The enduring cyber threat to higher education: what next?

Over the last few years, the higher education sector has become one of the most targeted - and arguably least resilient - sectors when it comes to facing modern cyber threats.

June 2023 was no different, with a number of major higher education institutions globally hit by a wave of disruptive cyber incidents.

On June 9, the University of Manchester announced it was the ‘victim of a cyber incident’ , with attackers gaining and exfiltrating sensitive data from the university’s network. This followed an attack just days before on Aix-Marseille, France’s largest university, causing major disruption to key systems and educational services.

The following week in the U.S., Johns Hopkins University and the University of Georgia also announced that they were impacted by the recent MOVEit vulnerability, with personal information of staff and students likely compromised.

Easy pickings and long-term reputational damages

Today, many academic institutions are considered 'low-hanging fruit' for cybercriminals, with vast attack surfaces across campuses and poor cyber hygiene amongst staff and students, meaning that they are often targets of increasingly sophisticated forms of social engineering, phishing and malware attacks. Since the pandemic, universities have also found themselves besieged by disruptive ransomware and DDoS attacks, which not only paralyse vital IT systems and educational services, but can also bring significant financial and reputational damages as a result.

In the aftermath of the attack against the University of Manchester, it was revealed that hackers had not only gained access to the personal information of thousands of staff and students, but had also gained access to over 1 million NHS patient records. The records, which had been collected by the University for ongoing academic research, included individual NHS numbers, (partial) patient postcodes, and sensitive reports relating to major trauma patients and victims of terrorist attacks.

With the true ramifications of the attack unclear – the University of Manchester state they are now working with external experts to resolve the incident (likely to include the UK’s National Cyber Security Centre - NCSC) – the incident is a clear demonstration (and warning) to other higher education institutions of their potential exposure to ongoing cybercriminal activity. But it also highlights how catastrophic – and collateral – the impacts of a data breach may be from a financial, legal and reputational perspective.

Regarding the incident at the University of Manchester, there is now a possible threat of triple extortion from the attackers – first, holding the University itself to ransom over the publication of such data, before then directing their attention towards the NHS and the University’s own staff and students.

Beyond the obvious legal and financial headaches this creates, attacks of this nature also present an outsized threat to a university’s reputation. With many institutions heavily reliant on strategic partnerships with the private sector and other academic institutions for sources of funding and collaborative research, the longer term impact for institutions hit by such attacks may be to see partnerships and academic collaborations weaken and, worse, dry up altogether.

In other words, following a catastrophic data breach that sees sensitive research data and IP potentially exposed, could companies and other academic institutions begin to reevaluate their relationships with impacted institutions and seek new partnerships (and greater security guarantees) elsewhere?

Beyond the obvious reputational risk and damage this can cause, the financial impact from loss of funding and any potential future partnerships (on top of other financial penalties from regulators) will likely be devastating to any university’s balance sheet.

The growing threat of cyber espionage

Another evolving area of risk for the higher education sector relates to the growing threat of espionage and hostile state activity targeting academia.

With many universities across North America and Europe often at forefront of breakthrough scientific research, they also increasingly find themselves the victims of foreign and state-sponsored espionage efforts with valuable research and IP the main target. Whilst such threats can likely be dated back to a Cold War era, recent geopolitical events and ongoing ambivalent U.S.-China relations have meant that the discourse around state-sponsored espionage and the threat to Western universities have heightened once again.

At the peak of the U.S.-China trade war in 2020, President Trump issued an executive order preventing postgraduate Chinese students affiliated with China’s “military-civil fusion” from working or studying within the US, whilst recently drafted legislation in states such as Texas and Ohio could see bans on strategic partnerships between U.S. and Chinese institutions, and potentially even prohibiting students from China, Iran, North Korea and Russia altogether.

Similar anxieties have been shared in Australia and the UK, with the latter recently announcing the formation of RCAT (the Research Collaboration Advice Team), as a means of offering confidential security advice to universities and individual academics around the possible risks associated with cyber security and the protection of research IP.

Of course, the espionage threat is not simply consigned to the threat of individual students and/or researchers conducting clandestine operations on behalf of a hostile state (as seen recently at Norway’s Arctic University), but universities must now also face up to the increasing espionage threat posed from afar by cybercriminal and state-sponsored APT groups and threat actors.

Indeed, whilst national security services increasingly warn of the campus-based threat posed by students and academic researchers, are many of our higher education institutions resilient enough to defend and deter ongoing cybercriminal and state-sponsored espionage activity against their networks?

As recent attacks on universities show, there may be a long road and bumpy road ahead.

Little incentive or left out to dry?

With attacks on the higher education sector showing no signs of abating any time soon, how might universities and other higher education institutions become more resilient in the face of increasing cybercriminal and state-sponsored cyber activity in the future?

Whilst the easy answer may be to say ‘invest more in cyber’, this does little to address some of the more systemic and systematic issues the sector faces more generally – from meagre financial resourcing and senior leader buy-in, to the poor cyber hygiene and security awareness engendered by the very nature and design of the modern university ecosystem itself.

With most universities often sitting within an unhelpful grey zone between being part-public institution, part-business, and (as the pandemic demonstrated) part-critical national infrastructure, it could well be argued that many find themselves rudderless and lack any kind of incentivisation to improve their cyber posture – until, of course, they are impacted by an incident themselves.

In a UK context, does the recent attack against the University of Manchester, as well as incidents at universities in Newcastle, Sunderland, Northampton, Hertfordshire and Portsmouth, also raise the question of whether such institutions should be brought further into the purview of the state and NCSC?

Doing so could not only bring tangible benefits in terms of moving institutions towards shared security goals such as Cyber Essentials certification*, but could also be the tacit admission needed to align the security requirements of higher education institutions with other areas of critical national infrastructure.

Today, the higher education sector has become more dependent than ever on the provision of its digital services, infrastructure and data to function on a day-to-day basis. The growing interdependency of its various institutions, service providers and strategic partnerships means that the sectors’ attack surface and risk profile has never been bigger.

As custodians of sensitive data and IP – not just for staff and students, but for external business and public institutions too – universities and other higher education institutions now face a huge responsibility in remaining resilient to the plethora of modern-day cyber threats they now face. Does the sector have the right tools and support in place to meet the challenge?

‍

^{*It is important to note that many higher education institutions in the UK find it difficult to achieve wholesale Cyber Essentials and Cyber Essentials+ certification due, in part, to security requirements around Bring Your Own Device (BYOD). Beyond simply achieving Cyber Essentials certification for a sub-set scope of the institution (as many are now doing), recent events perhaps now point to the need for a bespoke certification level for universities – taking into account their complex and distinctive ecosystem in comparison to other public and private institutions.}