The Conversation

  • Written by Greg Austin, Professor, Australian Centre for Cyber Security, UNSW
How Australian universities can get better at cyber security

The cyber security practices of Australian universities are in the spotlight after the Australian National University (ANU) reported last week it had been the target of a serious attack. Hackers – reportedly based in China – infiltrated ANU’s networks some time last year and have proven difficult to remove.

According to the Australian Cyber Security Centre’s 2017 Threat Report:

Targeting of the networks of Australian universities continues to increase. Universities are an attractive target given their research across a range of fields and the intellectual property this research is likely to generate.

Anecdotal information suggests university performance in cyber security is quite weak. The problem is not widely studied by scholars. But there are things they can do to improve.

It’s important that they do because university networks hold important intellectual property data; sensitive political, business, and social data from background interviews and surveys; and valuable personal information about students who go on to become political, business and national security leaders.

Read more: Is counter-attack justified against a state-sponsored cyber attack? It's a legal grey area

This is a global problem

Cyber attacks targeting universities aren’t limited to Australia.

Chinese universities were among the major victims of a global ransomware attack involving the Wannacry malware in 2017. The attack, which locked up user files and demanded a ransom, came just on the eve of submission of final theses for the academic year in Chinese universities. Social media reporting suggests the disruption was serious.

Indeed, universities figure rather prominently as victims of cyber attacks in China. In 2016, according to a Chinese study, the country’s universities accounted for the highest proportion (40%) of targets of the most serious form of threat.

Known as Advanced Persistent Threat (APT), this form of attack is usually associated with government intelligence or military agencies. My own work suggests that in general the institutions targeted had bad security practices – either by not installing software updates on the day of issue or by using pirated software.

Better reporting is required

So how good are Australian universities at cyber security?

There is scant public evidence assessing the cyber security practices of Australian universities so it’s hard to say. According to a senior official of a small regional university who I spoke to last month, his institution simply has not been equipped, staffed or funded in the past to engage with the challenge.

What about the country’s top universities?

To answer this, some consistent and public reporting on security incidents would be required. If we had information on the size of security staffs, the type of outsourced security arrangements, and the total annual budget for cyber security in our universities we could make a reasonable judgement. These types of data are difficult to find, but we can make judgements in other ways.

First and most simply, do universities utilise two-factor authentication? Do they prohibit staff and visitors from bringing their own devices and USBs? Most Australian universities probably fail these two basic tests.

Read more: How suppliers of everyday devices make you vulnerable to cyber attack – and what to do about it

Second, since most Australian universities don’t insist on mandatory training in simple security measures, such as how to avoid “phishing” emails that carry malware, we can assume serious vulnerabilities exist.

In 2018, the University of New England released a comprehensive three-year information security plan. It is an impressive assessment of the threats, risks and challenges for the university – and it updated a previous plan for 2015-17. The scale of the challenge is well captured by one sentence in its executive summary:

…yesterday’s security defenses are not effective against today’s rapidly evolving threats.

Not all Australian universities have such an easily accessible and comprehensive plan.

What is to be done?

Mature organisations in the corporate world do not leave cyber security management in the hands of the information technology managers. Rather they place responsibility in the department of risk management, directly under the CEO or Board of Directors. One reason is that cyber security is a socio-technical problem, not just a technology problem.

There is an additional option uniquely available to universities: to ensure that those who manage security of networks and data work closely with those who research and study the same problem.

This happens in Oxford University, where the academic staff in the field are seen as part of the solution. Oxford convenes a monthly meeting of its Information Security Special Interest Group (SIG) and its members help manage the university’s annual baseline cyber security assessment.

Read more: Deterring cyber attacks: old problems, new solutions

Oxford also has its own Computer Emergency Response Team (CERT), a type of organisation used globally, though often only at the national level, to manage certain aspects of cyber security. The CERT is developing the university’s own security analytics platform (SAVANT).

In December, the Canadian universities and colleges association issued a workshop report on what their member institutions needed to do to address this problem. It advocated, among many other steps, a national university-based cyber security network.

Participation in a shared Australian network of this kind will be the only solution available to Australia’s smaller universities with low security capability, but also an essential component of the cyber security work for our largest.

Authors: Greg Austin, Professor, Australian Centre for Cyber Security, UNSW

Read more http://theconversation.com/how-australian-universities-can-get-better-at-cyber-security-99587


Independent Parliamentary Budget Office exposes Shorten's lies

Bill Shorten's false claims about so-called insecure work lie in tatters today, following an analysis published by the independent Parliamentary Budget Office (PBO).  The PBO’s independent analysis...

Union demands paint a bleak future under Shorten

It’s time for Bill Shorten to come clean and rule out extreme changes to Australia’s industrial relations laws that would wind the clock back to the strike-torn Whitlam era.   As the ACTU prepares...

Doorstop at AKD Sawmill with Trevor Ruthenberg, LNP Candidate for Longman

MR TREVOR RUTHENBERG, LNP CANDIDATE FOR LONGMAN: Well morning folks. Welcome to Caboolture, welcome to Longman. This is a fantastic day for local jobs. This is a fantastic day for our community. ...

Business News

Artificial stone dust: the new asbestos

Calls for national ban on dry cutting techniques and tougher penalties amid new cases of tradies sick from toxic dustLeading plaintiff law firm Shine Lawyers is calling for a national ban on dry cutti...

Top Tips if You’re Thinking About Quitting Your Day Job and Starting a Small Business

Are you fed up with working for another person and long to be your own boss? Do you think you’d like to take over a local business that’s up for sale? Would you like to make your hobby into somethin...

What is the best structure to use when starting up a business

Coco Hou, tax specialist and accountant, has shared her advice for people who are starting up their own businesses, setting up side gigs, or moving into consultancy work. The start of the new financ...


Adina Apartment Hotel Brisbane

TFE Hotels has opened the doors of the spectacular new Adina Apartment Hotel Brisbane, which offers stunning views over the Brisbane River and awe-inspiring interiors that transport guests back to t...

Winter In Rotorua: Things To Do

While many travelers consider the summer months to be the prime traveling season, there are thousands and thousands of travelers who love to take to their campervan hire australia journeys when the ...

Discover Hong Kong Your Way With Ecruising

From July – November 2018, Ecruising in partnership with Hong Kong Tourism and Royal Caribbean, including Azamara and Celebrity Cruises are offering travellers new and exclusive cruising itinerari...

You might also like