The threat of cyber-attacks against universities has grown significantly in the past two years as education went wholly online, with each incident costing, on average, almost half a million dollars. John O’Leary explores the problem.
Universities were already prime targets for cyber-attacks before the COVID-19 pandemic struck. The sheer volume of saleable data that institutions hold, from students’ bank account details to research findings of interest to companies and even national governments, made certain of that.
Their rapid switch to remote learning and the placing of more and more activities online, however, magnified the dangers. Security firm BlueVoyant estimated ransomware attacks on universities alone doubled between January 2019 and September 2020. The most common form of cyber-attack, ransomware, allows hackers to lock individuals or institutions out of their accounts until payment is made. Universities are naturally reticent about disclosing the size of such payouts, but the firm’s Cybersecurity in Higher Education report put the average at almost US$450,000.
Data breaches constitute the other main threat, with hackers exploiting the multiple entry points to university systems and often poor password management. Over a third of these were linked to learning tools and associated apps, according to BlueVoyant, which reports that credential lists are “massively trafficked” on the dark web.
For research universities, state-backed perpetrators are an additional danger. BlueVoyant found 200 such attacks over two years and suspects there were many more. Industrial and defence technology research tended to be the main targets, but medical and biotech data is of growing interest. Even one of the laboratories used for Oxford University’s world-famous COVID vaccine research was attacked in 2021. The university said it soon identified and contained the problem.
While security around the most sensitive research projects can be effective, vulnerabilities elsewhere in university systems often provide an avenue for the most sophisticated operators. These types of attacks could result in the loss of competitive grants and place future patent royalties at risk. Reputational damage is as great a concern as immediate financial losses, especially when researchers or other staff are blamed for the breach.
Only in April, the Black Cat ransomware group claimed to have stolen more than a terabyte of data from Florida International University in Miami, and disrupted systems at North Carolina A&T State University. Later in the month, Austin Peay State University, in Tennessee, was forced to suspend final exams and close access to its computer labs while an attack was investigated.
Fitch, the American ratings agency, notes costly attacks have come at a time when many universities are already grappling with financial and operating stress related to the pandemic. Lincoln College, in Illinois, cited the costs of a ransomware attack as an additional reason for its closure in May. “All of our registration systems, our academic files, our finance, our admissions, our fundraising. It was all impacted and shut down,” said David Gerlach, the college president, in the aftermath. It took six weeks of negotiation to get the ransom down to “significantly less than US$100,000”, impacting student recruitment and delaying the start of the next semester.
Cyber-attacks are by no means an exclusively American phenomenon. In the United Kingdom, for example, Northumbria University was forced to cancel exams and close its applications hotline during an attack in 2021, while neighbouring Newcastle University saw its IT systems disabled at around the same time. Dominic Raab, then the UK’s Foreign Secretary, told the Cyber UK conference that 80 British schools and universities were hit by ransomware attacks in March 2021 alone.
Andy Youell, a British IT consultant with 30 years’ experience in universities and national organisations, has seen the threat posed by cyber-attacks rise exponentially despite much-increased security, with university managers showing much greater concern about the dangers they pose. “The attacks have changed as universities have become ever more dependent on their IT systems. A lot of activity has moved to the Cloud, and that is probably a very good thing because those platforms are remarkably good at security,” he told The New York Times.
But Dr Youell fears that the characteristics of academics and students will always make some vulnerability likely. “Universities always find systems very difficult because there’s something inherent in a university that is about not staying on the tramlines. That mindset kicks against IT directors who want to follow rules.” He added: “There are so many potential threats – from people who just want to create mischief, political or otherwise, and are usually relatively unsophisticated, to straightforward criminals and even foreign powers, who I have heard of doing all sorts of nefarious things. Most university systems are a lot more mature now, but there are plenty of incidents we never hear about.”
Universities are also struggling to match the salaries paid to highly-skilled IT staff in the private sector and to afford some of the more sophisticated equipment needed to update their systems successfully. However, the Ponemon Institute, in Michigan, puts the global cost of a data breach at almost US$4.26 million in 2021. It cites new ransomware trends, such as double extortion, where attackers do not return access to data and threaten to leak stolen data if a ransom is not paid, as a critical further risk.
Both the Federal Bureau of Investigation, in the United States, and the UK’s National Security Centre have been closely involved in advising the higher education sector. In May, the FBI issued universities and colleges with a 10-point checklist after notifying them that “sensitive credential and network access information” was widely available on online criminal marketplaces. The advice included maintaining strong liaison with their local FBI field office, updating software, training students and staff to raise awareness of phishing, restricting access to accounts and credentials, closely monitoring remote desktop use, and using anomaly detection tools to identify increased traffic and failed authentication attempts.
“The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber-attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services,” the FBI advised. “If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations.”
The National Security Centre (NSC) has issued its own advice, updated during the pandemic, calling for universities to implement a ‘defence in depth’ strategy and to draw up and test an incident response plan that includes a scenario for a ransomware attack. The NSC also encourages universities and colleges to sign up to its Early Warning Service, which uses a range of information feeds to notify organisations of malicious activity on submitted domains and IPs.
Many other countries have also stepped up their defences against cyber threats. Singapore, for example, has had a cybersecurity strategy since 2016 and updated it last year. The ASEAN region has now developed its own collaboration in this area.
Private security firms are also queuing up to offer advice to higher education institutions. Sion Lloyd-Jones, Senior Manager for Cyber, Information Protection and Business Resilience at KPMG, for example, offers cyber maturity assessments for universities and the appointment of a “red team” to mount a cyber-attack to expose vulnerabilities and test defences under realistic conditions, identifying weaknesses that may not previously have been obvious.
In the long run, there are hopes for improved forms of cyber security to lessen the risk of attacks. Hexham Courant reported in May that Cardiff University was developing a new tool that could automatically detect and destroy cyber-attacks on computers and other devices in under a second. Inverting the traditional antivirus approach of analysing what malware might look like, the new method considers how malware might behave. The results have been staggering so far. Over 90 percent of files have been prevented from corruption in an average of 0.3 seconds, according to the researchers.
In the immediate future, however, universities will continue to attract hackers with the volume of activity carried out online and the multiple points of entry to their systems. Although face-to-face learning and laboratory-based research have returned across most of the world, students, academics and many other staff still require remote access, often using devices and online practices that encourage vulnerability. While university security systems have improved, poorly funded, often understaffed IT departments struggle to hold the line. Training for students and staff is now commonplace and most institutions are conscious of the need to restrict access to sensitive information, but few institutions are fully confident of their ability to withstand a sophisticated cyber-attack.
This article was from the QS Global Education News Issue 09.