The term 'cybersecurity' is used to ubiquitously reference the rapidly evolving security threats we see to a digital society. At the same time as our digital reliance is expanding, so too are the cyber threats which expose us to further risk at an unprecedented rate. The situation is exacerbated by the increased frequency, ease, sophistication and automation of attacks.
Australia's social, education and economic models are directly impacted by cyber threats. With education our fourth largest export and universities actively embracing digital models for education and research; our higher education (HE) institutions are very much targets.
Coming to terms with the impact, and developing and implementing appropriate responses within the higher education sector is not trivial. This is highlighted by the Council of Australian University Directors of IT (CAUDIT) identifying the need to holistically address cybersecurity as its third highest sector-based issue within its 2016 ranking of the top ten technology issues.
Accordingly, universities need to significantly broaden their current approaches and respond to threats via participation in partnerships between government, business and the community on a national and international level to be effective in addressing the issue.
This involves a balance of awareness, communication, research and strategy, technology and appropriate processes. Importantly, the human element is as much a key to the solution as are technology-based controls.
Australia's higher education sector enjoys a solid international reputation and is a significant economic and social contributor through teaching, learning and research. Universities hold student, staff and third party online identities which equate to an online currency in the cyber underground.
A significant portion of university systems are internet-facing and are therefore attractive targets for either professional criminal, nation-state or student-based explorative hacking. Ransomware and phishing incidents are major threats to universities and continue to evolve and become more insidious.
Research is increasingly important to Australian universities and sharing relationships between Australian and overseas counterparts such as USA, UK, Singapore and Japan rely on adequate digital trust. These countries have emphasised the protection of intellectual property through strong cybersecurity strategies.
Australia sits around 5th place in the USA-UK-Asia Pacific cybersecurity maturity capability ranking – moving forward this needs to improve in order for Australia to continue to enjoy the benefits of these data sharing relationships.
To add to the complexity of university systems, 'academic freedom' must be balanced with a tight 'corporate' application of security controls. The environment where 'open access' sits alongside security and privacy presents unique challenges to securing university infrastructure and systems.
It would be easy to think that universities have similar if not the same requirements as each other or the corporate world when it comes to cybersecurity. However, a combination of centralised vs decentralised IT environments, differing technologies, operational silos, varying risk appetite postures, non-standardisation of security control applications, differing cybersecurity governance frameworks and implementation nuances means that requirements are organisationally specific.
Add to this equation, differing levels and sources of resourcing and funding, the requirement for collegiality within negotiated cybersecurity approaches and a desire for operational stability and it can be seen that the challenges of securing Australian universities are significant.
While attacks on the HE sector in Australia currently lag behind the USA and UK in terms of frequency and intensity, one only need observe that the USA identified cybersecurity as its number one national threat to understand where our future is headed. With a close relationship and cultural ties to both the USA and UK, Australia's profile for cyber-attacks will certainly follow this trend and increase over time.
Cybercriminals are leveraging increasingly available and sophisticated tools and methods for exploitation which operate in stealth mode and through obfuscation. Detection of modern attacks can be very difficult and recognition is likely to be low in Australian universities due to a lack of focus on awareness, resourcing and Security Incident Event Management (SIEM) systems which show network and system based attacks.
Some fundamental differences between the USA and Australia make the level of 'noise' regarding cyber-attacks less audible. There are currently no mandatory data breach laws in Australia (although this is highly likely to change in the future). This means when a data breach does occur, unless it is leaked to the media, there may be no disclosure even within the affected institution.
Also, a culture of 'need to know' and reputational conservatism regarding cybersecurity within the HE sector means cybersecurity incidents, breaches, impacts and unmanaged cyber risks are discouraged from being openly discussed.
Lastly, unlike the USA and UK, Australia currently has no national or sector driven trusted community information sharing strategy, such as a HE Information Sharing Analysis Centre (ISAC). Therefore, the actual level of attacks and incidents in Australia broadly is not well known and discourse on disclosure is minimised.
Let's examine some specific, high impact overseas examples before highlighting some local Australian incident types.
Recently the University of Calgary in Canada received international press coverage regarding a ransomware attack. The attack crippled many of its key systems and tied up a large number of IT technical staff for well over a week. Systems impacted included authentication systems (logging onto systems was impacted) and access to email, research data and network drives was blocked. After a significant unsuccessful effort to decrypt the infections, the University agreed to pay the $20k ransomware in bitcoin.
Earlier this year, the 'Janet' network in the UK (which provides the Internet feed to UK based universities, schools and government) was subjected to a cyberattack type known as a Distributed Denial of Service (DDOS). This type of attack sends a very large amount of internet traffic to institutions so that they are blocked from receiving or sending information and hence are effectively taken offline. This particular attack lasted for several days and significantly impacted universities.
Similarly the Massachusetts Institute of Technology (MIT) in the USA has incurred at least 35 sustained DDOS attacks this year alone. California's Berkeley University incurred two major breaches recently, one exposing the login details and education and private information of up to 80,000 students, alumni and staff.
Pennsylvania State University were required to take all of their Engineering department servers offline following advice from the FBI that Chinese hackers were sifting through their servers. In this case the Engineering department were developing sensitive research technology for the U.S. Navy.
Australian incidents are kept more under wraps. However, there have been multiple instances of website defacements, Facebook hacks, data breaches, account credentials leakage, server compromises, ransomware, successful phishing attacks, malware infections and other incidents directly against Australian universities.
Cybersecurity plays a key role in the digital enabling platform and is an essential key to assisting organisations to reach their business goals. This is achieved through protecting identities, data and systems, thereby facilitating the capacity for broader partnering and relationships based on digital trust.
University leadership must recognise that cybersecurity is an essential business function that provides context to the institution's risk-reward approach. As we move towards digital models, so too our digital risks follow. However, simply increasing cybersecurity funding and resourcing is not a solution without a clear strategic alignment to business goals and a 'designed-in' approach.
In line with CAUDIT's high ranking of cybersecurity within its Top Ten list, it is essential that cybersecurity is viewed as a 'board-level' matter, replacing the outdated perspective of being solely the 'IT Department's responsibility'. While the IT Department remains the resident expert on technology based controls (and is strengthening security teams), cybersecurity needs to be recognised as a cross-sectional issue involving technological, social, legal, economic, cultural and process aspects.
A key strategy for universities to undertake to ensure cybersecurity effectively enables the business is to appropriately implement a security framework with associated technical controls and processes. This not only provides reasonable assurance of a business led approach to cybersecurity protection, but also allows benchmarking against a recognised and measureable level of compliance and standards.
Segmenting this, structured information and actionable threat intelligence sharing now plays a crucial role in cyber threat mitigation. This is an area in which Australian universities currently fall significantly behind when compared to the USA. The sector is working to address this by establishing this essential function and encouraging broad and open participation within a sector-based trusted community.
Importantly, the human element of cybersecurity is often the weakest link and cannot be overlooked. From executive engagement and leadership to [technology] design to ensuring that phishing threats are understood, improving the level of awareness, training, communication and digital literacy in universities in relation to cybersecurity is paramount.
Awareness as a key attribute can lead to cybersecurity action that makes a difference. As an example, the issue of fake overseas generated Australian degree testamurs being sold online is a problem which could undermine the reputation and value of Australian university education. The providers offer for a small fee to also hack an institution's student system to add the qualification directly to the database.
In response to this and as a clear example of the role of cybersecurity as an enabler to teach and conduct research safely in a digital world, the ANZ HE sector has initiated the 'Student Digital Data' project. This will ensure digital signing of future degrees to mitigate this type of attack and as a response, significantly improve digital trust for the local HE sector and community
Lastly, universities clearly have a role to contribute directly to the national level of cybersecurity maturity awareness and capability. This can be achieved through the role of providers of education and research to help build a 'Cyber Smart Nation' as per Australia's National Cybersecurity Strategy. The capacity for universities to not only encourage cyber skills development but to foster and promote meaningful and productive engagement and collaboration through partnerships, communities of practice and security programmes is extremely valuable.
Based on international indicators, threats to universities will grow in sophistication, frequency and intensity and therefore ongoing and escalating disruption from the various cybersecurity threat actors is inevitable.
Digital assets and identities make universities attractive targets. Higher education in the USA is now the third most commonly attacked sector; it is anticipated that Australia will follow this trend.
For universities to defend themselves, a considered and strategic approach involving embedding of cybersecurity in the business and embracing Australia's new Cyber Security Strategy is essential.
While technology, design and automation assist as primary controls; engaging in a broad collaborative approach with information sharing, partnering and focusing on the human awareness element is critical.
The notion of helping to protect, defend and respond to current and future cyber threats against the Australian higher education sector is a journey we must all embark on proactively, strategically and collectively in order to assure our nation's digital and economic future.
Driving collaboration across business, industry and tertiary education.
Copyright © 2001-
Business/Higher Education Round Table (BHERT). All right reserved. ABN 80 050 207 942.
Website by Hope Stewart—Website Design & Management