Rutgers University students this week learned the hard way what campus life is like without the Internet. A cyberattack knocked the New Jersey school’s networks offline Monday morning, sending roughly 66,000 pupils into the dark just as they were settling into their first class of the week. It's just the latest attack against major American universities, which have struggled to fend off increasingly sophisticated hackers in search of the troves of valuable information nested in academic networks.
By now Rutgers is probably used to working without computers after a single hacker, known only as Exfocus, took the New Jersey research institution offline for five days as part of a distributed denial-of-service attack that crippled the school last semester. No data appears to have been taken, but the attack (the fifth in a year) comes after the school spent nearly $3 million and raised tuition in an effort to improve cybersecurity.
Still, it could have been much worse.
Hackers ranging from minor players like Exfocus (who claimed he was hired by someone with a grudge to attack Rutgers) to professionals working with foreign governments have turned cybersecurity into a major concern for U.S. colleges and universities. Education experienced the third-highest number of data breaches by industry in 2014, according to Symantec’s 2015 Internet Security Threat Report, trailing healthcare and retail but coming in ahead of the government, financial and insurance sectors. Education wasn’t ranked among the top industries victimized in spearphishing attacks, the primary method of infiltration, in Symantec’s 2014 report (PDF).
Educational institutions were hacked at least 751 times between January 2005 and August 2015, according to data provided to the International Business Times by the nonprofit Privacy Rights Clearinghouse (because PRC tracks only major data breaches that have been detected, the true number may be much higher). Medical was the most hacked industry since 2005, with 1,202 reported incidents, and government came in third place, with 705.
It's not surprising that hackers are targeting academics. University data vaults contain names, addresses, phone numbers, Social Security numbers, medical records, student records (which can fetch as much as $30 apiece on the black market) and other sensitive information that could make current and former students vulnerable to identity theft.
Universities also have intellectual property, patents and government-funded research, including military secrets conscripted by the Department of Defense. The University of Virginia, which conducts research and testing on a variety of Defense Department and intelligence programs, admitted in August it had been breached by Chinese hackers.
“It’s a very large problem that universities are just now beginning to realize,” said Don Welch, chief information officer at the University of Michigan. “Why would you rob a bank? Because that’s where the money is. We have information that’s very valuable and worthwhile for criminals and hackers to try and steal.”
The Symantec report shows 31 incidents in education in 2014, enough to make up 10 percent of all breaches that year. When it comes to the number of identities exposed in 2014, education comes in at No. 9, with 1,359,190, or .4 percent of all exposed identities in 2014.
“We’re finding that universities are the test bed for hackers,” said Rohyt Belani, CEO of the password protection company PhishMe, which works with more than two dozen universities. He added that academia has become a soft target because of the number of accessible student accounts.
“High net worth individuals are also making donations to these colleges,” Belani said. “Hackers are saying, ‘I might not be able to hijack a bank, but if I can hijack just one person’s identity maybe I can do pretty well.’”
It’s not just the University of Virginia. Penn State University and the University of Connecticut, both of which conduct defense research, recently discovered outsiders were lingering in their networks. Penn State’s Applied Research Laboratory is one of 14 divisions that work almost exclusively for the Pentagon, developing aerospace engineering information. The FBI and FireEye, which investigated the breach, told Penn State that hackers may have been in the system for more than two years before detection.
“There’s typically a propensity for a university to develop great technology for the outside world, but then they don’t practice the same course of conduct and help themselves internally,” said Darren Guccione, co-founder of the cybersecurity company Keeper Security, which works with Stanford University and a number of other schools. Guccione said too many schools rely on overworked IT staff, and lack sufficient government funding to hire the best minds in cybersecurity.
“That’s the situation,” he said, “and they’re being hacked by Russia and China, who are using the best and brightest on the planet. All these people do is divert trade secrets. That is all they do.”
As if adversarial intelligence agencies weren’t already enough, university CIOs also need to deal with students’ ongoing failure to protect themselves online. Cybersecurity studies have consistently indicated millennials are more likely than any other age group to believe their personal data is protected online, and they’re the least likely to take extra steps to protect themselves.
Awareness On The Rise
The easiest, and most obvious, way to do that is to use different passwords. But with the acknowledgement that a problem exists, there’s also been an influx of prevention measures designed to protect research and trade secrets.
Hundreds of universities are handing out encrypted loaner computers to faculty members working on sensitive projects or traveling to foreign countries. IT staffs equip the laptop with PGP software, and give the staff member a brief tutorial on how to keep up with the standard of protection on that device. When it’s returned, the loaner is wiped clean.
Other schools are touting university-wide phishing awareness training, which aims to help professors detect emails meant to trick them into inputting their user names and passwords into bogus sites. Security professionals at University of Michigan, which fends off “thousands” of hacking attempts every day, are working with tech-forward faculty members to identify which staffers' credentials would be especially valuable to outsiders.
“We have accounts compromised every day, and we’ve been penetrated by some bad guys,” said Michigan CIO Don Smith. “The definition of success is that nothing happens.”