The number of cyberattacks affecting universities nationwide has spiked during the pandemic, a trend experts said GW should address with increased cyber and information security measures and data protection education.
Officials have responded to at least two cyberattacks this academic year, including third-party data breaches that targeted Kronos, an employee time-reporting system, and MyLaw, an online platform that GW Law uses to store students’ personal information and classroom materials. The outages at GW mirror national trends at institutions of higher education as the number of ransomware attacks against U.S. universities has increased from 13 in 2019 to 26 in 2021.
Interim Chief Technology Officer Jared Johnson said school districts and institutions of higher education have been met with “heightened cybersecurity activity” like email phishing, Zoom bombing, ransomware attacks and identity theft in light of the increased dependence on remote learning and working during the pandemic.
“The University continues to focus on the protection of our community in an evolving threat landscape and does so through continued investments in our cybersecurity infrastructure, continued evaluation of our capabilities, engagement with external partners (commercial, governmental and community based like [Research and Education Networks Information Sharing and Analysis Center] and [Health Information Sharing and Analysis Center]) and providing resources to help build better cybersecurity awareness,” Johnson said in an email.
He said the University holds a cybersecurity awareness month in October with guest speakers and panel discussions on cybersecurity, and officials have invested in residence hall signage to raise awareness of cybersecurity.
“Later this spring, GW [Information Technology] will launch security awareness training modules to the GW community and will include topics on social engineering, password management, mobile device security and handling and sharing sensitive information,” he said.
The attack against MyLaw kept the system down for nearly four weeks starting during final exams, leading to concern and frustration among students over University security. Officials reported the attack to the FBI, which declined to comment on the outage.
Kronos, the employee time-reporting system, was down for more than a month, and officials said personal information like email addresses and NET IDs may have been compromised during the attack.
The GW community experienced at least two additional cyberattacks during the 2020-21 academic year. One affected the GW Hospital when its majority owner Universal Health Services sustained an attack in October 2020. Another leaked payment information last spring belonging to students purchasing items for Commencement as part of an attack against a company that sells caps and gowns to students across the country.
Officials increased funding for cyberattack protection in 2016 in response to an increased number of scams reported at the time.
Experts in cybersecurity said officials should invest more funds in information security for modern defense systems and increase education and awareness for University community members on common security risks to combat the rise in attacks.
Marcus Rogers, a professor of cybersecurity initiatives at Purdue University, said universities often don’t allocate large sums of money to information security until after an attack. He said information security is not a “major focus” at most universities because proper security funding is typically expensive, which leads to understaffed and underfunded security departments.
“It comes down to money,” Rogers said. “It’s expensive to do this properly, it’s expensive to hire the right people, it’s expensive to maintain your equipment, it’s expensive to update this stuff and at the end of the day, it doesn’t make money for the university.”
Rogers said universities are “vulnerable” to attacks because they store a wide range of data like research projects and students’ and staff members’ private information like Social Security numbers and personal health information.
“There’s always the risk of identity theft for students and faculty and staff whose HR and health information might be breached at a university,” Rogers said. “We’ve seen instances of attacks where Social Security numbers, dates of birth, all that kind of personal health information has been breached.”
Rogers said GW’s data collection project that tracked students’ whereabouts on campus in the fall, which interim University President Mark Wrighton disclosed to students earlier this month, “absolutely” made GW a bigger target for cyberattacks. Rogers said the personalized information collected, like locations where students gather on campus, is crucial to data collectors like marketers.
“That kind of information can be extremely important to some type of foreign intelligence community or even mass marketers who want to be able to basically keep track of some of the locations that you are going to,” Rogers said. “The more data that is personalized, then the bigger a target an institution becomes.”
Ming Chow, a professor of computer science at Tufts University, said individuals can protect themselves from cyberattacks with safeguards like password managers – secure databases that store individuals’ passwords – and two-factor authentication. He said attacks primarily occur against those with weak password protection.
“The advice goes to anyone at all levels: president, student, staff, etc.,” he said in an email. “The fact of the matter is, too many systems and accounts get hacked because of a weak password used.”
Engin Kirda, a professor of computer science at Northeastern University, said modern defense systems would be most effective in protecting information systems at universities. Kirda said these systems are “costly,” and user education, which can teach students and faculty not to click on suspicious links, is also crucial.
“There are modern defense systems that may be costly, but that would be important for protecting information systems (e.g., solutions that provide some sort of sandboxing capabilities and novel end-point defense agents),” Kirda said in an email.
Anton Dahbura, the executive director of the Johns Hopkins University Information Security Institute, said universities should invest more time and effort in teaching cybersecurity, which can help inform students and staff about strategies they can use to combat attacks. He said universities should make cybersecurity a “top priority” if they haven’t already.
“Cybersecurity has become a discipline in recent years, and universities need to adopt the discipline in order to reduce the number of vulnerabilities in its systems and keep hackers at bay,” Dahbura said in an email.
Faith Wardwell contributed reporting.