It would appear that Covid-19 isn’t the only type of virus that universities should be concerned about.
Last week, the UK’s National Cyber Security Centre (NCSC) issued an alert to the sector regarding a spate of recent ransomware attacks on academic institutions. A recent freedom of information request suggests that at least a third of UK universities have been subject to ransomware attacks.
But the UK is not alone. In June, the University of California, San Francisco paid $1.14 million (£860,000) to regain access to its data. This is a worldwide phenomenon; the consultancy CyberEdge has estimated that 62 per cent of organisations around the world have been affected by ransomware in 2020, compared with 56 per cent least year.
It is anticipated that the Covid-19 lockdown will have fuelled this rise as hackers moved to exploit vulnerabilities exposed in the rapid transfer to remote working. Much of the problem lies in the use of personal devices with unpatched software, insufficient virus control and unencrypted wifi connections. However, the vulnerabilities are often more human than technical, with credentials gained from recycled passwords or phishing attacks; purportedly Covid-related emails have a particularly high likelihood of being clicked on.
Institutions have moved quickly to implement multi-factor authentication and upgraded firewalls, and review vulnerability management, patching and backup processes. For some, though, this has been too little or too late since hackers have already encrypted their corporate data or threatened to release it unless their ransom demand is paid.
Such attacks can paralyse an organisation as it weighs up concerns over prolonged business interruption, reputational damage and data protection responsibilities against the financial impact and the ethical implications of capitulating to the demands. The decision to pay or not to pay is very much the question – especially when university budgets are so tight.
The advice of the NCSC, as well as Jisc, is very clear: do not pay! A range of reasons are cited, but the prime one is the inability of institutions to be sure that the hacker will undo the damage and not exploit the data breach at a later date. Those who pay up justify doing so on the grounds of business criticality and expediency. They also rely on the “honour among thieves” paradigm that hackers will stick to their word so that victims of future attacks will also feel confident in paying up.
The cybersecurity industry now goes much further than antivirus software and technical defences. Specialist companies employ trained negotiators who can advise clients on whether the hacker can be “trusted” and if they have a track record of keeping their word. They also operate on the margins of the Dark Web, using “white hat” hackers to infiltrate chat rooms and listen out for data trades.
Assessing the risk of paying up also depends on understanding the hacker’s motivation. A “black hat” criminal motivated by financial gain may not think it is worth the effort to piece together data that is encrypted or fragmented across complex data structures. The same is true of the hack itself. The more difficult it is to gain entry, the less likely it is that you will be targeted in the first place.
On the other hand, a cause-driven hacktivist or state-sponsored infiltrator will be much more tenacious. In CrowdStrike’s “Global Threat Report 2020”, the cybersecurity firm’s chief executive, George Kurtz, writes: “While criminals are relatively predicable in their tendency to always choose the path of least resistance, the activities of nation states are frequently more relentless and sophisticated – and as a result more challenging for cyberdefenders.”
So why are universities in particular being targeted? The hackers may be seeking access to intellectual property on cutting edge research, especially related to a potential Covid-19 vaccine. Alternatively they could be looking to access personal data for subsequent identity or qualification fraud. Last year, Jisc’s co-authored report with the Higher Education Policy Institute, “How Safe is Your Data?”, showed a correlation between cyberattacks and term dates, suggesting that hackers also exist within the student community.
The recent, well publicised attack on Blackbaud, the supplier of fundraising software, is an example of how universities can also be indirectly affected, highlighting the importance of ensuring that cybersecurity mitigations and notifications are defined in third-party contracts. The Blackbaud incident also exposed the complexity of GDPR responsibilities between data processor, data controller and data location, occurring at a time when the European Union’s Privacy Shield agreement with the US, which is meant to allow US companies to transfer and store the personal data of EU citizens, was invalidated by a ruling in the European Court of Justice.
With the world now more reliant than ever on technology for every aspect of our lives, universities would do well to heed the advice of the NCSC to increase awareness of cybersecurity issues within our communities and invest in making our system more robust.
As institutions move to revise their digital strategies to improve their support for distance learning and working, they must also consider their resilience to cyberattack. Better to invest now on defence than, later on, to have no choice but to line the pockets of criminals – or endure the bad PR and hefty fines that come with data breaches.
Chris Cobb is pro vice-chancellor (operations) and deputy chief executive at the University of London. He will shortly be leaving to take up a consulting role.