We outline recent developments and the key steps that higher education providers can take now to mitigate the risk of a cyber attack.
- In recent times, higher education providers have become increasingly attractive targets for cyber attacks from both criminal and state sponsored actors.
- There are currently legislative developments underway, including proposed new cyber security obligations for universities.
- Our Perspectives on Cyber Risk 2021 report explores the trends and impact of cyber risk, and looks at ways for organisations to manage their cyber security.
Cyber incidents in higher education are on the rise
We are seeing that higher education providers have become increasingly attractive targets for cyber attacks from state sponsored actors. Earlier this year, the Australian Security Intelligence Organisation (ASIO) confirmed that Australian universities and researchers are under threat from foreign states.
This year a number of publicly acknowledged cyber security incidents impacting Australian universities have arisen, in the wake of a major breach of the Australian National University's systems in 2018. In that incident, hackers gained access to nearly 20 years' worth of data relating to human resources, financial management, student administration, and 'enterprise e-forms systems'. While the attacker is known to ASIO, it has not been publicly revealed.
A universities' systems may be particularly vulnerable to cyber attacks for a number of reasons:
- Universities are designed to be open and collaborative structures.
- They typically utilise numerous public-facing systems, some of which may be legacy systems.
- Many and varied users access university systems and services, including students, academics, researchers and staff. With multiple touch points, these systems present hackers with an broad attack ‘surface’ that can be challenging to defend.
- Many universities are dispersed across a number of campuses and research locations.
Universities also hold lucrative stores of intellectual property assets derived from their research activities, as well as an extensive inventory of personal and sensitive information.
In response to this threat, the Australian government has introduced significant legislative reforms requiring proactive uplifts to existing university compliance frameworks.
Government action in the wake of mounting threat
In August 2019, the Minister for Education announced the creation of a University Foreign Interference Taskforce (UFIT). The purpose of UFIT is to provide better protection for universities against foreign interference.
The Guidelines to Counter Foreign Interference in the Australian University Sector (Guidelines), developed by UFIT, were released in November 2019. The Guidelines were developed for, and in partnership with, the Australian university sector. The stated purpose of the Guidelines is to support universities with:
- examining existing tools;
- assisting decision-makers to assess the risks from foreign interference; and
- promoting greater consistency across the sector.
UFIT has recently refreshed the Guidelines, with consultation with the higher education sector currently underway with a view to releasing revised Guidelines in the coming months.
Universities are also closely monitoring the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) (SOCI Bill). If passed, the SOCI Bill will extend the obligations under the Security of Critical Infrastructure Act 2018 (Cth). It will also introduce new and enhanced cyber security obligations to a broader range of sectors, including the university and research sector.
In its present form, the SOCI Bill will impose obligations on universities to comply with requests for information, directions for action, or requested intervention, in response to serious cyber security incidents impacting a ‘critical education asset’. This term is defined as an institution, such as a university, that is owned and operated by an entity registered in the Australian university category of the National Register of Higher Education Providers.
Universities may also need to comply with a number of positive security obligations, including:
- the provision of ownership and operator information;
- the adoption and maintenance of a critical infrastructure risk management program; and
- mandatory reporting obligations about cyber security incidents.
Some of these obligations are not imposed automatically, but may be 'switched on' by the Minister.
Key steps for universities to mitigate cyber risk
In anticipation of further legislative reform, there are several steps that universities can take now to uplift existing controls and mitigate the risk of a cyber attack. These include:
- Assessing cyber security maturity and compliance against external risk frameworks, such as the National Institute of Standards and Technology (NIST) cybersecurity framework.
- Developing a cyber security strategy which clearly outlines key issues, priority actions and success measures.
- Leveraging sector-specific networks to share intelligence and collaborate on security-related initiatives.
- In addition to regularly testing data breach response plans, developing and updating threat modelling and playbooks.
- Understanding the risks posed by the supply chain, including operational and security risks.
- Undertaking regular and effective staff training on cyber security.