Last week, the White House sent out an executive order warning about potential cyberattacks by Russia against the United States, given the ongoing escalation around the war in Ukraine and the escalating statements from Vladimir Putin over sanctions. The potential targets are many, from small and large businesses to those with ties to the defense industry.
Institutions of higher education and K-12 schools also remain in the crosshairs of hackers, both from Russia and other nations such as China and Iran, because they are seen as soft targets with potential payoffs—schools are easy marks for intrusion through ransomware schemes, as are colleges, and possess open networks where research and personal data can be exposed and stolen.
Hugh Taylor, founder and director of the Cyber Policy Institute and Executive Editor of the Journal of Cyber Policy, says that although the nation probably shouldn’t panic over the President’s statement or warnings from the FBI, individual institutions should be very wary of more attacks coming.
“It seems like there are people on the inside of the intelligence community who know something is up,” he says. “Certainly school systems have been targeted by ransomware. Many of them are understood to be Russian in origin. The question is, why? One simple answer is these gangs want to make money, and school systems—and probably universities, too—have a need to be functioning. So they can’t really be shut down. But often, these are poorly defended.”
Colleges and universities over the past five years have paid out millions in ransomware attacks to get systems running again and in an effort to protect their data. They are being increasingly targeted through malware and email phishing attempts. But money and data may not be the only drivers. There could be more nefarious reasons for the breaches.
“I would be concerned about very serious disinformation attacks, which we’ve been enduring now for at least six or seven years,” Taylor says. “We saw this in the 2016 election. These large-scale troll efforts or bots that foment chaos and disagreement amongst people in the United States, you might see a very pronounced increase in that. If the concern is that Russia is going to retaliate against the sanctions, they may unleash a greater amount of these kinds of attacks.”
Taylor says that type of campaign has the potential to be catastrophic given that the U.S. might be underestimating the number of operatives and artificial intelligence working behind the scenes to sow discord. “It was said there were a few hundred people sitting in buildings in Russia influencing the American election. If that’s what 300 people can do, I’ve been told that there’s at least 15,000 operatives in the Russian cyber intelligence world. Imagine what 15,000 people could do if they really want to twist the knife with hatred and anger and fear. They can prompt physical riots from online activity. We’ve already seen that. That makes me nervous.”
Russia isn’t the only player. Taylor and others worry about increasing threats in cyberspace from China. “It’s understood that China has systematically stolen basically every single medical record of every American, as well as all the credit histories,” he says. “So what are they doing? One theory is they’re trying to create a social map of the United States so that when someone shows up in the airport, they know who you are, they know who your brother is, your father. Does your cousin work for the CIA? Or that they’re trying to train artificial intelligence software that can manipulate public opinion.”
Shoring up your systems
One of the problems with ransomware attacks is that the payoffs aren’t necessarily final, even when universities have made agreements. Malware planted deep within systems could be reactivated at any time. Taylor says it is vital that IT teams are experienced and continually checking for breaches. For those institutions already behind on bolstering their networks, Taylor says, “it’s a little bit late. Hopefully you should have programs in effect now.”
That said, colleges can take further steps to try to prevent worst-case scenarios from occurring, and it starts with some basic cyber hygiene and persistence:
- Teams should be patching out-of-date systems and purging old users.
- Taylor says institutions should be running tests and preparing for potential disruption.
- Antivirus programs should be current on PCs utilized widely by students and faculty.
- Password standards should be high. The University of Arkansas last week sent a directive to its community to make sure passwords aren’t shared and that multi-factor authentication is required. Leaders there say, “If you are sending sensitive information to another campus user, consider using OneDrive, which is encrypted by default. Alternatively, use Outlook’s built-in email encryption when sending sensitive information.”
- Taylor says backups are incredibly important because “sophisticated actors will try to destroy them.”
- Institutions should use campaigns across multiple channels to let campus stakeholders know when and how to report concerns.
One of the most persistent problems plaguing the federal government that also exists at other organizations is that many have old legacy systems that can be easy prey and are difficult and expensive to replace.
“It could take five years to implement some of these ideas,” says Taylor, a Harvard Business School graduate who has lectured on cyber topics at UC-Berkeley. “The government is trying. It just can’t move that fast. And by that time, a lot can happen. Something could happen in the next five weeks. Universities have this problem, too.”
Taylor says another problem the U.S. has is that there are no uniform standards for cybersecurity. Even though there are more than 80 pieces of legislation to improve it, Taylor says many of those bills have overlap as legislators propose them individually. “There should probably be one cybersecurity bill,” he says.
Some of those target workforce shortages. Higher education is trying to help in the fight with a 250,000-new-cyber-worker initiative, but even that will take years to develop. Right now, Taylor says, “There just aren’t enough people to go around.”