The Cyber Threats in Universities Nobody's Talking About

This week was the back-to-school frenzy. These days, with four boys, the whirlwind is all about survival for me: kindergarten, primary and secondary school simultaneously. This chaos breeds nostalgia. I remember how much I loved the first week of university when I was a student.

People are excited to see each other, you welcome back old friends and new undergrads, no homework and assignments, parties... those were good times.

That was not the case for the University of Michigan this year. A cyber attack ruined the day. The catastrophe followed a data exfiltration incident at neighbouring Michigan State University three weeks prior.

Yet, security events in higher education always seem to fly under the radar. And that's a shame because this sector is in duress.

I feel connected to universities in a unique way. I have spent many years working in academia. My wife has been a lecturer for over a decade. This is why, this week, I look at higher education's unique information security risks.

We keep hearing about the "knowledge economy" or the "information economy". If this matters so much, how can we explain that such hardships strike our most respected institutions? And why aren’t we acting upon the emergency?

Read on to find intricate details about university threats and how to address them. Hopefully, I’m able to raise awareness about the issue.

Here's a dad joke to start us off.

Cyber espionage is real

In the Data Breach Investigation Report (DBIR), Education services ranked third amongst industries for cyber espionage threats, behind oil & mining and public administration. These sectors are well-known targets of Chinese advanced persistent threat (APT) groups, which are more or less para-governmental syndicates of the best hackers in the world. Universities in Canada are sounding the alarm on Chinese-backed agents attacking them, calling their attempts to steal mining research "the greatest strategic cyber threats to Canada".

Universities harbour the most innovative solutions in pharmaceuticals, engineering, and technology. Intrusion attempts will continue. China is ramping up its moon program. Space exploration is where these hackers will strike next.

The internet has no borders. It's nearly impossible to enforce intellectual property rights on foreign spies.

This will become important later: the threat agent to universities has an insurmountable amount of resources and skills.

This makes it worse when you realize universities can be their own worst enemy…

Sign up for ppfosec

InfoSec Made Simple

Subscribe

Email sent! Check your inbox to complete your signup.

No spam. Unsubscribe anytime.

Egos and Echo Chambers

Let me paraphrase a friend who used to work in higher education: university professors have such a large ego that they won't admit their chair website is full of security holes. No, not computer science professors. Philosophy, law, nutrition...

I don't have data to back me up on this, merely anecdotes. Based on my experience, universities run in absolute echo chambers of departments, chairs, and faculties, all operating as isolated businesses. Worse, professors who spent all their lives in this aquarium end up in senior management.

From an information technology perspective, this is a losing battle. Any attempt at centralization will feel like cat herding. How can you implement, say, a data warehouse with unified security permissions? The machine is optimized for research, by researchers, who may not share IT's core principles of efficiency and scalability.

Every Campus is a Village

My local campus hosts over 10,000 students. This is a town in and of itself! It has a medical clinic, a pharmacy, a physical therapy clinic, a legal office, a psychology clinic, a bank, and countless other services. Most of them rely on the University’s IT infrastructure one way or another.

Let that sink in. This means a small university in Quebec or Vermont has to classify its data based on tens or hundreds of different contexts. You don’t have the same laws for health as education or financial services!

I don’t think any other sector must deal with the same level of data complexity in such an overall small IT footprint.

And it gets worse because this level of personal information affects a special population…

Students are Vulnerable Individuals

The majority of students on campuses live for the first time away from their parents. Some of them come from different countries. Many suffer from anxiety or depression. In fact, in 2020-2021, over 60% of students met criteria for mental health problems. They’re young, reckless, and easy targets for cybercriminals.

Combine this psychological fragility with the university keeping sensitive data about them, and you’ve got a recipe for disaster.

Just ask Knox College. In late 2022, ransomware hit the establishment. The cybercriminals turned their demands to individual students, threatening to make public their psychological assessments and medical records. Victims launched a class-action lawsuit against the college in response to the privacy violation.

And that's when the students themselves are not the ones attacking the universities...

Students attack Universities for Fun and Cheating All the Time

A friend, who is not the same person from the previous anecdote, once told me that some campuses' IT teams had "given up" monitoring the networks due to excessive hacking activity. Students were trying so hard to break into their systems that attacks had become everyday noise!

Greeks took it to another level. An individual launched a denial of service attack against the national high school test infrastructure. In the past, students would use fake bomb alerts to delay an exam they hadn't studied for. Now, it's cyberattacks.

As a matter of fact, education is the only sector that has breaches caused by "fun" in the DBIR.

Another reason IT teams might have given up on such attacks? How about underfunding? See...

Identity and Access Management is Beyond Scaling Capabilities

Cybersecurity firm Netwrix recently released a depressing study about the state of security in Education. Netwrix pointed out accounts management as the biggest problem that universities must grapple with. It makes sense. Students come and go every year. Most employees such as research assistants are contractors. Alumni keep ties.

Respondents to the study were unanimous evaluating identity and access management as their top priority. Now, Netwrix does sell an access management solution, so take these with a spoonful of salt. Yet, based on my experience as an IAM nerd, universities do seem to deal with a higher identity complexity than most sectors I've seen.

And of course, they lack the tools to manage them...

Universities Lag Behind In Modern Technologies

Here's the most alarming statistic of this whole article. Look at this:

Education ranks dead last in IT spending. How can you end up behind retail, which notoriously has the thinnest margins?

How does this translate? Let's look back at the Netwrix report, which confirms education mostly relies on "on-premises" infrastructure and lags on cloud adoption. Still thinking the cloud is just "someone else's computer"? Well, education ain't patching its systems so they'd better go to the cloud if you ask me... 75% of user account compromises affect on-premises systems in education, vs. 48% in the other sectors. Malware was over twice as likely to infect universities' on-premises systems versus cloud-based ones.

The Solution Starts With Funding... But it Won't be Easy

The problem we're looking at is:

• A complex, vulnerable population, which comes and goes frequently;
• An institution's IT infrastructure is involved in much more than conventional education services;
• A landscape facing unique threats such as nation states spies and "for fun" hackers;
• Senior management having tunnel vision on research rather than said services (ok, maybe more my opinion than a fact, I admit it) and;
• Chronic underfunding of IT estate.

I remember my days writing for the campus newspaper. Whether you were looking the union, senior management, a student, or a professor, one truth unified them: the hatred for "administrative" duties. Guess where IT budgets land? Administrative as it gets.

Based on:

• the level of complexity;
• the lack of resources;
• the risk to individual's fundamental rights;
• the risk to economic prosperity;

I believe states should allocate public funds to education institutions to improve their IT ecosystem with a focus on cybersecurity. I just don't see any other way for them to get on top of this crisis.

How about you? Do you agree? Let me know in the comments!