Criminal hackers drew national attention when they brought down a major East Coast oil pipeline for several days in May, triggering a panic that led to gasoline shortages and price increases. Colleges have been similarly hit, knocked offline for days or weeks by attackers who froze — and sometimes threatened to sell — their data and demanded payment for it to be restored.
Called ransomware, these attacks doubled in frequency within higher education between 2019 and 2020, according to one industry report, which pegs the average cost of such an event for institutions at $447,000. They have affected colleges nationwide, from a community college in Iowa, to Michigan State University and a University of California system campus. One two-year system in Arizona said it narrowly averted such an attack.
Federal law enforcement agencies warned colleges of the increased threat earlier this year.
Ransomware attacks are hitting colleges at an inopportune time. Institutions have been relying far more heavily on their virtual systems for instruction and student support during the pandemic than ever before. This has made the impact of such attacks that much bigger for colleges, said Von Welch, associate vice president for information security at Indiana University.
Welch is also the executive director of OmniSOC, which was founded in 2018 and brings together security officials from several universities to provide 24/7 coverage of their systems. The collaborative approach also lets them apply lessons from an attack on one school to that on another.
Higher Ed Dive talked with Welch about the recent spate of ransomware attacks and other cyberthreats colleges should be watching for.
Editor's note: This interview has been edited for clarity and brevity.
HIGHER ED DIVE: With OmniSOC member schools doing more online during the pandemic, did the group's structure or priorities change?
WELCH: There are subtle differences, but it's not as big a change as you might expect. It's not like universities have been nice, neatly contained boxes, frankly, ever. We're very used to this dynamic nature, as opposed to organizations where the physical boundary of their building is more meaningful in terms of their computer infrastructure.
We're seeing more headlines about cyberattacks happening on campuses. Is that something schools should be worried about?
Most of the increase in threats I've seen to higher ed, and really all of the world, have been related to ransomware, but it's not mainly due to covid. Ransomware has gotten popular because criminals can go after so many more victims. Five or 10 years ago, all of cybercrime was basically around getting things like social security numbers, credit card numbers, access to bank accounts — things they could convert into money really easily.
When someone does a ransomware attack, they're attacking your business continuity. So all that has to happen now is your infrastructure has to be important to you. If you think about this from who can be a victim, it grows incredibly. It's been very effective during the pandemic because — guess what — everyone is incredibly reliant on their computer systems, and so the impact of a ransomware attack is much larger.
Would colleges have been as big of a target for ransomware had the pandemic not happened and pushed everything online?
They would have been a target, but because we weren't doing everything online, it probably wouldn't have been quite as big of a story. But I don't think going online has necessarily made schools all that more vulnerable. They're using software from places like Microsoft, Zoom and others that are relatively mature products.
Do you notice any patterns or trends in the kinds of schools getting hit with ransomware?
Information technology has gotten so complicated that smaller schools are having a harder time keeping up with the demands of keeping it secure. They typically don't have as big of an IT budget. These are very hardworking people being pulled in more directions and don't have the specialization that you can get at larger schools.
When we do see larger universities hit, it tends to be their departments rather than central IT. In central IT, we have a lot of trained staff who are very focused on keeping things secure. Once you get to a department, the balance between priorities shifts between security work and other support.
What should a school do if they get hit with ransomware?
One of the critical things they're going to have to figure out at that moment is do they have good backups. If you have good backups of all your IT systems you can restore those backups and get online without having to worry about the extortion.
If you don't have good backups, you might have the question of should you pay the ransom. That can be a tricky ethical issue. With the pipeline attack, you have the FBI and the Department of Justice asking people not to pay ransoms because if you do, you're giving money to the criminals, they're investing it to become better and it encourages them to go after more victims. On the other hand, from the perspective of the pipeline CEO, they had people running out of gas all up and down the Eastern Seaboard, so they had a compelling reason to want to get back online quickly.
That may be something senior leadership wants to talk about before they get in that situation. Which of the key services on their campus would cause them to have to shut down if they were suddenly unavailable? Ask their IT staff: Do we have a backup for that server? When was the last time we made sure the backup worked? Could we recover if that server was hit by a ransomware attack? It's basically a disaster recovery exercise.
Has this threat been on schools' radars long enough for them to have done this preparation?
Our first look at ransomware here at Indiana University was five years ago, and that was a little bit early on. The Department of Justice said it's going to give ransomware a similar priority to terrorism, so it's on the national radar. If you believe your organization is one that needs to be able to keep running through any sort of disaster, it's past time to have had a conversation.
It's a very hard subject to tackle, because the IT infrastructure has gotten so complicated. The big challenge is making sure you've got all your critical systems identified and have them secured and have good plans in place. Where people struggle is doing that at the scale of something with the complexity of a college or university.
What other threats should schools be more aware of now that they are doing more online?
There are phishing attacks, which are fraudulent emails. There's also voice phishing, which is basically calling somebody up and saying, "Hey this is your CFO, we need to get $50,000 to this vendor by the end of the day." Those are still out there and a little easier during the pandemic because we're doing a lot more things via phone or otherwise. It's certainly not a good time to let your guard down on issues like that.
What would you like non-tech leaders to know about their role in helping teams like yours protect the institution?
Leaders have to balance many risks every day and I recognize cybersecurity is just one of them. It's hard because cyber is changing so rapidly, relatively speaking. Things like tornados and financial risks can be relatively well understood — we've got actuaries, we've got meteorologists. Cyber is such a dynamic field that it can be hard to stay on top of it. And so recognizing that although it is tough, it does need to be an ongoing conversation between the cybersecurity experts and the leaders, to understand how the cyber risks are changing and how those changes relate to our missions of education and research.
Do you think the pandemic has made leaders more or less interested in those conversations?
The pandemic introduced huge public health risks for universities. Suddenly we were spending a lot of time trying to keep students and staff safe from the pandemic itself. You can just take a look around at all the deaths and the lives that have been impacted by the pandemic, and it puts the cyber risks in a little bit of a different context. It's money versus lives.
But on the other hand, the role cyber has played in helping with the pandemic is we've had to keep a lot more health data secure, sometimes on systems that have been set up very quickly. Speed and urgency is not the friend of cybersecurity. It had to adapt to keep up.
