Universities moving to online fall classes must secure their systems, experts say

WASHINGTON — It’s clear that many college students this fall will still be attending classes virtually. And as schools rush to improve the online learning experience, they’ll also be hoping to ensure their Zoom classrooms don’t have any uninvited guests: hackers looking to exploit the massive shift going on nationwide to web-based education.

“The hazard is greater now than it used to be for universities. We are increasingly moving into an online world, so everything is moving into the digital route and, with the pandemic, that has been accelerated overnight,” said John Hale, a faculty research scholar and at the University of Tulsa’s Institute for Information Security and chairperson of the computer science program.

“This is a particularly vulnerable time for us because we haven’t had enough time to mature our cybersecurity process,” he said.

Cybersecurity is something that many organizations often don’t prioritize, Hale said, but the pandemic and the surge in cyberattacks this year has highlighted the importance of having secure systems and networks.

Earlier this month, Michigan State University said it had been the victim of a ransomware attack on Memorial Day that took computer systems offline within hours of the intrusion, according to a release.

Hackers also attacked the University of California in San Francisco, whose researchers are leading antibody testing research and clinical trials for a possible coronavirus treatment.

In May, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) alerted that essential services, like universities, involved in COVID-19 responses were more prone to cyberattacks.

Many universities, including Stanford and Simmons University among others, have already decided to resume online classes in the fall, and some have already set up measures to secure their networks and platforms. Other schools have chosen to implement a hybrid program, a mix of online and on-campus classes, but details on deciding what classes will be online haven’t been made public yet.

“[Universities] have to do better, obviously, because they move too quickly. But with six months to prepare, they should be able to do well this fall,” said Paul Rosenzweig, who studies the intersection of national security and cybersecurity as a senior resident fellow at the think tank R Street Institute.

Privacy is also a concern for universities

The rush to move to online platforms in hopes of avoiding disrupting classes mid-semester introduced vulnerabilities to universities and research centers, as students and faculty weren’t prepared nor knew how to use the designated learning platforms, such as Zoom, which has received criticism for its privacy practices.

Stanford announced in April that the university would stop using Zoom data centers in China and Hong Kong “as a precautionary measure arising from privacy and security concerns.” Additionally, the university will be requiring users to set passwords to enter meetings and webinars, a measure Rosenzweig has said all universities and organizations should implement as soon as possible.

To improve online systems and prevent some of the most common types of cyberattacks, Rosenzweig said, universities should update the systems and patch vulnerabilities; train employees to understand the risks and learn how to use the platforms safely; and implement tools that will limit the how people can attack them, like enabling the waiting room in Zoom conferences.

“The reason we didn’t have that before is that so many people didn’t know to do that. Many people didn’t understand the risk. So, it’s really just a question of training and responsible use of technology,” he said.

Since universities started exposing their “zoombombing” attacks, when unwanted intruders disrupt Zoom conferences, some have questioned if Zoom is the safest, or the best option for professors to use. But, according to Hale, all virtual meeting platforms, including Skype and Google Meet, have vulnerabilities that could be exploited by foreign agents. Universities should select the platform they want to use based on what the system can support and then make sure to patch any vulnerabilities.

But colleges and universities are clearly not the only organizations at risk.

In May, the FBI and CISA formally accused China of conducting cyberattacks against U.S. research organizations to gain access to crucial information related to the virus’ research, which “jeopardizes the delivery of secure, effective, and efficient treatment options” including the development of vaccines, according to a joint statement.

To protect their research from state-sponsored threat actors, some universities in the U.K. have partnered with the government or private groups. The University of Oxford, which has focused on developing a vaccine and recently started human trials, has teamed up with the government’s NCSC to ensure the systems are secure against any attack. The university has also teamed up with the U.K.-based biopharmaceutical company AstraZeneca in an effort to distribute and manufacture the vaccine more rapidly, the university announced in April.

As states continue to lighten confinement rules and universities decide if in-person classes will resume in the fall, Hale and Rosenzweig agreed cybersecurity should not be put on the back burner as it has been in the past.

“We need to be incredibly agile and we have to be prepared to move classes back to online, even if [universities] are planning for an in-person classroom experience,” Hale said. “You have to recognize the situation is very fluid, and you have to prepare everyone for a sudden, overnight change in plans.”