How is cybersecurity impacting digital transformation within Higher Education

By Kuldip Sandhu, Thu 12 October 2017, in category General

cybersecurity

  
@

The provision of reliable and enabling technology is increasingly becoming a key differentiator for Higher Education institutions on the backdrop of increasing expectations of students and staff encompassing research, teaching, and learning, and for running effective University administration. Technology is a key enabler for the transformational change to succeed.

In a recent CIO survey 2017 carried out by Harvey Nash / KPMG showed that the Education sector has not been able to make as significant changes as the private and for profit sectors. This has been driven by funding pressures as many jurisdictions have sought to control spending and tuition fee increases, yet maintain accessibility. At the same time, costs continue to rise. This is causing real pressure, increasing the inflationary gap, which in turn will limit the potential investment in future technology. The impact of this is profound as at the same time there is growing demand from students for an enhanced experience that reflects latest technologies, with the proliferation of mobile devices across campus a clear example. They do not find it acceptable to use software that is not equipping them for the world of work. As seats of learning and innovation, the sector should be leading the way for the minds of tomorrow. The Education sector needs to innovate and change to create operational efficiencies and keep pace with learner expectations from technology. The case for change must be made for long term sustainability, but with increasing shortage of skills, this is not an easy task. Clear technology leadership and innovation is a vital component moving forwards.

It is clear that the identity of technology within Higher Education is amid a seismic shift thanks to the myriad developments in technology, student expectations, academic research support needs and business best practice. These developments include:

The Higher Education sector is particularly ripe when it comes to cyber attacks where huge amounts of personal information from their students, staff and alumni and the research data from academic, commercial and Government research projects which they hold, along with the vast amounts of money they handle, means that Universities provide an attractive target for every hacker on the planet.

The individuals, groups, and organisations responsible for hacking computer systems have myriad different reasons for doing so. These range from the merely curious through revenge, to financial, economic, military, and political gain and in general, these Threat Actors target completely different organisations. In Higher Education and more specifically Universities these actors all operate.

The first thing we found in researching cyber-attacks on Universities is that this is not a new trend. The first we identified was a single attack in 2002 and is rather amusing. In an academic version of corporate espionage, Princeton University hacked into Yale's website to find out about its admission decisions.

2003 has only a couple of hacks, again into US universities and again aimed at harvesting personal information on students and staff for later resale. But in 2004, things start to get interesting as the State of California introduces the very first ‘Data Breach Notification’ law which essentially mandates that every organisation in California suffering a data breach must formally report any breach. That year Californian Universities reported 3 data breaches which together reached very nearly two million individuals’ records.

Similar laws were enacted through the US over the next few years and, not surprisingly, the numbers of breaches reported by US universities soared. Universities in 23 states reported breaches in 2005, in 27 states in 2006 rising steadily until mid-August 2017 when there have already been 217 Cyber Security incidents reported at 187 US universities in 43 states.

But cyber-attacks on Universities is not just a US issue. 2004, the year that the Californian Breach Notification laws were introduced, also saw the first recorded cyber-attack on a non-US university when Nanyang Poly in Singapore had personal details of its alumni stolen. But there are no effective ‘Data Breach Notification’ laws outside the US, and so reports on Non-US universities are sparse until 2011 when universities in Australia; Canada; India; Italy; Pakistan and the UK were all hacked. Between then and mid-2017, universities in 45 countries as diverse as Norway and New Zealand; Belgium and Bangladesh or Mexico and Morocco had all been hacked.

The motivation for many of the 1200 plus attacks we’ve analysed between 2002 - 2017 appear to be criminal, namely the theft of large quantities of personal data that can be sold for a profit. By the middle of 2017, over 13,930,000 e-mail addresses and passwords relating to US universities alone have been found for sale on Dark Web sites. Some of these attacks have been opportunity led whilst others suggest organised criminal intent. For example, a Russian hacker known as Rasputin has reputedly hacked at least 30 universities worldwide including the University of Delhi, UWE and the University of Mount Olive and then sold the details he stole.

Some attacks have been by relatively young and inexperienced hackers out to make a name for themselves. These are usually manifested in web-site defacement or stealing user names and passwords and leaving a small selection on a public website such as pastebin.com as proof of the hack. In May 2013, Makabylie’ a 15-year-old Algerian hacked two French universities just because he could. Interestingly, one of the two was Lille University, reputedly the 10th time it had been attacked that year.

There have also been a considerable number of politically motivated attacks. In the US in 2016, Andrew "Weev" Auernheimer, a right-wing extremist, hacked the print servers of several universities including Princeton, Brown University and the Universities of California and Massachusetts causing them to spill out racist propaganda. The ‘Cyber Armies’ of Pakistan and India regularly deface each other’s university web sites and in the UK, a group supporting Julian Assange targeted Cambridge and Leeds Universities in 2012.

At the extreme capability end of the scale, research data at several universities has been targeted by Nation States with Iranian hackers aiming for Israeli nuclear information and Chinese hackers reportedly targeting military related research at the National Defence University in Taiwan; the University of Virginia and Pennsylvania State in the USA.

But not all attacks come from outsiders. In 2012, a candidate for president of the California State University student body was charged with tampering with the University computers to alter the election results and in September 2015, an ex-member of staff at the University of London launched a cyber-attack against the senior manager responsible for his dismissal.

Over 75% of the 1285 attacks we’ve recorded since 2002 have been against US universities with the UK ranking second with 43 incidents. India is in third place with 28, mainly tit for tat attacks from Pakistan, followed by a clutch of countries including Australia; Canada; China; France; Germany; India; Italy; Japan and Turkey, each with between 10 and 20 recorded attacks.

The vast discrepancy between the US and the rest of the world is largely due to Reporting Bias since US universities legally must report all breaches which is not the case elsewhere. There is also an element of Search Bias in our results as we are essentially dependant on reports being made available in English as opposed to any other language. For instance, we could only find one report of an attack on a Spanish university although there are at least 80 in the country and Spain is statistically the fourth most attacked country in Europe.

Conclusions

The requirement to inform individuals that their personal information had been compromised has had several effects in the US Higher Education sector. Most notably:

The introduction of the new EU General Data Protection Regulations (GDPR) is liable to change the statistics substantially, at least in Europe and the UK. There are over 1,200 universities in Europe compared to approximately 1500 in the US. Once the obligation to report all data breaches is in force post May 2018, we would expect to see broadly comparable breach data statistics within 2-3 years with the other changes we noted above also being reflected across the UK Higher Education sector.

The changes described above form the base that defines the digital business age. To enable today’s enterprises to focus on current priorities around cybersecurity, maintaining BAU and managing technology risk, they need a dependable service partner to drive their technology needs in this ever-changing digital economy.

Learn more about Keyrus’s technology advisory expertise and innovative service offerings and how they are helping enterprises to propel themselves towards digital and cyber security transformation