United Kingdom National Cyber Security Centre Issues Threat Assessment for United Kingdom Universities

On September 18, the United Kingdom’s independent governmental authority on cybersecurity, the National Cyber Security Centre (NCSC) issued a threat assessment of “the current cyber security threat to UK universities and academia.”  The NCSC report noted that “[t]he threat posed to the university sector sits within the broader context of the threat to the UK as a whole,” including the threat of state-sponsored malicious cyber activity, as well as “a serious and sustained threat to the UK from organised cyber crime.”

The report presented four key judgments about the threat to universities:

1. The key cyber threats to UK universities are highly likely to be (1) “Criminals seeking financial gain”; and (2) “Nation states looking to steal personal data and intellectual property, for strategic advantage.”
2. Cybercrime “will probably present the most evident and disruptive difficulties for universities,” although state-sponsored espionage “is likely [to] cause greater long-term damage.” The report stated that the latter finding “is particularly true for those universities which prize innovation and research partnerships.”
3. Likely effects of state espionage include (1) “Damage to the value of research, notably in STEM subjects”; (2) “A fall in investment by public or private sector in affected universities”; and (3) “Damage to the UK’s knowledge advantage.”
4. “If foreign direct investment were to come under greater scrutiny or restriction, it is a realistic possibility that the cyber threat to universities would increase, as nation states sought alternative ways to gain access to sensitive research and intellectual property.”

The report also identified four potential categories of data and information of interest to a nation-state: (1) emails; (2) “bulk personal information on staff and students”; (3) “technical resources (e.g. documentation and standards)”; and (4) “sensitive research and intellectual property.”  Use of these data “will meet a wide range of state requirements,” such as “commercial advantage for the nation’s companies, advancing equivalent research efforts, military or security apparatus.”  The report also stated that sensitive research

may be targeted for its defence or commercial value, and its loss is likely the most detrimental of all to both the affected university and to the UK as a whole. Likely effects include damage to the value of impacted research and intellectual property for both individual researchers and the institution. The attractiveness, relevance and value of an impacted university as an investment partner will also be negatively affected. And at a wider scale, the knowledge advantage of the UK will suffer.

With regard to cybercriminals, the report observed that they “are likely to impact universities most often through untargeted attacks,” such as ransomware, which “brought significant loss-of-service to multiple UK universities in June 2018.”  It also noted that “[t]he use of spoofed or compromised email accounts to impersonate a university’s partners or suppliers is rising, and has led to the passing of sensitive information or funds to criminals.”

To defend against cyberattacks, the report cited widely recognized approaches, such as “good security awareness among staff and students”; “[s]ecurity-conscious policies, strict access controls and partitioning of high-value research”; and segregation within a university network of smaller, private networks, which “offers an opportunity to separate high-value or sensitive data and information, and apply a higher level of protection, without impacting the openness of the wider network.”

The report concluded with four main predictions:

1. “State-sponsored activity will continue whilst it remains successful and the repercussions are limited.”
2. “[S]tate espionage will continue to pose the most significant threat to the long-term health of both universities and the UK itself. There’s a realistic possibility that the threat will increase in-line with increased scrutiny of foreign direct investment and the minimising of other avenues to gain insight and advantage.”
3. “Cyber crime too will almost certainly continue to impact universities, either as a direct target or as collateral, regardless of the reputation and success of those universities targeted.”
4. “[S]pear-phishing and social engineering are highly likely to remain the main attack vectors,” but ransomware “is likely to be the greatest single cause of disruption to staff, students and the universities themselves.”

Note:  The NCSC report stated that its information “will be of interest to all academic and non-academic staff. It will be particularly relevant to senior leaders in universities and research institutions, members of university councils and those engaged in research.”  It should also be required reading for legal, cybersecurity, and compliance officers in United Kingdom universities and research institutions.

Because universities are accustomed to regarding themselves as bastions of academic freedom that “nurtur[e] a culture of openness, tolerance and dialogue,” it can be difficult for some university administrators to accept that their institutions can be treated simply as targets of opportunity by “state-sponsored actors . . . looking to steal data and information for strategic gain” or “cyber criminals seek[ing] to commit fraud, or monetise stolen material through sale or ransom.”

For those reasons, University legal, cybersecurity, and compliance officers should coordinate their efforts to inform university administrators about the report’s findings, and use it as an opportunity to reassess the state of their own institutions’ cybersecurity programs.