- Cybersecurity is important for every industry, but academia is often overlooked
- Like other sectors, attacks on academic organizations are financially motivated
- Educational environments have wider attack vectors
Whether it’s the 3 billion users affected by the 2013-2014 Yahoo attack or Russian hackers gathering political information, cybersecurity is frequently in the news. While most stories focus on consumer, corporate, or government breaches, there’s one area that’s often overlooked.
Attacks directed at higher-education and research institutions aren’t as common as those meant for retail and healthcare, but they do happen. What’s more, comparing academic and corporate breaches can teach us a lot about how cybercriminals think and what they really want.
It’s all about the money
The majority of hackers are motivated by cold, hard cash. According to the Verizon 2018 Data Breach Investigations Report (DBIR), 76% of breaches across all industries were financially motivated. Kim Milford, executive director of the Research Education Networking Information Sharing & Analysis Center (REN-ISAC) at Indiana University, agrees that this is the biggest issue facing academic cybersecurity.
“Academic breaches are almost always financial,” Milford says. “If it’s research, they’re looking for intellectual property. And health records are the biggest market right now for identity theft.”
To make matters worse, cleaning up the mess after an academic breach isn’t easy. According to Milford, it can take months before a breach is detected. This isn’t specific to the academic sector, as Verizon’s DBIR reports that 68% of breaches took “months or longer” to be discovered. This gives a hacker ample time to get what she needs and cover her tracks before anyone notices.
Investigating a breach and restoring a secure environment isn’t cheap, but academic institutions can have a hard time tracking exact numbers. Milford explains that there are two major reasons for this.
“First, a lot of these costs are hidden costs until an incident happens, and then you’re putting out fires as quickly as you can,” Milford says. “Secondly, the responsibility for prevention or protection is spread out so broadly in any large organization. Everyone has to take responsibility for it. So, how does the university know that I’m taking the time to protect my credentials?”
Although much of the threat landscape is similar to that affecting major corporations, cybersecurity is handled differently at the academic level. The most prevalant vulnerability is one of the most important assets of education: easily-accessible information.
“The biggest difference is that we in academic and university settings have more end-points visible to the outside world,” says Milford. “So whereas a private corporation might have a fairly rigid firewall with very few public IP addresses and very few exposures to the public internet, we don't do business that way.”
“For instance, the geology department can't just use a central university website. They need their own website. Their work is independent, they probably have actual research going on external to their website, or to the university website. So they need to maintain that external presence.”
University cybersecurity professionals have one more unique attack vector to consider: supercomputers. Hackers want access to these high-performance machines to mine cryptocurrency.
While some private companies do own supercomputers, cryptocurrency hacking generally involves academic or high-end research computers. One Harvard student used the school’s Odyssey supercomputer to mine Dogecoin, while Russian engineers at the Federal Nuclear Center in Sarov were caught mining bitcoin with the physics research organization’s machine.
Academic institutions possess a goldmine of computing resources and data. And they have a responsibility to their students, staff, and their legacy to uphold rigorous standards of information security.
Understanding more today than we did yesterday is mankind’s greatest mission, and an attack on a university is an attack on the pursuit of knowledge. Challenges will continue to arise, but cybersecurity professionals at institutions of higher education are fighting back to secure our knowledge resources and protect the future of discovery and learning.