The Australian National University’s Vice Chancellor Brian Schmidt talks about lessons learned after its devastating data breach in 2018 and explains why cybersecurity is everyone’s responsibility.
It was just two years after Professor Schmidt was appointed as vice-chancellor of ANU that “sophisticated attackers” sent a malware-laden phishing email to a senior ANU employee that gave the attackers credentials to a highly privileged account and access to the university’s broader IT infrastructure.
The breach exposed email usernames, passwords, emergency contact details, tax file numbers, payroll information, bank account details, passport information, student academic records and more.
Professor Schmidt, who worked as a system administrator in his undergraduate years in the US, discovered the importance of cyber security after he downloaded a password cracker and found he could crack the passwords of 75 student desktops in about 10 seconds.
“I realized vulnerability right then and so I’ve been always very aware since,” he told a virtual panel discussion hosted by the Australian Society for Computers and Law.
When Professor Schmidt arrived at ANU in 2016, he saw “pretty serious systemic issues”, but knew that changing a university network that had been “glaciated since 1972” would be difficult because universities don’t turn systems off and have a lot of legacy internet infrastructure.
Professor Schmidt was commended for his transparent data breach disclosure report in June 2019, almost six months after the breach occurred, but just a few weeks after it was discovered. The report included a detailed timeline of events that and information about the university’s phishing defence training programs.
But ANU had also been breached previously, reportedly at the hands of state-backed hackers from China. After that incident, in 2018, he received some stern words from Australian intelligence and defence officials that prompted him to invest in ANU’s cybersecurity capabilities.
Referring to the alleged China hack, he said he realised ANU’s network had been “well and truly compromised”.
“It turned out that [the attackers] were sort of using it as a sand pit to train their staff because they don’t appear to have stolen anything,” he recalls.
“I had a good talking to from various people across the lake here in Canberra that I had to raise my game. I said, ‘Okay, I need some help,’ and we started a major program of figuring out how do we make ourselves safe in the modern era.”
While ANU outsiders were “obsessed” with how much intellectual property had been stolen in the later attack, Professor Schmidt saw a bigger problem: people not feeling safe using ANU IT systems. He notes that women at ANU from the Middle East are tackling feminist issues.
“They need to be able to do that and not feel like their family is going to get locked up,” he said.
The conversation he had with the Australian Signals Directorate (ASD) and the Australian Security intelligence Organisation (ASIO) after discovering the breach in May 2019 was a very different one to the earlier discussion.
In October 2018, Schmidt hired ANU chief information security officer Suthagar Seevaratnam to oversee the university’s cybersecurity programs. Australia’s notifiable data breach legislation had been in place since 2017, and Mr Seevaratnam told Professor Schmidt that “we definitely have a reportable breach — I can see that the data has left.”
“But by building up our capability we were suddenly able to detect things quite frankly we have never been able to detect in the past,” said Schmidt.
“We immediately reported to ASD and to ASIO, and instead of being really mad at me like they were the year before, they said, ‘You’re the first organization that’s ever caught something that sophisticated.’ So they were really excited.”
Interestingly, Professor Schmidt is less concerned by state-backed hackers than cybercriminals.
“If it’s a state-run actor they’re kind of nice inside your domains, the don’t destroy things. But if you get a bunch of criminals in there, they hold you hostage and they literally destroy the joint.”
Watch the corresponding webinar, “Who is watching? Cyber security and Australian Universities” hosted by the Australian Society for Computers and Law.
Do you know more? Contact James Riley via Email.
That ANU detected the mechanics of the incident, very quickly, is commendable. That they published a report having a level of detail from which some lessons can be learnt is equally commendable.
While Prof. Schmidt may well be correct in his views about “State actors being less destructive”; he does not suggest that a State-Actor will not acquire valuable IP/Intelligence and use it to advantage within their local settings.