Universities must create joint cybersecurity teams to protect themselves against ever more sophisticated hacking attempts, according to the vice president of a Dutch university hit by a ransomware attack over Christmas that forced the institution to pay the equivalent of about $226,000 to criminals.
Maastricht University’s Nick Bos said one of the lessons of the attack was that it was increasingly untenable for universities to each rely on their own security systems.
On Christmas Eve last year, Maastricht raised the alarm after hackers took control of servers critical to email and the storage of research results, initially using phishing emails to break in. It took more than a month to restore all systems -- and the payment of 30 Bitcoin to the attackers.
In a report looking at what went wrong and how to stop future attacks, Bos called on universities to join up their security systems, pointing to collaborations already under way in Canada and the U.S.
“It’s not just a question of whether universities can afford it,” he told Times Higher Education. “There is not much choice here; we will have to invest in greater cyberresilience.”
Since the Maastricht attack, Dutch universities have stepped up joint efforts, he said, discussing whether they could collectively monitor their IT networks around the clock, for example. Meanwhile, Dutch health-care institutions are already setting up their own security operations center.
There are concerns that universities make relatively soft targets for cyberattackers, because they host thousands of students using their own laptops, and researchers are used to the open sharing of information.
The Maastricht attack was just one of several to hit European institutions in recent months. Last December, thousands of students at Justus Liebig University Giessen had to queue up to receive new passwords manually after a cyberattack. In October, the University of Antwerp’s email and student information systems were affected in a separate incident.
“There is a real race, even battle, going on with internationally operating cybercriminal organizations,” said Bos, who predicted that universities would have to make “substantial extra investments” in cybersecurity.
Bos pointed to North America, where a number of universities are pioneering collective cybersecurity.
In 2018, Indiana, Northwestern, Purdue and Rutgers Universities and the University of Nebraska formed OmniSOC, a joint cybersecurity center, arguing that individual university systems were not enough to fend off mounting attacks.
The idea is that the center can monitor all university networks at once for suspicious activity, thereby detecting an attack more rapidly. The joint center claims to be the first of its kind.
Six Canadian universities are also trialing a joint security center explicitly modeled on OmniSOC. In 2018, McGill, McMaster and Ryerson Universities, along with the Universities of Alberta, British Columbia and Toronto, formed CanSSOC in response to an “unprecedented” increase in the scale and complexity of threats.
“As a result, the associated scope and costs of successful early prevention, detection and mitigation are unsustainable by one single institution,” the group warned.