cyberwarfare focusing on higher education as a prime target
Cyberwarfare: Focusing on Higher Education as a Prime Target
Nicholas A. Davis, CISSP, CISA
Chief Information Security Officer
University of Wisconsin System
March 9, 2016
Higher Education in the United States
• Research, both private and government focused
• Openness, the commitment to learning and freely sharing ideas
• Access to third party research and intellectual property
• An easy backdoor into other organizations
Higher Education in the United States
• Dynamic student demographics, international students, government employees, members of the military
• Decentralized governance structures
• High speed networks with massive capacity to serve as a base to launch attacks
• Strained funding models, in some cases
Higher Education is a Lucrative Target
• Theft of research for financial gain, national security benefit, or both
• Openness implies an assumption of good intentions among all who access the data, not arousing suspicion
• Identity theft at a university can be a treasure trove, not just for financial gain
Higher Education is a Lucrative Target
• Decentralized governance may lead to decentralized IT infrastructure, with technology gaps, enabling cyberattacks
• Lack of funding may leave known vulnerabilities intact
• Concern about individual right to privacy impacts IT security
Favored Methods of Cyberattack Against Universities
• Conduct computer intrusions
• Collect sensitive research
• Utilize students or visiting professors to collect information
• Spot and recruit students or professors
• Send unsolicited email or invitations
• Send spies for language and cultural training, and to establish credentials
• Fund or establish programs at a university
Dr. Reece Roth, University of Tennessee
Despite university warnings on the restrictions on his research, University of Tennessee professor Reece Roth employed a Chinese and an Iranian student to assist in plasma research
Roth also traveled to China with his laptop computer containing export-restricted information and had a sensitive research paper emailed to him there through a Chinese professor’s email account
In September 2008, Roth was found guilty on 18 counts of conspiracy, fraud, and violating the Arms Export Control Act; he was later sentenced to four years in prison
Difficult to Change Mindset of Some in Academia
Quote from Dr. Reece Roth
“I see this interpretation of the export control act and concern about homeland security as a deadly threat to free scholarly inquiry,” he says. “The problems I worked on in the plasma lab were not easy problems. They were hard problems. When anyone who does research refuses to hire Chinese or Iranian students, they’re cutting off their nose to spite their face.”
University of Maryland
Attacker accessed Social Security numbers and other personal information up to 20 years old for 310,000 students, staff, and faculty
Who do you think targeted the University of Maryland, and why did they do it?
Knowledge of Identities of Many Federal Employees
Summary
• Higher education ranks as the third biggest cyberattack target, behind banks and retail
• The nature of the business of higher education makes it an attractive and easy target, creating both motives and opportunities for cyberattack
Summary
To better prepare for continuous cyberattacks, universities, in general, could benefit from:
• Newer technologies, such as Cloud
• More homogeneous environments
• A model which funds cybersecurity in a manner consistent with the value of the assets being protected
…HOWEVER,
Evolving Mindset is Most Critical For Improving Higher Education’s Readiness
Contact Information:
Nicholas Davis, CISSP, CISA
Chief Information Security Officer
University of Wisconsin System
Email: [email protected]
Resource: FBI Whitepaper
Higher Education and National Security: The Targeting of Sensitive, Proprietary, and Classified Information on Campuses of Higher Education
https://www.fbi.gov/about-us/investigate/counterintelligence/higher-education-and-national-security