With more researchers moving from the laboratory to their living room, now is the time for universities and other institutions tackling the coronavirus to take a hard look at their cybersecurity strategies.
Chinese hackers are interested in stealing research on vaccines and treatments for the virus, the FBI and the Cybersecurity and Infrastructure Security Agency recently warned. Universities and other research institutions should assess their information technology systems and training to ensure they’re protected, cybersecurity experts say.
“It’s just kind of a good time to look at maybe data processes and technologies, and making sure they still meet your needs,” said Kim Milford, executive director of REN-ISAC, which promotes cybersecurity at colleges and universities.
The warning comes amid concerns over researchers who take money from foreign governments while working on National Institutes of Health grants only to create shadow labs in other countries. Federal attorneys last week arrested a former Cleveland Clinic researcher accused of participating in a Chinese program that recruits researchers with access to or knowledge of foreign technology and intellectual property.
Universities have ramped up their information technology and other systems over the past seven years in response to foreign threats to engineering, science, and technology schools, Milford said. Two-factor authentication has become standard, and universities are better at collecting and analyzing network information, flagging suspicious activity, and shutting it down if necessary. But cyber invaders always find new ways of getting in.
“The massiveness and rapidity of the global effort to develop and deploy treatment and vaccines for COVID-19 creates vulnerabilities in the security of research information,” Valerie H. Bonham, an attorney in Ropes & Gray LLP’s health-care and life sciences practice and former NIH counsel, said.
While protecting their systems, researchers still need to be able to securely share their information, Heather H. Pierce, senior director of science policy and regulatory counsel for the Association of American Medical Colleges, said.
“Without the quick sharing of the virus samples, the sequencing of the genome and the rest, we wouldn’t be as far along as we are,” Pierce said. “The same balance of trying to ensure rapid collaboration while being appropriate stewards of sensitive information, federal funding of research and early stage research results or intellectual property that could benefit not just Americans, but the world, is important.”
With closed campuses and limited hiring, anyone interested in stealing research isn’t likely to have direct access to Covid-19 health or research data.
That means hackers will to try to take advantage of shared computers and at-home networks, Milford said.
“They’re going to try to find ways to leverage the relaxed at‑home work status,” Milford said, unlike on-campus networks that scan computers to see if there’s personally identifiable information on it. “They can say, ‘Hey, what are you doing with Social Security numbers?’ That’s really hard to do when I’m on AT&T’s network.”
There’s been a massive increase in phishing using Covid-19 as a threat, with campus networks seeing double the amount of traffic, Milford said.
“Phishing is still the most effective front door,” she said, “It’s not a different threat, but there is increased threat because everyone’s using Covid as an attractive lure to get people to click.”
Universities already have been doing what the FBI recommended in its advisory, such as issuing IT patches for any vulnerabilities and actively scanning web applications for unauthorized access, Toby Smith, vice president for policy at the Association of American Universities, said.
More Guidance Sought
Still, universities want clarity on additional actions they should take, whether there have been verified attempts to hack research data, or if they are seeing increased activity data and should just keep doing what they’re already doing.
“Right now trying to address it with what we know would be like trying to hit a nail with a blindfold on,” Smith said. “We are taking this alert very seriously and we’re in communication to try and understand exactly what more and where our efforts should be directed to ensure and maximize our ability to protect information that might be at risk.”
Ideally, responses to the FBI warning will involve both technical fixes along with education and training, Bonham said. In seeking to understand and apply these warnings, research institutions need to work with both IT security and research administration staff.
“It’s Whac-A-Mole. We build the defense. and they figure out a new offense,” Milford said. “Then we build defense to match that offense and they jump to something else.”