October is European Cybersecurity Month. All hands on deck!

October is European Cybersecurity Month and the perfect opportunity to highlight this topic. Historian Kenneth Lasoen is an intelligence specialist and with his academic expertise he helped formulate a vision statement of the Flemish Interuniversity Council – Knowledge Security. The statement describes several measures to reduce the risk of foreign interference. Naomi Huygen, Security & Risk Officer of the ICT Department, explains what the risks and consequences of foreign interference can be for our university and what good cyber hygiene means.

In May, the Flemish Interuniversity Council – Knowledge Security published a vision statement describing several measures to reduce the risk of foreign interference at universities. Foreign interference? Really? Yes, really! Kenneth Lasoen, researcher at the Faculty of Social Sciences and intelligence specialist, helped formulate that vision statement and also devised a training course around it.

‘Foreign interference at universities happens more often than you think and is often very subtle’, he clarifies. ‘A lot of intelligence agencies deliberately send out researchers to do PhDs at Western universities. This sounds very attractive at first: the PhD student in question indicates that they do not need funding, but would just like to do a PhD with us. But sometimes that often very loyal and motivated student is pressured by their home country to steal knowledge.’

Counterintelligence

Counterintelligence is needed to detect and counter spying activities by foreign intelligence agencies, but at the same time that is where the shoe pinches, as Kenneth explains: ‘We are knowledge institutes and the idea is to generate and disseminate knowledge. This is at odds with shielding that knowledge from certain parties. But it is obviously unacceptable that tax money goes to institutes to generate knowledge, only for that knowledge to be stolen and used by other parties without any benefit to us. So we need to strike a balance between counterintelligence and “knowledge security”. Above all, we need to make university staff aware of what knowledge security means.’

École de guerre économique

Raising awareness means, first of all, understanding that there are countries that employ or send people to tap knowledge from other countries to get ahead economically, Kenneth says. ‘Those countries want to further their “development” without “research”. That kind of economic espionage is widely practised by a lot of intelligence agencies. The Russian secret service, for example, has always had a Technology Department whose main purpose was to steal foreign knowledge. But the French are also notorious for this. By the way, did you know that there is an “École de Guerre Economique” in France where you can get a master’s degree in espionage? The purpose of the study programme is to learn how to steal technological knowledge. Even the Americans – who are often the victims of this kind of economic warfare – have had a hand in this. But China, Iran, South Africa, etc. are also on the list of countries that engage in knowledge theft. It ranges from the theft of plans for F16s to voice technology.’

Cyber-attack

‘Exactly two years ago, in October 2019, our university was hit by a serious cyber-attack’, Naomi Huygen of the Infrastructure & Communications Department adds. ‘That attack mainly affected computer systems used for administration, but the payment systems of student restaurants were also affected. Fortunately, nothing was stolen and no data was leaked, but the story could have been different.’

‘For example, Iranian government hackers successfully attacked three Dutch universities and a university college in 2020. The intention was to steal academic knowledge and make it available for cheap to Iranian students. This case involved “good use” of hacked materials, but they could just as easily have captured sensitive information on behalf of Iran’s nuclear programme. That would have been unfortunate.’

Being aware

So what specific measures can we take to reduce that risk of foreign interference? ‘There is some reluctance towards implementing drastic measures’, Kenneth says, ‘because of our mission to generate and share knowledge. But one of the first steps we can take is to think carefully about who we bring into our university. If you get an unexpected email from a student who very much wants to do a PhD for free and for nothing, ask yourself: where did that student get funding? And where does that student come from? Do they or the university they come from have links with intelligence agencies there? Does that person have a hidden agenda? A next step is then to check what access rights that person has at our university and how easy it is to copy or steal research data. In case of actual knowledge theft, the residence permit should be able to be revoked.’

Basic cyber hygiene

Another important measure is to maintain good basic cyber hygiene. In 2019, our university launched the ‘ICT Safety Collective’ which gives staff regular tips on how to protect themselves. Naomi sums up the most important tips: ‘First and foremost, install good antivirus software. And make sure your applications are protected with unique and complex passwords. Be sure to not choose one word that you reuse everywhere, but choose, for example, some funny phrases that you can easily remember. By the way, to find passwords quickly, you can use a “password manager”. This way, you only need to remember one password to access your password database. Use a VPN connection when surfing public websites. A VPN connection hides your data traffic online and protects it from external access. Make sure to always encrypt sensitive data.’

Social engineering

‘Just because you don’t directly deal with academic knowledge does not mean you cannot be a target of a cyber-attack’, Naomi explains. ‘For example, hackers can use your account to quickly get in touch with colleagues who do possess that knowledge. Hackers generally have a lot of time and a lot of patience: step by step, they try to penetrate the university from all sides. Anyone can be targeted. We should also be aware that there is such a thing as “social engineering”: the cyber-attacker will always try to capitalise on human traits such as curiosity, greed, fear, etc. They will try to gain your trust, or try to scare you, so that you end up passing them personal information, such as your password or your bank account number.’

Phishing simulations

‘Too many people are still unaware of the dangers of the internet’, Naomi believes, ‘but we do notice that the topic has become more prevalent in recent years. For example, since that cyber-attack, we regularly send “phishing simulations” to staff inboxes to see how members of staff respond to them. Fortunately, we score pretty well on that. We are looking into doing the same with students. For those phishing simulations, we work with the company Phished, which completely automatically sends out personalised phishing emails based on artificial intelligence. As a university, we pioneered such a collaboration. A few other universities have since also started using simulations.’

How can you guard yourself against these phishing emails? ‘Do you get a weird or unexpected question? Don’t know the sender? Do you know the sender, but are they using a strange email address? Do you “urgently” need to do something? Are you being asked to transfer a payment even though you don’t have the rights to do so? These are all signs that this could be a phishing email. In doubt? Then send an email to abuse@uantwerpen.be and we’ll let you know right away whether it’s a legitimate or phishing email. If you report those strange emails properly, we can also better protect other colleagues.’

Multifactor authentication

‘Our university has recently also been focusing on implementing “multifactor authentication”’, Naomi says. ‘That means you have to provide a second factor besides your password to access your data, for example an extra code on your mobile phone or a second notification point to approve your access. This is a very big improvement in terms of security. With multifactor authentication, someone can no longer get into your account purely with your password; they need your mobile phone too.’

‘Yes, there will still be cyber-attacks on educational institutions anyway and knowledge will still be stolen unlawfully’, Kenneth and Naomi both know. ‘We have to constantly keep our systems up-to-date because new vulnerabilities are discovered all the time’, Naomi explains. ‘And we need to maintain our focus on new threats. The cyberwar with foreign powers is one that is difficult to win.’