As universities and colleges continue to suffer the effects of an unprecedented wave of ransomware attacks over the past year, the calls for wider security intelligence sharing are becoming louder.
“At the moment there is a distinct lack of openness and sharing, and I think that’s shortsighted,”
says Richard Bartlett, enterprise security architect at Plymouth University.
“There are areas of higher and further education that strongly compete, but cyber security is not a competition – it's a problem for all of us. Universities and colleges ought to be strategic partners when it comes to fighting cyber crime.
“Ultimately, sharing is about the defense of our sector for which we all have a responsibility.”
But there are questions around what and when to share, with whom and how the data will be secured.
Forewarned is forearmed
“What would be most useful, is for universities and colleges under attack to share information in real time, as incidents happen, which gives others in the community a vital opportunity to act quickly to protect themselves."
Information security manager at Bournemouth University, Simon Teather, agrees:
“I don't care which university or college is being attacked, I just need to know how to stop it happening here. We hear about attacks through peers at other organisations, which is useful, but I shouldn’t have to rely on a lucky break.”
Bartlett also describes the frustration of hearing attack news on the grapevine, and one contrasting incident:
“A member of staff at another university that was hit was reporting on it ‘live’ via the NCSC’s cyber security information sharing portal (CiSP), which is a safe space. The posts were showing key indicators of compromise (IOC), which was invaluable.”
As a government platform, CiSP is the "gold standard of safety”, says Bartlett, so no education provider should be worried about sharing through its academia group, where members can post anonymously, so there’s little risk to their reputation.
During the current spate of ransomware, Jisc has also been making more use of CiSP. Head of cyber defence, Dr John Chapman, says:
“We have been publishing more often to the academia group to show the breadth and depth of recent ransomware attacks against the sector.
“By sharing contextual information as well as the more technical indicators of compromise, we hope that members will be encouraged to add to that information and provide more details that could help the sector as a whole.”
In addition to a new international threat intelligence sharing partnership for the global education sector, Jisc is also planning to soon launch a threat sharing group for its UK members on the open-source MISP platform.
Besides quick-response intel that’s immediately useful to technical teams, Bartlett feels there’s benefit in wider discussions. He says:
“It would be useful if executives in those institutions which have been hit could exchange views on how they now prioritise cyber security, and the consequence of not doing so. Hindsight is a terrible thing in our business for those who become victims, but invaluable for the rest of us.
“Below that high-level institutional overview, technical teams should be talking about what security measures they are choosing to implement and sharing experience of security products and services.
“Managers and senior leaders might also talk about their attitudes towards cyber insurance, crisis communications processes and business continuity plans, security awareness training and how to go about developing a secure culture across the campus.”
Both Bartlett and Teather agree that one of the most difficult aspects of their jobs is evidencing to management the importance of good security.
“That is really, really challenging and there’s a lack of available information which could help,”
He spends time daily searching various public sources, including global media, and organisations including Microsoft and pwc. He uses the information in regular internal bulletins.
“The reports I produce draw a lot of attention to the consequences of the kinds of attacks that we are seeing on a regular basis around the world, and I am able to use them to highlight to the board the risks that we should do something about.
“What I'm trying to achieve is a list of actionable data - the current external threats - so we've got a good idea of the vulnerabilities in our network, and what could be attacked here and how. It also tells recipients the number and type of incidents and whether they have been mitigated.
“However, collating these reports is really time-consuming. There’s lots of information, lots of ideas, and lots of conjecture and I need something more definitive.
“It would be useful to be able to quantify the threat intelligence and attack information properly, and plot it on a timeline so we, and senior leadership teams, can see at a glance the whole picture for our sector. Jisc could play a role here.”
It’s Jisc’s experience that many institutions that suffered cyber attacks may have wanted to inform the sector using CiSP, ask for help from Jisc’s CSIRT, or talk to peers to gain support and advice, but have been prevented from doing so by insurers’ legal counsel.
Bartlett also thinks this is a widespread barrier.
“I hear it’s usual for legal counsel to advise not speaking to anyone about anything because they want to reduce the risk of liability.
“I’d argue that timely and responsible disclosure reduces insurers’ risk. I expect it’s possible to argue that if you have attack information and you don’t share it that you are liable for not doing everything in your power to prevent attacks. Whether that’s provable or not, the fact remains that keeping quiet certainly does not help.”
Chapman has been trying to tackle the problem:
“We’ve been aware for some time that some cyber insurers have been actively discouraging our members from informing CSIRT of incidents.
“Firstly, Jisc’s CSIRT comprises a team of highly trained and knowledgeable experts whose job it is to help members deal with and recover from cyber attacks. This service forms part of the members’ subscription and members should be free to use it when they most need to.
“Secondly, even if members don’t need our help with an incident, the more information we can gather and share on attack methodology, the better prepared we and the sector will be to deal with these crimes.
“Over the last few months, we’ve had positive meetings with some of the main sector insurers to gain their agreement to allow members to approach CSIRT in the event of a cyber attack.”
Any Jisc member that would like to join CiSP should contact Janet CSIRT.
Hear from peer organisations about their experience of cyber security in general and ransomware attacks in particular by signing up for the free Jisc security conference, 9-11 November 2021.