How australian universities can get better at cyber security

The cyber security practices of Australian universities are in the spotlight after the Australian National University (ANU) reported last week it had been the target of a serious attack.

Hackers – reportedly based in China – infiltrated ANU’s networks some time last year and have proven difficult to remove. According to the Australian Cyber Security Centre’s 2017 Threat

Report: > Targeting of the networks of Australian universities continues to > increase. Universities are an attractive target given their research > across a range of fields and the

 intellectual property this research > is likely to generate. Anecdotal information suggests university performance in cyber security is quite weak. The problem is not widely studied by

scholars. But there are things they can do to improve. It’s important that they do because university networks hold important intellectual property data; sensitive political, business, and

social data from background interviews and surveys; and valuable personal information about students who go on to become political, business and national security leaders.

------------------------- _ READ MORE: IS COUNTER-ATTACK JUSTIFIED AGAINST A STATE-SPONSORED CYBER ATTACK? IT'S A LEGAL GREY AREA _ ------------------------- THIS IS A GLOBAL PROBLEM

Cyber attacks targeting universities aren’t limited to Australia. Chinese universities were among the major victims of a global ransomware attack involving the Wannacry malware in 2017. The

attack, which locked up user files and demanded a ransom, came just on the eve of submission of final theses for the academic year in Chinese universities. Social media reporting suggests

the disruption was serious. Indeed, universities figure rather prominently as victims of cyber attacks in China. In 2016, according to a Chinese study, the country’s universities accounted

for the highest proportion (40%) of targets of the most serious form of threat. Known as Advanced Persistent Threat (APT), this form of attack is usually associated with government

intelligence or military agencies. My own work suggests that in general the institutions targeted had bad security practices – either by not installing software updates on the day of issue

or by using pirated software. BETTER REPORTING IS REQUIRED So how good are Australian universities at cyber security? There is scant public evidence assessing the cyber security practices of

Australian universities so it’s hard to say. According to a senior official of a small regional university who I spoke to last month, his institution simply has not been equipped, staffed

or funded in the past to engage with the challenge. What about the country’s top universities? To answer this, some consistent and public reporting on security incidents would be required.

If we had information on the size of security staffs, the type of outsourced security arrangements, and the total annual budget for cyber security in our universities we could make a

reasonable judgement. These types of data are difficult to find, but we can make judgements in other ways. First and most simply, do universities utilise two-factor authentication? Do they

prohibit staff and visitors from bringing their own devices and USBs? Most Australian universities probably fail these two basic tests. ------------------------- _ READ MORE: HOW SUPPLIERS

OF EVERYDAY DEVICES MAKE YOU VULNERABLE TO CYBER ATTACK – AND WHAT TO DO ABOUT IT _ ------------------------- Second, since most Australian universities don’t insist on mandatory training in

simple security measures, such as how to avoid “phishing” emails that carry malware, we can assume serious vulnerabilities exist. In 2018, the University of New England released a

comprehensive three-year information security plan. It is an impressive assessment of the threats, risks and challenges for the university – and it updated a previous plan for 2015-17. The

scale of the challenge is well captured by one sentence in its executive summary: > …yesterday’s security defenses are not effective against > today’s rapidly evolving threats. Not all

Australian universities have such an easily accessible and comprehensive plan. WHAT IS TO BE DONE? Mature organisations in the corporate world do not leave cyber security management in the

hands of the information technology managers. Rather they place responsibility in the department of risk management, directly under the CEO or Board of Directors. One reason is that cyber

security is a socio-technical problem, not just a technology problem. There is an additional option uniquely available to universities: to ensure that those who manage security of networks

and data work closely with those who research and study the same problem. This happens in Oxford University, where the academic staff in the field are seen as part of the solution. Oxford

convenes a monthly meeting of its Information Security Special Interest Group (SIG) and its members help manage the university’s annual baseline cyber security assessment.

------------------------- _ READ MORE: DETERRING CYBER ATTACKS: OLD PROBLEMS, NEW SOLUTIONS _ ------------------------- Oxford also has its own Computer Emergency Response Team (CERT), a

type of organisation used globally, though often only at the national level, to manage certain aspects of cyber security. The CERT is developing the university’s own security analytics

platform (SAVANT). In December, the Canadian universities and colleges association issued a workshop report on what their member institutions needed to do to address this problem. It

advocated, among many other steps, a national university-based cyber security network. Participation in a shared Australian network of this kind will be the only solution available to

Australia’s smaller universities with low security capability, but also an essential component of the cyber security work for our largest.