Are Canadian universities vulnerable to cyberattacks? Not according to them. Unless regular operations are affected, very few postsecondary institutions report being victims of cybercrime. Case in point: when a major security flaw was discovered in December 2021, it wasn’t until the Quebec government demanded that all exposed sites, services and systems shut down as a “preventative measure” that many Quebec universities acknowledged it. The Université de Montréal’s response was similar when it was the subject of a global ransomware attack a few years ago.
This relative radio silence gives the impression that public institutions like universities are immune to cyberthreats. But experts consulted by University Affairs say the reality is likely quite different. “The little data we have comes largely from British cybersecurity centre reports, which show just how vulnerable universities are to these very real threats,” said Benoît Dupont, a professor in UdeM’s school of criminology and Canada Research Chair in cybersecurity.
Jisc, a U.K.-based organization whose mission is to digitally empower the country’s higher education institutions, conducts a survey every year to see where things stand. The most recent results, published in November 2021, found that approximately 60 per cent of the 166 colleges and universities surveyed had reported a cyberattack in the previous 12 months. The survey also found a huge increase in ransomware attacks in the higher education sector.
The COVID-19 pandemic has contributed to this phenomenon. The public health crisis forced Canadian universities to move everything online. Their IT infrastructure became a lifeline almost overnight, making them more attractive targets. “The risk of cyberattack was high before March 2020 and it’s just as high now. The COVID curveball has made the university community aware of its own vulnerability and the importance of developing responsible digital behaviour,” explained Mohammad Mannan, associate professor at Concordia University’s Institute for Information Systems Engineering.
New Cyber Security Innovation Network
On Feb. 17, the Government of Canada announced the creation of the Cyber Security Innovation Network, which will be led by the National Cybersecurity Consortium. The consortium was created in 2020 by the centres of expertise in cybersecurity at Concordia University, Ryerson University, University of Calgary, University of New Brunswick and University of Waterloo. This newly created network will receive $80 million in funding over four years, and will have the mandate of “enhancing research and development, increase commercialization, and developing skilled cybersecurity talent across Canada,” as explained in the press release announcing this initiative.
Look for a more detailed University Affairs article on this network in the coming weeks.
Another challenge is that institutions have to balance security concerns with their mission. Practices rooted in academic freedom mean larger networks that are by nature more exposed. “This culture of openness and transparency is vastly different compared to private sector businesses,” said Nora Boulahia Cuppens, a professor in the department of computer engineering and software engineering at Polytechnique Montréal. She believes we have to stop thinking of cybercriminals as scammers hiding behind their keyboards. “Cybercrime can also be an inside job.”
A danger among us
Now more than ever, research relies on national and international partnerships between a multitude of stakeholders, including researchers, organizations and research centres. But would-be attackers could be hiding under the guise of collaboration. That’s why the Canadian government took action in March 2021 by introducing National Security Guidelines for Research Partnerships “to protect Canadian research and intellectual property against foreign interference, espionage and theft.”
Going forward, applications for funding under the Alliance grant program administered by the Natural Sciences and Engineering Research Council of Canada (NSERC) for research partnerships involving one or more private-sector organizations must also include a risk assessment. “Projects that are deemed high risk, or where the risk cannot be mitigated, will not be funded,” Minister of Innovation, Science and Industry François-Philippe Champagne announced in a press release.
For now, the guidelines only apply to a small number of grants in research areas considered “strategic,” such as artificial intelligence, nanotechnology and biofabrication. But it’s only a matter of time before they’re expanded to include other fields, according to Dr. Dupont. “Research teams will be held accountable for risk management, and cybersecurity in particular. Sooner or later, universities will have no choice but to get on board,” he said.
And some may have a lot of catching up to do. “The methods universities use to take action on data protection and cybersecurity are limited. Awareness campaigns just aren’t going to cut it,” said Dr. Dupont, who is also one of the brains behind an open online course on cybersecurity in academic settings titled “La cybersécurité en milieu universitaire” (which is available in French). Universities can start by investing in simple safeguards, like setting up multifactor authentication for those who use their IT infrastructure, as well as routinely using virtual private networks to access sensitive data from outside the institution.
And in the long term? Everyone in academia must take responsibility for cybersecurity – starting with students, who make up a majority of the university community. “They are agents for change. They’re the ones who will be dealing with tomorrow’s threats, like quantum computing and 5G, which will increase the potential target areas,” warned Dr. Cuppens, who co-organized an ethical hacking competition in early February. “It’s a way to get our students thinking about cybersecurity issues,” she said.