Thursday, May 5, 2022  |  Category: Eduvation Insider

Today’s Existential Threat

Good morning, and happy Cinco de Mayo!

Apologies to those of you who missed me for more than a fortnight – somehow the “extended break” I announced before Easter turned into a mini-sabbatical, as a book-length report demanded my full attention. (Thanks so much to those who inquired after my health, but no, so far I have not caught COVID19.)

Of course, I also really have to say “May the Fourth be with you” (belatedly), since yesterday was Star Wars Day! (Some institutions got into the spirit – see #ICYMI, below.) Some fanatics also recognize “Revenge of the Fifth” today – but if you’re not a devotee of Lucasfilm, you can instead celebrate midwives, fingernails, hoagies or garden sheds.

More seriously, today is also “World Password Day,” when you’re encouraged to change your thousands of passwords to shore up your privacy and cybersecurity. (Chances are, your IT department forces you to change passwords more than once a year anyway.) Cyberattacks have been on the rise throughout the pandemic, but particularly in recent weeks…

21st Century Warfare

Hackers aren’t just criminals hoping to hold your data hostage, or share your most embarrassing selfies with the world. Increasingly, they’re an invisible army being deployed by nations against each other…

Putin’s Specialty

Since Donald Trump publicly asked Russia to hack Hillary Clinton’s emails in 2016, it’s been clear that Moscow has developed one of the most sophisticated cyberwarfare capabilities in the world. The Kremlin has a network of state-sponsored hackers, giving the government plausible deniability – if attacks can ever be traced back to them at all. China is no slouch either: their hackers have penetrated at least 6 US state government networks via a livestock disease tracking platform. The worst-case scenario isn’t just espionage, lost data, or disrupted telecom or banking networks: attacks have been proven capable of shutting down and even permanently damaging gas pipelines, steel mills and electricity grids.

“A serious cyberattack can have a similar impact to a natural disaster, knocking out essential infrastructure and creating cascading crises.” – Stuart Madnick, professor of IT, Engineering, and Cybersecurity, MIT

Attacks on Ukraine

You may recall that one of the earliest of my 14 Ukraine issues focused on “the War in Space and Cyberspace” (back on Mar 4). I summarized how the Russian FSB has been linked to numerous hacks into Ukrainian military networks, US defense contractors, and the Kyiv Post. Since then a 3rd wave of malware, “CaddyWiper,” has been detected on Ukrainian systems, and GRU hackers have attempted to blackout Ukraine’s electrical grid for the third time since 2016. It has also become clear that Russian hackers managed to knock out Viasat’s internet satellite service just as troops crossed the border, knocking tens of thousands of Europeans offline in 55 countries from Poland to France – including Ukrainian military communications, of course. (It also impacted 5,800 wind turbines in Germany.)

Ukraine Strikes Back

On the other side, Ukraine has amassed an international volunteer “IT Army” of some 300,000 “hacktivists”(including “Anonymous”) who have been relentlessly attacking Russian and Belarusian targets since the invasion began. I mentioned Mar 4 that they had launched DDOS attacks against the Kremlin, Russian television, and the Moscow Stock Exchange. They have also been disabling the Belarusian train networks that were carrying Russian troops to the front. Ukraine’s digital ministry, formed to digitize government services and deliver “the state in a smartphone,” pivoted to pressuring 50 tech companies to boycott Russia, crowdsourcing data on enemy troop movements, and developing a smartphone air raid siren app.

Energy Disruption

The Harvard Business Review warns that Russia’s cyberwar will inevitably spill over the Ukraine border, and target corporations, institutions and governments considered “friendly” to Ukraine. You may recall that Putin has been “Weaponizing Petrochemicals” as a deterrent to keep others from supporting Ukraine. Long before EU politicians began debating a ban on Russian oil, cyberterrorists had successfully infiltrated more than 100 computers connected to 21 American natural gas companies back in February – “pre-positioning” to shut down competing providers of LNG. (And of course, we saw the disruption caused by the hacking of the Colonial Pipeline, which crippled delivery of gasoline and jet fuel across the southeastern US last May.)

“The most damaging cyberoperations are covert and deniable by design… Some of the most consequential computer network breaches may stay covert for years, even decades.” – Thomas Rid, prof, School of Advanced International Studies, Johns Hopkins U

Attacking NATO

The plausible deniability inherent in cyberwarfare means that, although Putin has yet to target NATO countries with direct military action, his hackers could have been assaulting NATO networks, European politicians and militaries for years. In January, networks at Canada’s Department of Global Affairs were knocked offline for 4 weeks by a cyberattack, as the national cyberspy agency warned of Russian attacks on Canadian infrastructure. (A retired major-general was 100% sure Moscow was responsible.) In March, the National Research Councilreported a “cyber incident” too (although it seemed better prepared, after a similar attack by Chinese hackers in 2014). In April, we learned that the smartphones of at least 5 EU officials were hacked last year using Israeli spyware. This week, we learned that significant data was obtained in cellphone hacks of the Spanish prime minister and defense minister. Yesterday, Google reported that credential phishing campaigns were sent from newly-created Gmail accounts to NATO and EU military recipients. NATO says merely that “we see malicious cyber activity on a daily basis.”

“Cyber will be soon indistinguishable from what we would see as traditional warfare.” – Ray Boisvert, formerly of Canadian Security Intelligence Service (CSIS)

Unfortunately, the true scope of cyberattacks in Ukraine and beyond remains unclear, because the vast majority are “playing out in the shadows,” and the victims avoid publicity. The same is true elsewhere…

PSE Cyberattacks

I’ve written before about cyberattacks on higher ed, notably in “Cyber Cat and Mouse in the Matrix” (Jan 21 2021) and “Deficits, Data Breaches and Determination” (Feb 19 2021). With the pandemic, suddenly campus servers and websites became the entire campus, and network security became a lot more vulnerable once thousands of staff and students were given remote VPN access. The cost of cyberattacks reached $6 trillionlast year. Now, Moody’s Investor Service warns that cyberattacks are posing credit risks for PSE, and one ransomware attack helped completely destroy a small private college…

A Quick Recap

Way back in 2016, uCalgary fell victim to a cyberattack and UNB was tracking up to 185 million brute force intrusion attempts a week. In 2020, ransomware attacks hit SFU, Michigan State, UCSF, and Columbia. uUtahmade headlines paying hackers a $460,000 ransom. A Blackbaud data breach affected alumni at Western,uManitoba, uRegina, Trent, and St Lawrence College (and likely others). Saskatchewan Polytechnic was knocked offline and took months to fully recover. More attacks came to light in 2021, at SFU, Lakehead, and Laurentian – where a pending data breach class action lawsuit was among the institution’s list of supposed “creditors.” (More about Laurentian one of these days.)

“What the other members of your household do on that computer impacts the security of your university. Vulnerabilities in your home Wi-Fi network become university vulnerabilities.” – Ray Schroeder, Inside Higher Ed

Ramping Up in 2021

Just as the pandemic evolved in its second year to cause us new headaches, so did cyberattacks. China’s “Hafnium” hack of Microsoft Exchange servers compromised as many as 60,000 organizations last February, including the European Banking Authority (and doubtless scores of higher ed campuses). The Netherlands Organization for Scientific Research was paralyzed for months by a ransomware attack that left Dutch researchers unable to apply for funding. Last April, uColorado faced a highly-public cyberattack that saw personal information of students, donors, and patients leaked online when they refused to pay a $17M ransom. For several days last May, the websites of StudentAidBC and LearnLiveBC were shut down by hackers, but no personal information was compromised.

CdnPSE Dominoes Fall

Last summer, we saw an “IT security incident” impact “a very small number of systems” at McMaster, including residence acceptances and grad school admissions, but no data was lost. George Brown Collegereported a “suspected malware infection,” Sault College an “attempted cyberattack” (which prompted a month of recovery efforts), and uWindsor a “PrintNightmare” that shut down campus printers. We learned in March that a former student successfully extorted almost $300,000 from La Cité Collègiale, using Russian “ransomware as a service.”

Juicy Targets

College and university campuses make juicy targets, because they invest mightily in information archival and knowledge generation, and distribute access to large networks widely among staff, faculty, students, and research partners. (Plus academic culture reveres openness, transparency, and academic freedom, which compounds the risk.) A new Sophos survey claims that ransomware attacks hit 64% of PSEs worldwide last year (double the proportion in 2020), and 50% of them paid a ransom to restore about 61% of their data. About one-third reported that cyberinsurance paid the ransom – which is why cyberinsurance providers are increasing their demands for multi-factor authentication, antivirus protection, immutable backups, and robust systems for privacy and patch management. The average cost of resolving a PSE cyberattack hit $2.7M last year – far more than private sector organizations. Those conducting medical research, or with affiliated hospitals, have been particularly attractive to cybercriminals during the pandemic.  Campus Technology  |  University Business  |  Forbes  |  Inside Higher Ed

“[Cyberattacks] can pose existential threats to any organization—large or small, public or private. If you cannot operate your business, if you can’t operate your college, then you may not be able to exist.” – Henry Stoever, CEO, Association of Governing Boards of Universities and Colleges

Most Recently

Just last week, Tennessee’s Austin Peay State U cancelled final exams on Friday due to a ransomware attack. This week, Kellogg Community College in Michigan cancelled classes “indefinitely” at all 5 campuses following a ransomware attack. And in perhaps the most extreme example yet, 157-year-old Lincoln College in Illinois is shutting down permanently next week, in part thanks to a crippling cyberattack late last year. (Lincoln’s cyberinsurer paid less than $100,000 in ransom, but it took months to recover access to enrolment and advancement systems.)

“Lincoln College has been serving students from across the globe for more than 157 years. The loss of history, careers, and a community of students and alumni is immense.” – David Gerlach, president, Lincoln College

Fighting Back

PSE institutions are, of course, filled with brilliant ITS experts and researchers, so they don’t have to take cyberattacks lying down. McGill launched a cybersecurity awareness campaign and microsite, “Secure Your Journey,” in early 2021. uWindsor announced the SHIELD Automotive Cybersecurity Centre of Excellence. Polytechnique Montréal launched a Maritime Cyber Security Centre of Excellence. NSERC-funded researchers were given new National Security Guidelines for Research Partnerships last March. And this February, the National Cybersecurity Consortium was charged with leading a new Cyber Security Innovation Network, involving hundreds of researchers at 35 CdnPSEs.

200 Worst Passwords

What we can all do, of course, is choose and change complex, secure passwords regularly. Cautionary tales are always good fun, so let’s consider NordPass’s “Awful Password List” for 2021. The top 20 worst passwords include “123456789,” “aa12345678,” “000000,” “qwerty,” “password,” and “abc123.” (Less obvious are “iloveyou,” and “baseball.”) “Unfortunately, passwords keep getting weaker, and people still don’t maintain proper password hygiene.”

Come on people, we’re supposed to be smarter than that!

#ICYMI

On a lighter note, here are a couple of videos released by universities yesterday, in honour of Star Wars Day…

Robots and Light Sabres!

Birmingham’s South & City College has appeared in my collections of April Fool and Christmas videos before, and their robotic mascot Simon is a natural fit for a celebration of Star Wars. In this silly, 90-sec vid, an urgent holographic message from “Principal Mike” tells Simon he’s “my only hope” to get the word out to students about Star Wars Day. (He seems to spend most of his time playing with a light sabre, really.)  YouTube

Physics of Hyperspace

uGuelph physics prof “the Great Orbax” explores “the science behind space travel in Star Wars and Star Trek” in the 3rd episode of “Reel or UnReal.” This 5-min vid features tons of rapid cuts, special effects, and over-the-top facial hair for an entertaining comparison of hyperdrive and warp drive, and an exploration of time dilation effects, mass shadows, and more. Ultimately, Orbax gives us the final word on the competing speeds of the Enterprise vs the Millennium Falcon. It’s a fun example of YouTube outreach designed to appeal to younger attention spans, and its release on May the Fourth was a stroke of brilliance. (It was certainly timely for me!)  YouTube

As always, thanks for reading!

As I navigate my own gradual “re-entry” to publishing the Insider, I’ll take a couple of days to prepare another issue for Monday.

Meanwhile, stay safe out there – practice good password hygiene, and pandemic hygiene, as we all start returning to campus and conference season once more.

Have a great weekend!