- Select a language for the TTS:
- UK English Female
- UK English Male
- US English Female
- US English Male
- Australian Female
- Australian Male
- Language selected: (auto detect) - EN
Play all audios:
The cyber security practices of Australian universities are in the spotlight after the Australian National University (ANU) reported last week it had been the target of a serious attack.
Hackers – reportedly based in China – infiltrated ANU’s networks some time last year and have proven difficult to remove. According to the Australian Cyber Security Centre’s 2017 Threat
Report: > Targeting of the networks of Australian universities continues to > increase. Universities are an attractive target given their research > across a range of fields and the
intellectual property this research > is likely to generate. Anecdotal information suggests university performance in cyber security is quite weak. The problem is not widely studied by
scholars. But there are things they can do to improve. It’s important that they do because university networks hold important intellectual property data; sensitive political, business, and
social data from background interviews and surveys; and valuable personal information about students who go on to become political, business and national security leaders.
------------------------- _ READ MORE: IS COUNTER-ATTACK JUSTIFIED AGAINST A STATE-SPONSORED CYBER ATTACK? IT'S A LEGAL GREY AREA _ ------------------------- THIS IS A GLOBAL PROBLEM
Cyber attacks targeting universities aren’t limited to Australia. Chinese universities were among the major victims of a global ransomware attack involving the Wannacry malware in 2017. The
attack, which locked up user files and demanded a ransom, came just on the eve of submission of final theses for the academic year in Chinese universities. Social media reporting suggests
the disruption was serious. Indeed, universities figure rather prominently as victims of cyber attacks in China. In 2016, according to a Chinese study, the country’s universities accounted
for the highest proportion (40%) of targets of the most serious form of threat. Known as Advanced Persistent Threat (APT), this form of attack is usually associated with government
intelligence or military agencies. My own work suggests that in general the institutions targeted had bad security practices – either by not installing software updates on the day of issue
or by using pirated software. BETTER REPORTING IS REQUIRED So how good are Australian universities at cyber security? There is scant public evidence assessing the cyber security practices of
Australian universities so it’s hard to say. According to a senior official of a small regional university who I spoke to last month, his institution simply has not been equipped, staffed
or funded in the past to engage with the challenge. What about the country’s top universities? To answer this, some consistent and public reporting on security incidents would be required.
If we had information on the size of security staffs, the type of outsourced security arrangements, and the total annual budget for cyber security in our universities we could make a
reasonable judgement. These types of data are difficult to find, but we can make judgements in other ways. First and most simply, do universities utilise two-factor authentication? Do they
prohibit staff and visitors from bringing their own devices and USBs? Most Australian universities probably fail these two basic tests. ------------------------- _ READ MORE: HOW SUPPLIERS
OF EVERYDAY DEVICES MAKE YOU VULNERABLE TO CYBER ATTACK – AND WHAT TO DO ABOUT IT _ ------------------------- Second, since most Australian universities don’t insist on mandatory training in
simple security measures, such as how to avoid “phishing” emails that carry malware, we can assume serious vulnerabilities exist. In 2018, the University of New England released a
comprehensive three-year information security plan. It is an impressive assessment of the threats, risks and challenges for the university – and it updated a previous plan for 2015-17. The
scale of the challenge is well captured by one sentence in its executive summary: > …yesterday’s security defenses are not effective against > today’s rapidly evolving threats. Not all
Australian universities have such an easily accessible and comprehensive plan. WHAT IS TO BE DONE? Mature organisations in the corporate world do not leave cyber security management in the
hands of the information technology managers. Rather they place responsibility in the department of risk management, directly under the CEO or Board of Directors. One reason is that cyber
security is a socio-technical problem, not just a technology problem. There is an additional option uniquely available to universities: to ensure that those who manage security of networks
and data work closely with those who research and study the same problem. This happens in Oxford University, where the academic staff in the field are seen as part of the solution. Oxford
convenes a monthly meeting of its Information Security Special Interest Group (SIG) and its members help manage the university’s annual baseline cyber security assessment.
------------------------- _ READ MORE: DETERRING CYBER ATTACKS: OLD PROBLEMS, NEW SOLUTIONS _ ------------------------- Oxford also has its own Computer Emergency Response Team (CERT), a
type of organisation used globally, though often only at the national level, to manage certain aspects of cyber security. The CERT is developing the university’s own security analytics
platform (SAVANT). In December, the Canadian universities and colleges association issued a workshop report on what their member institutions needed to do to address this problem. It
advocated, among many other steps, a national university-based cyber security network. Participation in a shared Australian network of this kind will be the only solution available to
Australia’s smaller universities with low security capability, but also an essential component of the cyber security work for our largest.
