today we have disabled SMS entirely.” Rosenberg wrote. “The people phishing Yale have developed social engineering techniques that have allowed them to defeat SMS protections, so we are constantly reviewing these attacks and adjusting our responses accordingly.”
Today, cyberattacks are becoming more dangerous with scams like phishing attacks used to create realistic emails that bind people into clicking.
“I think it could be very easy, or it could be in the future, AI could be used to kind of act as some other individual when they’re not that person,” Yadav said. “I’ve heard cases of over the phone of people using AI to replicate people’s voices to sound like family members or friends in order to send information or money.”
As AI improves, it is becoming harder to distinguish between what is real and fake online.
Yale’s Information Security Department is aware of this threat and claims to be responding with its own combative measures.
“I think we need security for AI, and we need AI for security. Our information security teams are implementing new techniques and technologies to meet novel challenges presented by AI’s rapid growth,” Rosenberg wrote. “At the same time, members of our team are evaluating AI security tools that can help us better manage Yale’s risks. An important part of our work is trying to detect anomalies among billions of daily network events. AI is well suited to assist in that job and we are investigating those capabilities as they are released by our vendors.”You can visit Yale’s cybersecurity website here.