Universities ‘need joint security teams to counter cyber threat’

Universities must create joint cybersecurity teams to protect themselves against ever more sophisticated hacking attempts, according to the vice-president of a Dutch university hit by a ransomware attack over Christmas that forced the institution to pay the equivalent of about £175,000 to criminals.

Maastricht University’s Nick Bos said one of the lessons of the attack was that it was increasingly untenable for universities to each rely on their own security systems.

On Christmas Eve last year, Maastricht raised the alarm after hackers took control of servers critical to email and the storage of research results, initially using phishing emails to break in. It took more than a month to restore all systems – and the payment of 30 bitcoin to the attackers.

In a report looking at what went wrong and how to stop future attacks, Dr Bos called on universities to join up their security systems, pointing to collaborations already under way in Canada and the US.

“It’s not just a question of whether universities can afford it,” he told Times Higher Education. “There is not much choice here; we will have to invest in greater cyber resilience.”

Since the Maastricht attack, Dutch universities have stepped up joint efforts, he said, discussing whether they could collectively monitor their IT networks around the clock, for example. Meanwhile, Dutch healthcare institutions are already setting up their own security operations centre.

There are concerns that universities make relatively soft targets for cyber-attackers, because they host thousands of students using their own laptops, and researchers used to the open sharing of information.

The Maastricht attack was just one of several to hit European institutions in recent months. Last December, thousands of students at Justus Liebig University Giessen had to queue up to receive new passwords manually after a cyber attack. In October, the University of Antwerp’s email and student information systems were affected in a separate incident.

“There is a real race, even battle, going on with internationally operating cyber-criminal organisations,” said Dr Bos, who predicted that universities would have to make “substantial extra investments” in cybersecurity.

Dr Bos pointed to North America, where a number of universities are pioneering collective cybersecurity.

In 2018, Indiana, Northwestern, Purdue and Rutgers universities and the University of Nebraska formed OmniSOC, a joint cyber security centre, arguing that individual university systems were not enough to fend off mounting attacks.

The idea is that the centre can monitor all university networks at once for suspicious activity, thereby detecting an attack more rapidly. The joint centre claims to be the first of its kind.

Six Canadian universities are also trialling a joint security centre explicitly modelled on OmniSOC. In 2018, McGill, McMaster and Ryerson universities, along with the universities of Alberta, British Columbia and Toronto, formed CanSSOC in response to an “unprecedented” increase in the scale and complexity of threats.

“As a result, the associated scope and costs of successful early prevention, detection and mitigation are unsustainable by one single institution,” the group warned.

david.matthews@timeshighereducation.com