By Dr Guy Bunker.
How can universities ensure cyber safety to protect valuable research?
With growing fears that universities are vulnerable to cyber-attacks, how can universities protect their sensitive data? With studies relating to nuclear technology, aerospace design and infrastructure systems among high-risk targets, it’s evident that cyber defence measures need to be heightened for both the researchers and the public, who could be affected by both breaches of confidentiality and data loss. A report released last week, by the vice-chancellors’ body Universities UK, advises universities to protect politically sensitive data including climate change modelling, economic projections, commercially valuable product data and information used for expert testimony. It’s no surprise that this information would be highly sought after and is a valuable asset to companies, the government and the public sector. What’s clear here, however, is that it’s the entire value chain which needs to look after these valuable assets of information.
As mentioned in our recent blog on Operation Waking Shark 2, hackers will always attack the weak point in a value chain. It’s not just client information and sensitive company plans that are precious; if a hacker can get to the root of the information – its research – then this could have dramatic consequences for the company, not to mention the impact that unauthorized access to sensitive data on nuclear technology and aerospace design research might have. The consequences of information leaks in research projects could be hugely detrimental not only to a company but also to scientific and academic progress. The contribution to innovation and economic development in the UK from university research is invaluable.
Academic researchers share valuable information about otherwise unseen progress in sensitive areas, and this open culture of academic collaboration, together with the large numbers of people on campuses with access to university networks, adds to universities' vulnerability. One way to eliminate risk in the transfer of information would be to employ an adaptive security system, such as adaptive redaction, which can be updated to redact key terms and information before the point of delivery. This will prevent both unauthorized and inadvertent access. According to the report, the security services are working with the Department for Business to compile “a composite case study of previous attacks on UK higher education institutions”, which could potentially work in a similar way to Operation Waking Shark 2, an exercise designed to test Britain’s financial industry to 'its limits' on how to cope with a sustained cyber-attack.
Treating universities as individual entities would not suffice in terms of data protection. With academic researchers increasingly relying on shared data, information and research resources, this is not a single-organisation or an endpoint issue; it’s a supply-chain or value-chain issue. As we reiterated when the government was testing the cyber security readiness of the financial sector, when information is transferred back and forth, hackers can seek out the weakest point in the chain in order to attack their actual target.
With universities and schools being urged to address the growing dangers to cyber security by equipping more young people with the tools and knowledge to understand advanced IT skills, including coding and programming, it seems appropriate to note that universities themselves are at high risk of data loss and need protecting. As in the old medical adage, “Physician, heal thyself”, academic institutions should nurture the future cyber defence army for themselves as well as for the rest of us.