Everybody is talking about the need to train more cybersecurity specialists and invest heavily in research and development related to cryptography, machine learning and AI–all necessary ingredients in cutting edge cybersecurity systems. Academia is destined to play a crucial role in this effort, both in training the next generation of scientists and cybersecurity professionals, and in developing new technologies to fight cyber crime.
Israel’s Ben-Gurion University and Germany’s Fraunhofer Institute, for example, are renowned both for their theoretical research and for spinning off (or incubating) cybersecurity startups to commercialize such technologies.
But a lesser known fact is that academia is also a very lucrative target for cyber criminals, nation-state hackers and cyberpunks. More than 1,150 intrusions into UK university networks were recorded in 2016-17, and universities all around the world are experiencing similar attacks. But why are academic institutions being targeted, and by whom?
The Academic Security Catch
Universities are large, IT-heavy organizations housing tens of thousands of employees, students and contractors, most of whom require some access to their networks. Universities also hold an array of information that is of interest to hackers, such as personal information on employees and students, including payment details, bank accounts, personally identifiable information (PII), academic scores and more. These institutions handle large sums of money as well, including admission fees, payroll, R&D, and ongoing budget.
Most importantly, universities have intellectual property–the holy grail of every nation-state hacker. Former NSA chief Gen. Keith Alexander famously stated that cybercrime constitutes the “greatest transfer of wealth in history.” Although he was referring to Chinese state-sponsored hackers stealing the trade and IP secrets of US corporations, the statement is equally relevant for academic research, which is often closely linked to the defense, high tech and semiconductor industries.
In addition to IP theft, universities are easy prey for fraudsters and ransomware. Handling large amounts of data and funds, they are often scammed by phishing and business email compromise (BEC) schemes. And because universities have large staffs processing massive amounts of internal and external communication (mostly via email), they often fall prey to ransomware, crippling their IT systems and requiring them to use expensive backup and recovery services.
They are also vulnerable to DDoS attacks, which can seriously impair their ability to conduct academic research and communicate with employees and students. Some universities also require the use of an internal email system and IT systems for taking exams and submitting research papers, a capability that would be seriously impaired by a DDoS attack.
Plus, the universities themselves are not the only victims of cybercrime; their students–young and generally less aware of cyber threats–are also prime targets for cyber theft, identity theft and fraud schemes.
Are Universities Really that Different from Other Organizations?
Most of the factors mentioned above are actually true for any medium or large organization in the western world. But there are some peculiarities of the academic world that set universities apart, and not in a good way:
Need for Openness
Academia has long prided itself on openness and the sharing of information.
Unfortunately, academic freedom comes with a price: security is much more difficult when you need to have a “no borders” policy. For instance, commercial enterprises can decide to block their employees from accessing certain websites (gambling, porn, etc.). But academic researchers need to have access to these sites, so most universities impose very lax (if any) restrictions on web browsing.
In addition, with thousands of employees and tens of thousands of students all accessing the web, sending and receiving information constantly, it becomes extremely difficult to identify attacks, since attackers usually exfiltrate information in small chunks over time and that traffic blends into the normal volume.
Lack of Regulation
Universities are not regulated in the same way that critical infrastructure or financial institutions are. As such, they employ security measures according to industry best practices, rather than following more stringent, binding regulatory requirements (such as the demand to block certain IP addresses, consume threat intelligence or isolate users from the web).
This is not the case with state or defense industry-affiliated research facilities, but these are a minority among academic institutions. Most do the bare minimum in terms of security, just like most private citizens and commercial entities do.
Lack of Awareness and Funds
Universities tend to invest most of their resources into academic research, facilities and student/staff well-being. Since universities are not especially security-minded, small IT staffs are forced to handle large-scale security operations with very limited means.