Security Threats To The Academic Sector In 2022
Universities face a number of significant security challenges, and it's unfortunately not getting any easier. This article explores the key threats and security drivers for the Australian Higher Education and Academia sector in 2022 and provides resources on how to deal with them.
It has long been known that universities and research organisations attract a significant amount of undesirable interest from would-be threat actors. There are countless movie plots centred around some criminal enterprise or foreign spy agency trying to steal precious secrets from a well-guarded science laboratory to boost their own capability or build some planet-destroying weaponry.
Although the stakes may not be as high as an earth-ending event (well, hopefully not), academic research carries with it the burden of holding cutting-edge information, analysis, and technologies, as well as often having access to closely held data sets and input back into society’s governance, policies, and decision-making. This makes academic research a BIG target.
With this in mind, let’s explore the key security threats to research organisations and facilities in 2022 and some of the main drivers for doing something about it.
Foreign Intelligence Services
Academia is specifically mentioned as a prime target by spies and Foreign Intelligence Services (FIS) throughout the Australian Secret Intelligence Organisation (ASIO) Annual Report 2020-21 and was called out a number of times by the ASIO Director-General of Security, Mike Burgess, in the Director General’s Annual Threat Assessment address.
The report states, “Espionage and foreign interference attempts by multiple countries remain unacceptably high. These attempts occur daily. They are sophisticated and wide-ranging. They are enabled and accelerated by technology. And they take place in every state and territory, targeting all levels of government, as well as industry and academia.”
Foreign spies are tasked to build a detailed understanding of Australia’s trade relationships and capabilities, to steal any valuable information or research that aids their home country, and in extreme cases, to sabotage Australian endeavours and societal cohesion.
When it comes to higher education and academia this involves an intricate mesh of interrelated espionage and sabotage activities. A line from the ASIO Annual Report 2020-21 makes it clear:
“The goal of these foreign powers is to build and leverage community and business relationships to covertly shape decision-making to Australia’s detriment—and they are prepared to invest years of effort to do so”.
Australian universities have already experienced a number of high-profile incidents related to FIS, including:
- Nation-state-sponsored hack of Australian National University (ANU) student data
- Chinese Communist Party (CCP) enlists international student to spy on the Australian Muslim Uighur community
- Human Rights Watch report finds Australian universities failed to protect the academic freedom of Chinese students and academics who did not adhere to CCP views
- “Prisoner X”, a Mossad spy, dies after being outed by an Iranian spy at Monash University
- Students at the University of Technology Sydney harassed and threatened on social media
- Anti-China activist is suspended from the University of Queensland (UQ) in a move that evokes concern about UQ's political motivations
- State-sponsored waves of network scans hit Australian universities in large-scale attempt to identify security vulnerabilities
The above list is by no means exhaustive and represents but a small sample of publicly known FIS-related incidents in the academic sector over the past couple of years. There is undoubtedly a much more significant list of targeted attacks and espionage activities aimed at Australian universities that have either not been publicly disclosed or haven’t yet been discovered.
The discovery aspect is not to be understated. As with any form of security, you can only know what threats you’re facing if you’re actively looking. And, to be frank, most universities in Australia and internationally are simply not looking.
The grim reality is that the vast majority of attacks lined up and waiting to happen are not on universities’ radars until they have already occurred. At that point, the only thing that can be done is damage control, which is often much more expensive, time-consuming, and generally devastating than pre-emptive and preventative measures.
Changes to Security Legislation
On the back of increasing cyber- and FIS-related incidents and events, Australia has recently made significant moves to increase the security of its important industries and services.
December of last year saw the introduction of the Security Legislation Amendment (Critical Infrastructure) Act 2021, which expanded the definition of Critical Infrastructure in Australia and paved the way for a number of flow-on amendments to sector-specific legislation.
The Higher Education and Research sector was named as one of the 11 critical industries that fall under the new critical infrastructure obligations and protections.
As a newly proclaimed critical infrastructure, universities are being put under the security spotlight. We are currently in a grace period where critical industries are expected to get some basic security frameworks and processes in place and, in return, the Australian Signals Directorate (ASD) have committed to help respond to significant disruptions of national concern.
According to the amended Security of Critical Infrastructure Act (SOCI), a critical education asset refers to any university that is owned or operated by an entity that is registered in the Australian university category of the National Register of Higher Education Providers. Specific obligations are still being rolled out and vary between operators of critical infrastructure.
In general, there may be enforceable requirements on higher education providers to monitor for and report cyber security incidents, establish a security risk management program, and, for entities responsible for assets deemed critical to Australia, undertake vulnerability reporting, cyber incident response planning and security event exercises.
Regardless of government mandates and potential financial or administrative repercussions, the security practices being proposed are fundamental to any security-aware organisation and highly valuable in proactively managing the security of your research, your staff, and your students.
Defence research
The third largest security driver for universities and research organisations in 2022 arises from the neo-Cold War climate that we increasingly find ourselves in. Alongside the historical alliances between military and academia, the hardening political climate is reviving opportunities for collaboration between Government and universities across a wide range of academic disciplines.
To take advantage of defence-related research opportunities, grants, and partnerships, universities need to prove that they have adequate levels of protection across the security categories of governance, personnel security, physical security, and information and cyber security. This can be achieved through membership of the Defence Industry Security Program (DISP), which:
- Helps you to get the right security requirements when delivering Defence contracts and tenders
- Gives you access to Defence security advice and support services
- Helps you better understand and manage security risks across your organisation, and
- Provides confidence and assurance to Defence and other government entities (either Australian or foreign) when procuring goods and services from industry members.
In the case of universities and research organisations wanting to respond to Defence contracts and opportunities, it may make sense to combine efforts and obtain DISP membership alongside a more general security enhancement program.
What to do about it
The problem facing universities and academia in being prepared to anticipate and defend against security threats is not a simple one.
A study done by Malwarebytes Labs found that education organisations are especially vulnerable to cyber attacks for many reasons, including:
- A lack of resources, which means efforts to boost cybersecurity take a back seat
- Outdated technological infrastructure, which is easily penetrable by cybercriminals
- Students and staff connecting to school networks from personal devices that may be jailbroken, both on-premises and at home
- Some students may hack school software out of boredom or to shut down the Internet and disrupt the school day.
From my own experience I would also add that the diverse yet niche requirements of each department and individual researcher have necessitated the acquisition of innumerable computers and technologies, all running different hardware, software, and applications, and connected to different networks. This adds considerable risk to the organisation due to the increased difficulty of managing and monitoring all these disparate devices and networks.
Unfortunately for us, criminals and spies don’t care much about the reasons why we’re so vulnerable. All they care about is that we’re vulnerable. And where there’s a vulnerability there’s an opportunity for them to do their job.
In a research paper on cyber security in higher education by the Higher Education Policy Institute (HEPI), Dr John Chapman states: “Organisations that do not adequately protect themselves risk the loss or exposure of personal student and staff data and also commercial, institutional and research data that are valuable to cyber criminals operating domestically and internationally”.
There are many resources available to help universities and research organisations understand their threats and protect their critical areas of vulnerability against targeted attacks:
- The Department of Education, Skills, and Employment have published an entire website dedicated to countering foreign interference in the university sector.
- The Department of Home Affairs have a website to help owners and operators of critical infrastructure to understand their obligations under the new scheme.
- And, ASD provides detailed and highly prescriptive guidelines on security in the form of the Information Security Manual (ISM), which is particularly relevant to working with Defence and the broader Australian Government.
However, at the end of the day a security refresh will never be an easy undertaking for an academic organisation. The ungodly mesh of vulnerable interconnected legacy systems, top-tier threats, bureaucratic webs of policy, and limited financial resources makes this area unavoidably messy and confusing.
That’s where we can help. The Anchoram team consists of professional security consultants who have deep experience in the Higher Education and Academia sector as well as in Critical Infrastructure, Defence, and Intelligence Organisations. We can help with everything from Foreign Interference Testing to security governance, risk, and compliance, and also have experienced technology and engineering teams who can advise on any architecture updates or technology refreshes along the way. We can even help with obtaining and maintaining DISP membership and all the certifications, accreditations, and new security roles that may come with it.
Please don’t hesitate to contact any of the team if you need help with securing your research organisation.