On Red Alert

U.S. universities urged to step up cybersecurity protections after report reveals Chinese hackers attempted to steal military secrets from dozens of institutions.

March 6, 2019
 
iStock

Chinese hackers are ramping up their efforts to steal military research secrets from U.S. universities, new cybersecurity intelligence suggests.

The Massachusetts Institute of Technology, the University of Hawaii, Pennsylvania State University, Duke University and the University of Washington are among 27 institutions in the U.S., Canada and Southeast Asia to be targeted by Chinese hackers, The Wall Street Journal reported Tuesday.

The Chinese hackers targeted institutions and researchers with expertise in undersea technology as part of a coordinated cybercampaign that began in April 2017. Some of the institutions mentioned above may have been compromised in the attacks, though none have confirmed this publicly.

Cybersecurity intelligence company iDefense, which conducted the research, is due to publish a report on its findings later this week. Inside Higher Ed has not viewed the report.

China is not the first country to target U.S. universities with a coordinated cybercampaign. Last year nine Iranian hackers were charged for their role in a phishing scam that ran from 2013 to 2017 and attempted to steal the passwords of hundreds of thousands of professors.

Ravi Pendse, chief information officer at the University of Michigan, said he was not surprised to hear about the Chinese cyberattacks. "This has been going on for a while. The national state actors might change. But work going on at U.S. institutions will always be of interest to someone," he said.

Cybersecurity breaches at U.S. universities are not symptomatic of universities being slow to ramp up protections, said Pendse. “We might not want to brag about what we’re doing publicly, but there is a lot of work and collaboration that goes on.” The problem is the speed with which technology is evolving, he said. Large organizations, even multinational corporations with big security budgets, “find it difficult to keep up.”

There are, however, some steps that institutions can take to make themselves safer, said Pendse. He stressed that it takes “an entire institution working collaboratively to keep us safe.”

Katelyn Ilkani, vice president for cybersecurity research at the Tambellini Group, a technology consulting company, said that research documents can be vulnerable to cyberattack because research repositories are “often outside the purview of the office of information technology.”

“Academic research contains institutional assets that must be safeguarded against bad actors,” said Ilkani. In order to safeguard that information, researchers need to view technology administrators as strategic partners, she said. 

Sean Koessel, vice president for cybersecurity company Volexity, agreed that often information security staff have “no--or very little--visibility” into research projects at universities – making their job extremely difficult.  

“Universities could benefit from the creation of working groups that would include department heads and key information security staff," said Koessel. “Taking this kind of proactive approach would help ensure that some level of basic security is implemented for research deemed high visibility or critical."

It is not just scientific, medical or defense research that is being targeted by hackers. Volexity has observed that academics that work on public policy matters, nuclear issues, and economic forecasting are also frequently “in the crosshairs of foreign actors,” said Koessel.

“It would be very difficult for any organization to fully prevent a well-funded, nation-state level attacker from gaining some level of access,” said Koessel. “Focusing solely on prevention is a losing proposition. Instead, universities need to add additional focus on early detection and response.” 

Sylvester Segura, threat analyst at Symantec, said via email, "Universities have a challenge in that they need to defend against multiple types of threats such as spam, phishing and ransomware, whereas targeted attack groups can be hyperfocused and devote all their resources to attacking a small number of targets. The good news is that targeted attack groups often have specific patterns and techniques that they use, so having technology to detect this type of patterned activity can help an organization protect itself."

Bradley C. Wheeler, chief information officer of Indiana University, offered several tips for researchers trying to protect themselves.

"First, reduce the number of unique devices," he said. "Researchers should assess if their work can be done on cloud or university systems. Second, no one should do their daily work in an account that has administrator privileges -- have a second account when you need to specifically log in for admin work. Third, use multifactor authentication for log-in to systems."

For universities, he had this advice: "Universities must rebalance personal preferences in how technology is used and managed with policies and procedures that effectively mitigate institutional risk. One of the greatest risks is that many institutions have extremely limited to no real insight regarding the depth of their security risks in schools, departments and labs. They can range from exceptionally well-managed servers and devices to those that are compromised or unpatchable."

It is "just inevitable" that research universities will be targets, Wheeler said. "The open culture of universities make us an enduring target."

Read more by

Be the first to know.
Get our free daily newsletter.

 

 
+ -

Expand commentsHide comments  —   Join the conversation!

Inside Digital Learning Articles

Today’s News from Inside Higher Ed

Inside Higher Ed’s Quick Takes

Back to Top