Last week, the Louisiana State Police Cyber Crime Unit tipped off five institutions—the University of New Orleans, River Parishes Community College, Nunez Community College, Southern University at Shreveport and Louisiana State University Agricultural Center—that their networks had possibly been compromised.
The risks needed “immediate” attention, Quintin D. Taylor, chancellor of River Parishes Community College, wrote in an email to Inside Higher Ed, adding that the coordinated effort also included the Governor’s Office of Homeland Security and Emergency Preparedness.
Without delay, the colleges set to work performing restorative activities on their respective computer networks, according to Meg Casper Sunstrom, deputy commissioner for strategic communications at the Louisiana Board of Regents. This included campuswide internet shutdowns that left many students and faculty members frustrated and without easy or efficient ways to communicate with each other.
Throughout, several of the colleges relied on social media to communicate with their respective communities. The University of New Orleans, for example, in a five-tweet thread wrote that the shutdown was a proactive decision that impacted the campus internet, Wi-Fi, email, Workday and PeopleSoft systems. The thread acknowledged the other affected institutions and clarified that updates would be provided though alerts and on social media. Then the account added, “This is all of the information currently available for release.”
The word “cyberattack” was conspicuously absent when referencing the incident, even if the Louisiana State Police Cyber Crime Unit joined the investigation. That may be because the incident was not a cyberattack, according to some experts.
“I don’t think that the [Louisiana] authorities or schools are trying to hide something,” said Alexandru Bardas, an assistant professor of electrical engineering and computer science at the University of Kansas who researches cybersecurity. “I think that they saw some indicators of compromise and are looking into them.”
But other experts offer another view.
“A vulnerability doesn’t take out email,” said Karen Worstell, senior cybersecurity strategist at VMware. “There is something going on.”
“Faculty members were having to get in touch with students over Facebook. They weren’t able to access any of the systems,” said David Rushmer, director of threat research at Blackpoint Cyber, a leading company specializing in managed detection and response. “Something went horribly wrong … They probably did suffer an actual cyberattack, and they turned everything off in order to mitigate damage.”
U.S. colleges are attractive targets for cybercriminals. Those that experience significant threats to their networks have some choice about when, how much or even whether to disclose the information, which differs from more restrictive expectations in the European Union. Many, as in Louisiana, steer clear of the word “cyberattack,” which leaves some to speculate about what college leaders and authorities know. But these days U.S. colleges are less quick than in the past to blame users when networks are compromised.
The five Louisiana colleges may have sought to “limit the blast zone” by shutting off services until they better understood the problem, according to Worstell. Statements issued in the interim can be “not untrue,” even if some details are omitted.
“As long as you are not arming the bad guys, I’m not a fan of keeping anyone in the dark when it comes to security practices,” Rushmer said. “It’s not really the colleges’ information. It’s personal information.”
How a college responds to an “incident of compromise,” as Tina Tinney, chancellor at Nunez Community College, dubbed the ordeal in a conversation with Inside Higher Ed, may depend on the culture in which it happens. In the European Union, for example, the General Data Protection Regulation dictates how institutions must protect personal data and privacy.
“In the case of a lot of crime, you’re innocent until proven guilty,” said Rushmer. “With the GDPR, you’re guilty until proven innocent.” That is, institutions that experience cyberattacks are assumed not to have done everything in their power to have averted an attack that compromised personal data.
“There isn’t anything like the GDPR over in America,” Rushmer, who is based in the United Kingdom, said. “If an organization has data stolen, it doesn’t really have to go and let people know.”
To be sure, when a U.S. college is hit by a cyberattack, many leaders may elect to share such information. Some may be motivated by a moral obligation. Others may seek to control the media’s narrative. In the case of a ransomware attack, they must also decide whether to pay the ransom.
“A lot of higher education institutions, especially in America, don’t tend to pay the ransomware demands,” Rushmer said. “They’d much rather just claim their insurance premiums.”
In an earlier computing era, security professionals sometimes blamed users, even called them “stupid,” for clicking on phishing links, according to Bardas. But that stance has changed with a more nuanced understanding of the threat landscape. Many professionals now understand that phishing attempts will succeed 100 percent of the time, Worstell said.
“Spam 1,000 people with urgency and a problem to solve, and a certain percentage of those people will respond to that before they realize what they’ve done,” Worstell said, adding that humans are predisposed to want to help in the face of a pressing problem. “It only takes one click for an attack against an entire university to take hold.”
“If there’s a large user base, someone will make the mistake,” Bardas said in agreement.
Cybercriminals can, for example, create a convincing replica of a university’s login page. To spot the fraud, a user would need to look for a small detail, such as the absence of the letter “s” in the http address, indicating that data sent via the website is encrypted.
“If you’re counting on the user finding that small detail every time, that is problematic,” Bardas said. “Defenders always have to be right. Attackers have to be right only once.”
Phishing attempts occur on a near-constant basis, Bardas said. Once a bad actor gains access to a college’s network, it attempts to escalate privileges. That two-step process affords some time to implement offensive or defensive measures.
“If you take a look at our entire data set for, say, over the last 30 days, you’re looking at 88 million-odd events that have happened across all of our customers, and that gets whittled down,” Rushmer said. Of 100 investigations within a single organization, Rushmer offers as an example, only one may be deemed actionable. Most of those actionable events, such as an unusual pattern of login or authentication attempts, are addressed without alerting the community.
“The breadth and scope of what security organizations do for their customers is pretty extreme, and the level of skill that goes into some of the work that we do is pretty high,” Rushmer said.
When a security team cannot keep its work undercover, it is typically empowered by the institution to take precautions, Bardas said. This may include shutting down a system, as in Louisiana.
Colleges may manage their own network security, or they may hire managed service providers.
“Standing up your own security team can be incredibly expensive,” Rushmer said, adding that some level of outsourcing is common. Some providers take full responsibility for network oversight, while others offer limited services. In the latter case, a provider may alert a college of a problem, after which the college would address the concern.
“The problem with any kind of passing of the buck, where you rely on a security organization to tell you to do something, is that, unless you have a team in place to take action, the alert could just be cast out into the void,” Rushmer said. Indeed, a recent Google Cloud security talk indicates that some organizations do not have the ability to translate threat insights into action.
That said, network security companies often promote their services as solutions, but effective strategies often rely on both technology and human oversight, Bardas said.
“In the States, the unfortunate reality is that some universities hire students … who might have basic skills but not necessarily enterprise-level skills,” Rushmer said, adding that security concerns could fall to a student. Ideally, a team that includes junior to senior-level employees, including some who have experienced a variety of threat scenarios, would address security concerns.
Also, college cybersecurity teams do not often include their institution’s cybersecurity researchers in their day-to-day efforts, including by giving them access to real data, Bardas said. Some experts see that as a missed opportunity to involve more people with professional expertise and vested interests.
Colleges are extraordinarily dynamic computing environments, according to those consulted for this story. For example, students are both clients and stakeholders. Many are not technically savvy, and most bring their own devices. Students also turn over regularly due to admissions, study abroad programs and graduations. Those who are concerned about the high cost of college may be especially susceptible to phishing attempts that purport to concern their college account, Rushmer said.
Researchers, visiting faculty and adjunct instructors add to the mix of people arriving and leaving or logging in from far-off corners of the globe. Also, colleges often have standard naming conventions for students, faculty and staff emails, which makes phishers’ work easier to automate.
“Everything you need to pull off an impersonation of an individual is pretty much kept on databases within the college,” Rushmer said.
Meanwhile, colleges manage a lot of money, and their intellectual property also has value. College leaders may be reluctant to erect too many guardrails out of concern that doing so may stifle research. At the same time, security teams are increasingly asked to do more with less.
“Higher ed is a very big target to hit, and you don’t necessarily have to be very accurate,” Rushmer said.
In the past five months, seven Louisiana colleges have been struck by apparent cyberattacks. In addition to the five that were impacted last week, Xavier University in New Orleans suffered a ransomware attack in November. The gang, which was known for targeting colleges, said it leaked sensitive data after the university declined to pay ransom. Also, Southeastern Louisiana University was hit by an attack last month that shut down its internet, website and email for almost three weeks.
Most of the colleges whose networks went off-line last week were largely back to normal this week, though significant details of the event remain unclear.
“Each of these institutions is restoring its individual network at a pace proportionate to their current network architecture, available resources, and required applications. These restorative activities were coordinated between the universities and state cybersecurity experts,” Sunstrom said in a statement.
Sunstrom offered the following progress reports by email, current as of March 28, concerning the five institutions:
The Louisiana State Police Cyber Crime Unit’s investigation continues, according to Sunstrom.
During this story’s reporting, most of the affected institutions either responded to requests for comment or provided information concerning developments that was easily findable on social media.
But the Louisiana State University Agricultural Center was an exception. On its Facebook page this week, the institution featured a post about an attack of sorts that garnered more than 10,000 reactions. Though the post made no mention of real or averted cybercriminals, it offered advice for mitigating harm from the bright-pink eggs of apple snails, an invasive species in Louisiana.
“Destruction of the eggs should be done using an implement to knock egg masses into the water, where they are prevented from hatching,” the post said. “Skin exposed to apple snail eggs should be washed immediately. The eggs contain a protein neurotoxin called PcPV2, which has been shown to be lethal to mice and it can cause irritation of the skin and eyes of humans.”