A recent cyberattack at Penn State by Chinese hackers may be part of a much broader attempt to steal intellectual property at universities nationwide.
In May, the College of Engineering at Penn State shut down its network for several days in response to a cyberattack, making it the latest in a long line of higher education institutions to suffer network breaches in recent years. But this particular attack may not be over. In fact, the Penn State incident is likely just the tip of an ongoing espionage effort to infiltrate similar schools nationwide, according to Ken Westin, senior security analyst at Tripwire, an Oregon-based cybersecurity company.
“It doesn’t look as if Penn State initially detected this attack itself—it was actually notified by the FBI,” said Westin. “That’s usually a sign that the attack is part of a larger campaign that has been detected.”
According to a statement released by Penn State, a Chinese hacking group is behind one of two known attacks at the university. Eric Barron, president of Penn State, described the group’s activities as typical of “well-funded and highly skilled cybercriminals…in search of sensitive information and intellectual property.”
If that’s the case, colleges and universities nationwide should assume that they too are in the hackers’ crosshairs. “It’s very rare that a group is going to target one particular institution,” said Westin. “Usually, they will target an entire industry or a network looking for intellectual property. If they’re going after Engineering at Penn State, odds are it’s part of a larger campaign targeting similar departments and groups in higher education.”
Indeed, Westin believes that the FBI is already working with other institutions that have been breached. Considering the initial intrusion at Penn State dates back to September 2012, the hackers may have spent years developing cyberattacks elsewhere.
In fact, it’s important that institutions not be lulled into thinking this was an isolated attack simply because Penn State is the only school to have announced a breach. For obvious reasons, schools want to protect their brands. A lot of the work at research universities involves private-public partnerships that could be damaged by perceptions that a school does a poor job of protecting IP. In the case of Penn State, some of the stolen data included personally identifiable information (PII), so the school’s hand was forced: The law requires it to notify anyone whose information has been compromised.
If PII is not involved, however, schools can keep mum. “If it were intellectual property or if it were unrelated to information such as a social security number or a credit card number, then schools wouldn’t necessarily have to tell the press that a compromise occurred,” explained Westin.
Another reason for universities to keep silent about an attack sounds more Le Carre than College Park: It allows schools and authorities to monitor the attackers without alerting them that the jig is up. “That’s definitely a possibility,” said Westin, who noted that Penn State waited six months to go public for that very reason. “If you’re able to cordon off parts of the network or ensure that your data isn’t completely compromised, you can have that intrusive function as a honey pot, and you can learn more about some of the tools and techniques that the hackers are utilizing.”
Vulnerable to attack
Before a university can take action, though, it has to know that a breach has occurred in the first place. Unfortunately, many schools are unprepared to stop an intrusion—or detect it after it has occurred—making higher education an inviting target.
“Financial services companies and banks allocate a lot of resources to private security, but higher education doesn’t necessarily have those resources available to them,” said Westin, who fears that some of the Chinese attacks on higher education have not yet been detected by the FBI. “Universities don’t have the ability to pay the higher salaries for experienced security folks. In general, I don’t think their IT programs are quite as sophisticated.”
The culture of higher education also makes it difficult for IT to impose the kind of security discipline that is often required in the corporate world. “First of all, a lot of universities don’t think they are targeted,” said Westin. “And it can be really difficult telling professors what to do—there’s sort of a do-it-yourself security mentality that can actually put your network at a bit more risk.”
While the attack on the College of Engineering was undeniably sophisticated, higher education’s reputation for lax security attracts wannabe hackers, too. “For a lot of espionage groups, higher education is usually their training grounds, where they may work with some of their younger or more junior hackers,” said Westin. “Higher education networks are usually a lot easier to penetrate, and there’s less likely to be blow-back if a school is somehow able to reveal an IP address.”
Improving network security
The good news is that a first-rate cyber-security program on campus doesn’t have to cost a fortune. “A little bit of effort can make you a lot more secure,” said Westin, who believes that spending on security measures follows the law of diminishing returns. “There comes a certain point where throwing money at the problem is only going to make you incrementally more secure.”
The most important step is to put the right security policies in place and follow them. For many schools—particularly smaller institutions—outsourcing certain services can also improve their security posture. “If schools outsource websites and other services like that, a third party will manage security for them, handling patching of the web server and so on,” explained Westin.
Westin also encourages schools to review the security frameworks available from organizations such as the Center for Internet Security and the National Institute of Standards and Technology. “That’s a really good place for IT organizations to start,” he added. “They offer an executive brief that covers some of the top things they should focus on in a security program.”
And, given the prevalence of research partnerships between universities and corporations today, any security review must encompass the entire “attack surface,” in the parlance of cybersecurity. “It’s really important to look at the third-party venues and partnerships—how networks are connected and who might have information on the network,” said Westin. “There is a huge risk, not just for the university but also for those companies doing business with it.”
Ultimately, though, Westin believes higher education needs to learn how to communicate better about the joint threats universities now face. As a model, he points to FS-ISAC, an information-sharing group developed by the financial services sector to disseminate information about global security threats.
“Universities could actually exchange information about attacks they are seeing on their networks,” he said about the possibility of a similar higher education group. “They may find some common tools or IPs are being used in an attack that indicate it’s part of a larger campaign—that can help the FBI and law enforcement. It’s something they could even get their students involved with.”
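To make concrete what an exchange of that kind can surface, here is an added illustration (it is not code from the article, from Penn State, or from Tripwire): a short Python script that takes indicator reports from several campuses and lists the indicators that more than one of them has seen. Overlap of the same IP or tool across otherwise unrelated networks is the kind of signal that points to one campaign rather than isolated incidents. The institution names, the IP addresses (drawn from documentation ranges) and the tool labels are all constructed sample values, not real observations.

```python
"""Cross-institution indicator overlap check (added illustration).

Each report below is a constructed, hypothetical set of indicators
(IP addresses and tool labels) that a campus security team might share
with its peers. Institution names are placeholders, not real schools.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample reports: institution -> indicators observed on its network.
# Every value here is made up for illustration; the IPs are documentation ranges.
SAMPLE_REPORTS: Dict[str, Set[str]] = {
    "university-a": {"198.51.100.23", "203.0.113.7", "tool:webshell-x", "192.0.2.44"},
    "university-b": {"198.51.100.23", "tool:webshell-x", "192.0.2.90"},
    "university-c": {"203.0.113.7", "198.51.100.23", "tool:rat-y"},
    "university-d": {"192.0.2.91"},
}


def indicator_sightings(reports: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Invert the reports: indicator -> sorted list of institutions that saw it."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for institution, indicators in reports.items():
        for ioc in indicators:
            seen[ioc].append(institution)
    return {ioc: sorted(insts) for ioc, insts in seen.items()}


def shared_indicators(
    reports: Dict[str, Set[str]], min_sources: int = 2
) -> List[Tuple[str, List[str]]]:
    """Return indicators reported by at least `min_sources` institutions,
    most widely seen first (ties broken by indicator text).

    A single campus seeing an IP tells it little; the same IP showing up on
    several campuses is the campaign-level signal the article describes.
    """
    sightings = indicator_sightings(reports)
    shared = {ioc: insts for ioc, insts in sightings.items() if len(insts) >= min_sources}
    return sorted(shared.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def campaign_members(reports: Dict[str, Set[str]], min_sources: int = 2) -> List[str]:
    """Institutions that share at least one indicator with enough peers
    to clear the threshold; the rest may still be compromised, but the
    shared data alone does not tie them to the same activity."""
    members: Set[str] = set()
    for _ioc, insts in shared_indicators(reports, min_sources):
        members.update(insts)
    return sorted(members)


if __name__ == "__main__":
    for ioc, insts in shared_indicators(SAMPLE_REPORTS):
        print(f"{ioc:20} seen by {len(insts)} institutions: {', '.join(insts)}")
    print("likely part of one campaign:", ", ".join(campaign_members(SAMPLE_REPORTS)))
```

The threshold is the knob worth thinking about in practice: at two sources a widely shared scanner IP will match as readily as a targeted tool, so a real exchange would weigh indicators by how specific they are before anyone reads a match as evidence of a campaign.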
Andrew Barbour is a contributing editor with eCampus News.