Cyber Security updates
Sign up to myFT Daily Digest to be the first to know about Cyber Security news.
When two Amsterdam-based universities accepted funding for research on artificial intelligence and internet search from network technology group Huawei last year, the decision raised eyebrows. While the US government was pointing to security risks and pressing European allies to join its decoupling efforts, Chinese companies continued offering enticing research and development investment deals, seen as part of the country’s soft power arsenal.
Fortunately, many research collaborations are not risky, and academic co-operation existed long before Beijing’s Belt and Road Initiative. However, identifying exactly when a constructive effort may carry a risk of intrusion is a challenge, one often left to universities themselves. And as digitisation intensifies, assessing security threats in strategically sensitive contexts becomes ever more complex.
Western intelligence services say that universities and other knowledge hubs, such as hospitals and labs, have become the focus for foreign intelligence gathering efforts. Students and PhDs from Iran, North Korea and China have been used as an advanced guard by state services. To make things worse, educational institutions have also become lucrative targets for hackers and ransomware gangs.
The autonomy of universities allows them to research and govern independently. But combined with lock-in contracts with big software vendors, this also means that they are responsible for cyber security and other strategic matters, despite lacking the expertise and manpower to ward off the attention of foreign states. To avoid future security breaches, we need more legal clarity about what is considered to be critical knowledge infrastructure.
Surprisingly, universities are currently not treated as part of the critical infrastructure for which many governments roll out extra protections. When, at his June meeting with Russian leader Vladimir Putin, US president Joe Biden declared 16 sectors to be “off-limits” to cyber attack, education was not included.
Protection for critical infrastructure is often awarded using 20th-century criteria. While it is crucial to protect essential physical structures such as satellites, roads, electricity grids and water filtering plants, today, “hard” and “soft” infrastructure is often intertwined in technological ecosystems. Leaving data and knowledge centres unprotected means significant information remains unnecessarily vulnerable.
Digital infrastructure is seen as particularly important from a national security point of view, yet knowledge assets often enjoy less protection. As digitisation blurs the lines between hard and soft infrastructure, the protection of physical plants, hospitals and buildings is no longer enough.
In academic institutions, IT security is a job for on-site experts, rather than the leading experts in the country. Attackers exploit any weak links, human or digital, and benefit from the lack of streamlined response once an attack does happen. A new category of critical knowledge infrastructure would ensure the protection not only of essential hardware but also related data and information. If an attack does happen, accountability mechanisms and sanctions should then kick in.
We cannot expect professors and systems engineers to be aware of the latest hacking methods. So, without compromising academic independence, designating critical knowledge infrastructure will help us clarify who is responsible for preventing theft, subversion and intrusion. Ransomware attacks, as well as efforts by foreign entities to gain access to information, have exposed a different kind of weakness in our infrastructure — knowledge — that needs addressing urgently.
The writer is international policy director at Stanford University’s Cyber Policy Center