The cyber security practices of Australian universities are in the spotlight after the Australian National University (ANU) reported last week it had been the target of a serious attack. Hackers – reportedly based in China – infiltrated ANU’s networks some time last year and have proven difficult to remove.
According to the Australian Cyber Security Centre’s 2017 Threat Report:
Targeting of the networks of Australian universities continues to increase. Universities are an attractive target given their research across a range of fields and the intellectual property this research is likely to generate.
Anecdotal information suggests university performance in cyber security is quite weak. The problem is not widely studied by scholars. But there are things they can do to improve.
It’s important that they do because university networks hold important intellectual property data; sensitive political, business, and social data from background interviews and surveys; and valuable personal information about students who go on to become political, business and national security leaders.
This is a global problem
Cyber attacks targeting universities aren’t limited to Australia.
Chinese universities were among the major victims of a global ransomware attack involving the Wannacry malware in 2017. The attack, which locked up user files and demanded a ransom, came just on the eve of submission of final theses for the academic year in Chinese universities. Social media reporting suggests the disruption was serious.
Indeed, universities figure rather prominently as victims of cyber attacks in China. In 2016, according to a Chinese study, the country’s universities accounted for the highest proportion (40%) of targets of the most serious form of threat.
Known as Advanced Persistent Threat (APT), this form of attack is usually associated with government intelligence or military agencies. My own work suggests that in general the institutions targeted had bad security practices – either by not installing software updates on the day of issue or by using pirated software.
Better reporting is required
So how good are Australian universities at cyber security?
There is scant public evidence assessing the cyber security practices of Australian universities so it’s hard to say. According to a senior official of a small regional university who I spoke to last month, his institution simply has not been equipped, staffed or funded in the past to engage with the challenge.
What about the country’s top universities?
To answer this, some consistent and public reporting on security incidents would be required. If we had information on the size of security staffs, the type of outsourced security arrangements, and the total annual budget for cyber security in our universities we could make a reasonable judgement. These types of data are difficult to find, but we can make judgements in other ways.
First and most simply, do universities utilise two-factor authentication? Do they prohibit staff and visitors from bringing their own devices and USBs? Most Australian universities probably fail these two basic tests.
Second, since most Australian universities don’t insist on mandatory training in simple security measures, such as how to avoid “phishing” emails that carry malware, we can assume serious vulnerabilities exist.
In 2018, the University of New England released a comprehensive three-year information security plan. It is an impressive assessment of the threats, risks and challenges for the university – and it updated a previous plan for 2015-17. The scale of the challenge is well captured by one sentence in its executive summary:
…yesterday’s security defenses are not effective against today’s rapidly evolving threats.
Not all Australian universities have such an easily accessible and comprehensive plan.
What is to be done?
Mature organisations in the corporate world do not leave cyber security management in the hands of the information technology managers. Rather they place responsibility in the department of risk management, directly under the CEO or Board of Directors. One reason is that cyber security is a socio-technical problem, not just a technology problem.
There is an additional option uniquely available to universities: to ensure that those who manage security of networks and data work closely with those who research and study the same problem.
This happens in Oxford University, where the academic staff in the field are seen as part of the solution. Oxford convenes a monthly meeting of its Information Security Special Interest Group (SIG) and its members help manage the university’s annual baseline cyber security assessment.
Oxford also has its own Computer Emergency Response Team (CERT), a type of organisation used globally, though often only at the national level, to manage certain aspects of cyber security. The CERT is developing the university’s own security analytics platform (SAVANT).
In December, the Canadian universities and colleges association issued a workshop report on what their member institutions needed to do to address this problem. It advocated, among many other steps, a national university-based cyber security network.
Participation in a shared Australian network of this kind will be the only solution available to Australia’s smaller universities with low security capability, but also an essential component of the cyber security work for our largest.