Why universities - and their research - are the latest target for hackers

What’s so interesting about a university’s data that sends online hackers wild? Is it the latest news on the two-for-one snakebite deals down at the union? The endless recipes for beans á la toast? Or the secret knowledge of how one can make £20 last until the end of next month?

It’s none of the above, unsurprisingly, but cybersecurity experts say that not only are British universities facing hundreds more attacks from unscrupulous hackers each year, but the problem is getting progressively worse.

The reported number of digital breaches at UK institutions - and, crucially, this figure doesn’t include after-deadline attempts to submit essays online - has doubled in the past to years, with 1,152 separate incidents recorded in the academic year 2016-17, according to research compiled by The Times.

Knowledge Hacks

But what are these hackers after? The Times’ survey finds that scientific, engineering and medical research is believed to have been compromised most often.

Universities are naturally reluctant to reveal exactly what sort of materials have been taken, but the newspaper reports that “research into missiles, stealth fabric - used to help disguise military vehicles and weapons- and energy” are thought to be among the targets.

As Carsten Maple, the University of Warwrick’s director of cyber security said at the time, it is certainly possible that those that obtain this information might then “provide that information to a nation state”. Indeed, one institution reported tracing the bulk of its attacks to China, Russia and the Far East.

This certainly matches a similar scene in the USA earlier this year. According to security company Recorded Future, 63 American institutions - made up of prominent universities, alongside federal, state and local US government agencies - were the target of a hacking operation with its routes in Russia, carried out via SQL injection.

Universities drive much of the research and development process that goes forward in the UK, thanks often to their significant funding from the state, international grants and old alumni and host of captive researchers - students, to you and I - with the intellectual property they amass requiring years of preparation, as well as significant financial cost.

Some even reported criminal groups were targeting students’ personal data, with an intention to use it for money laundering, identity theft and even blackmail.

Bolstering defences

Many fear that the data obtained by the Times only represents the tip of a cybercrime iceberg. Way back in March 2016, another Times study found British universities were successfully hacked every hour.

Most universities, says Dave Palmer, director of technology at online security firm Darktrace, have “fundamentally backwards-looking” defenses, and many attacks go completely unnoticed.

Since these attacks, the National Cyber Security Center has said it is “working on the ways that protection might be extended to universities” but, as there is no central system or regulator, each institution was responsible for its own security, the organisation said.

UK universities might need to take a cue from their counterparts abroad, many of whom are beginning to adopt innovative strategies to combat the threat of hacking.

Some are turning to cloud storage solutions in a bid to modernise their systems and make sure they are more eminently protectable. The California State University System, which is made up of 23 separate campuses around the state, has recently signed up to Unisys’ hybrid cloud system. The system’s analytics promise to “detect, prioritize and neutralize cyber threats arising from both external and internal sources”, which sounds useful.

Similarly, Adelaide’s Flinders University is now using Dell’s Boomi iPaas service to manage all of its 26,000 students’ personal data

There are good examples closer to home, yet have yet to leverage the tech to boost security. Reading University, for example, have signed an extensive agreement with Red Hat to provide the “Reading Research Cloud”, allowing access to its data around the Berkshire town. If anything, this sounds less secure than before.

Perhaps a new partnership between Siemens and the University of Sheffield might find a way: the agreement aims to “accelerate digitisation, boost digital skills and promote technology and knowledge”, which sounds promising, but there is no mention of security anywhere in the project’s literature.

It looks like Universities need to up their game, lest they become old, prestigious institutions with even older, legacy security systems that could risk the integrity of their research - let alone the safety of their students.

https://theweek.com/88192/hackers-target-research-from-uk-universities

https://www.itpro.com/hacking/29393/uk-universities-deny-research-data-was-compromised-in-hacks

https://www.computerworld.com/article/3170724/hacker-breached-63-universities-and-government-agencies.html

https://campustechnology.com/articles/2017/09/05/california-state-university-moves-administrative-systems-to-hybrid-cloud.aspx

https://www.zdnet.com/article/flinders-university-turns-to-dell-boomi-for-connected-cloud/