The UK’s National Cyber Security Centre announced in March that it would provide additional support and guidance for education establishments following increasing numbers of ransomware attacks that have led to “loss of student coursework, school financial records, as well as data relating to Covid-19 testing”.
“This is a growing threat and we strongly encourage schools, colleges, and universities to act on our guidance and help ensure their students can continue their education uninterrupted,” says Paul Chichester, director of operations at the NCSC.
While the NCSC declined to say how many cases they were currently investigating, their website noted that they had dealt with “a significant increase in the number of attacks since late February”.
Universities Under Attack
Among the most recent victims are the likes of Northampton University, Queen’s University Belfast – which was named as one of the UK’s first Academic Centres of Excellence in Cyber Security Education just a couple of weeks before – the University of Central Lancashire, and the University of Highlands and Islands.
Universities that The PIE News spoke with that were known to have been hacked were reluctant to share details of exactly what had happened and whether the attackers had demanded ransoms. Several noted that as far as they were aware, data had not been breached, although in some cases their systems remain affected even months later.
“Since 13 December 2020 we have dealt with a malicious cyber incident on our IT systems,” a spokesperson for LSBU told The PIE.
“The cyber experts we are working with have confirmed their belief that this was an attack on LSBU by sophisticated cybercriminals, seeking to disrupt our institution.”
Quite why disrupting an institution would be the main motivation for cybercriminals isn’t intuitive and the inability of universities to be able to say with any certainty whether data has been obtained is worrying, particularly given that there is precedence for this sort of information being hidden from the public.
“It is up to individual universities or colleges how much information to reveal, and there’s a balance to be struck here”
“It is up to individual universities or colleges how much information to reveal, and there’s a balance to be struck here,” explains John Chapman, Jisc’s head of cyber defence.
“Intelligence can be extremely useful in preventing and mitigating cyber attacks, but sharing certain details publicly could provide cyber criminals with information they can use to launch attacks, or increase their chances of successful attacks.”
Yet the response from UK institutions is somewhat out of step with approaches abroad, where some have come to see sharing information as essential in the fight against cybercrime.
In the lead up to Christmas 2019 Maastricht University in The Netherlands detected an attack that rendered normal functioning of the university impossible, and it was left with a terrible choice.
“The biggest question we were faced with was: what to do with the ransom demands of the ‘cyber attackers’? We thought about that question very thoroughly. We certainly did not decide anything overnight,” said university vice-president Nick Bos during a UM Symposium discussing the events.
“The biggest question we were faced with was: what to do with the ransom demands of the ‘cyber attackers’?”
“In this devil’s bargain, the university had to make an extremely difficult trade-off between two important social interests… Faced with this dilemma, the university administration ultimately made an independent decision that was entirely focused on the interests of students, staff and the institution: acquiring the decryptor.”
According to Reuters, the university paid out €200,000 in Bitcoin for the decryptor. The same decision has also ultimately been made by the likes of the University of California, San Francisco and Blackbaud, which had several universities among its clients.
But whereas UK universities are reluctant to admit they have even been the victim of an attack, Maastricht University’s response was the opposite: it published a 47-page report about its experience, even holding a symposium that “provided insight into what actually happened, and addressed broader cyber-related issues such as digital security in the public sector”.
“By publishing the report, this response and the results of follow-up research, Maastricht University wants to play its part in increasing digital security,” it noted.
“In the increasingly intensive fight against cyber insecurity, UM regards this as its social duty.”
Several universities in the US have also taken to making logs of their fight against attacks available and notifying the public about actions to rectify the damage done by attacks.
“Many organisations still fear reputational damage from a cyber incident and choose to stay as quiet as possible, while releasing as little information about the incident as they can. I believe this is an antiquated way of thinking,” argues Erich Kron, security awareness advocate at KnowBe4.
“Many organisations still fear reputational damage from a cyber incident and choose to stay as quiet as possible”
“Let’s face it, data breaches can happen to any organisations, large or small, but in the modern world, it is how they respond that makes the difference in maintaining trust and ultimately the business relationships with their customers.”
Kron suggests that for organisations to maintain or regain trust, they need to explain what happened, what was compromised, how they will keep it from happening again and what individuals can do to protect themselves from future harm.
“Organisations may even benefit from setting up a temporary call centre to answer questions from the individuals whose data has been compromised,” he suggests.
“These steps, while requiring some effort, make a public statement about an organisation’s commitment to security and their customers and the candour in the reporting can help ease the customers’ uneasiness in continuing a relationship with that organisation.”