In fact, the education sector, according to recent reports, comes in third place, right after the healthcare and retail sectors, in the number of security breaches. Many universities conduct sophisticated research, whether in engineering, the sciences, or other disciplines. Schools can be a proving ground for new or emerging technologies and innovation. These sophisticated research programs often partner with U.S. government agencies or industry.
Accordingly, schools can serve as a beachhead for other nations and foreign companies seeking to gain competitive advantages, whether economic, political, technological, or militarily. By hacking into university systems, not only can the attackers gain access to sensitive data held by the schools, but those systems can also be used as a jumping point into government computers or corporate networks.
Recent statistics reveal that from 2006 through 2013, over 500 universities reported a data breach (and many more attacks may have been unreported). The trend continues in 2015-2016, when already hackers have targeted large universities in Pennsylvania, Virginia, and Connecticut. In the Pennsylvania incident, over 18,000 students and faculty were affected. So what is behind the targeting of educational institutions?
Hackers Misusing Open Environment of College Campuses
According to an FBI white paper titled "Higher Education and National Security," the systems and open environment of U.S. college campuses may be misused in order to:
. Steal technical information or products
. Bypass expensive research and development
. Recruit individuals for espionage
. Exploit the student visa program for improper purposes
. Conduct computer intrusions
. Collect sensitive research
So hackers, typically working for foreign companies or governments, can help save vast sums of money and development time, by stealing critical research information. A foreign company can then use the stolen data to produce products, but at a much lower cost when competing with the U.S. product, since it did not have the same R&D costs.
This is not only potentially harmful for U.S. businesses, but it also impacts the bottom-line of universities since it may reduce revenue received through patents and technology transfers, and also may result in reduced grants for research and other sources of funding, not to mention potential damage to the university's reputation. In other words, by letting hackers in to steal technical research information, funding organizations may equate that to their own money being thrown out the window.
Internal and External Threats
These threats can be internal as well as external. According to the FBI, foreign businesses may also send their own employees as students in order to obtain information valuable to their company. These individuals appear to be typical students, and do not disclose that they are actually employed with a foreign company.
The FBI's white paper reports that attackers use various methodologies to conduct computer intrusion, including sending phishing emails with malware attached and exploiting social networking sites. Computer hackers, including foreign governments, are capable of breaching firewalls and exploiting vulnerabilities in software used by universities. According to the FBI, U.S. universities receive large numbers of unsolicited requests for information and millions of hits on their Web servers on a daily basis.
To combat these trends, colleges and universities should look to strengthen the security of their networks and deploy sophisticated monitoring and auditing tools. Schools should also be prepared to respond to the inevitable data breach by identifying where sensitive information is stored, prioritizing resources to protect that information, documenting an incident response plan, and rehearsing response strategy and scenarios with their incident response team.
Hackers Moving Freely
And it is not just research or industrial secrets that are of concern. Once attackers are inside the school's network, they may be able to move freely within it, accessing other systems that contain student, faculty, and staff information such as Social Security numbers, credit card information, and even academic records. Of course, access to this information can run afoul of federal regulations, such as the Family Educational Rights and Privacy Act (FERPA) as well as numerous state data breach notification laws.
Although schools may be difficult targets to defend due to the open nature of campuses and less strict control over hardware and software that students and faculty use, in the wake of a data breach regulators will still look to see that schools had in place appropriate technological and administrative safeguards to protect sensitive information.
In order to help strengthen their networks and defend against potential intrusions, schools should invest in periodic risk assessments to determine where sensitive information is maintained and what vulnerabilities may exist. At a minimum, administrators should set policies that control and limit access to computer networks and ensure that appropriate safeguards are in place for information both at rest (stored on systems) and while in transit. Administrators can mandate that sensitive information, such as critical research information, as well as personal information relating to students and employees, is encrypted.
Finally, when the inevitable data breach does occur, colleges and universities should be prepared to respond efficiently and quickly with an incident response plan that is already in place and that has been tested via practice scenarios. The incident response plan should identify key participants, including legal, compliance, IT and other relevant stakeholders from the organization and provide key information and resources the team can use to contain, mitigate and respond to a cyber attack.
is a partner with BakerHostetler in Philadelphia. He focuses his practice on privacy, data security, and technology issues. Eric has significant experience counseling corporations, healthcare providers and other entities on compliance with data breach notification laws, as well as assisting with data incidents.