The higher education sector in Australia could soon find itself considered as “systems of national significance“, with the government ready to enforce an “enhanced framework to uplift security and resilience” upon universities via the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
The Group of Eight (Go8) — comprising eight Australian universities — believe the government has in fact not yet identified any critical infrastructure assets in the higher education and research sector and, therefore, does not feel higher education and research should be included as a critical infrastructure sector, given the regulatory ramifications.
“The Go8 considers the catch-all nature of the legislation as proposed for the higher education and research sector to be highlight disproportionate to the likely degree and extent of criticality of the sector,” it said last month.
The Australian National University (ANU) in late 2018 suffered a massive data breach that was discovered in May 2019, and revealed two weeks later in June.
The hackers had gained access to up to 19 years’ worth of data in the system that houses the university’s human resources, financial management, student administration, and “enterprise e-forms systems”.
Then there was Melbourne’s RMIT University, which last month responded to reports it fell victim to a phishing attack, saying progress was slowly being made in restoring its systems.
While no official attribution has been made regarding who is to blame for the ANU breach, the Australian Security Intelligence Organisation’s (ASIO) Director-General of Security Mike Burgess said he knows, which was enough to set the mind of Senator James Paterson, chair of the Parliamentary Joint Committee on Intelligence and Security (PJCIS), at ease.
“I do know who was behind it. But I would not say that publicly because I don’t believe that’s my role to do so,” Burgess said on Thursday, fronting the PJCIS as part of its inquiry into national security risks affecting the Australian higher education and research sector.
Regarding RMIT, however, the ASIO boss was in the dark.
“It’s not reached my level, not to say someone in my organisation isn’t working on the matter,” he said.
Both the ANU and RMIT incidents were a focus of the committee as it probed representatives from Home Affairs and Education. Paterson was hoping to find attribution, however.
“It has been referred to as an advanced threat actor, but it hasn’t come to the point of a specific deliberation or specification of the country involved, that information has not been identified,” Home Affairs deputy secretary of national resilience and cybersecurity Marc Ablong said.
The specifics of the RMIT incident, which Ablong paints as more of an attack than a systems outage, are still under investigation.
“We wouldn’t want to prejudice our ability to make any judgments about where that’s come from and who’s involved in it until such time, as we’ve got the forensic information to be able to determine exactly what has happened and when,” Ablong said. “But we are aware of the attack and there is investigations underway.”
Discussions around the two security incidents were used by the Home Affairs representative to justify the inclusion of higher education and research in the Critical Infrastructure Bill.
“The threat is very real. It is getting a lot realer and a lot harder, even for very sophisticated organisations,” Ablong said.
According to Ablong, what the higher education sector has failed to realise is that it hasn’t been deeply considering the cyber risk.
“That’s a shame … and more effective measures are needed,” he said.
Paterson, meanwhile, said he has observed that the universities are trying to “have it both ways”.
“They’re telling this committee and the public, ‘Don’t worry, we get it, we want to work with you, we want to fix it’, but also, ‘Please don’t subject us to any actual requirements, legislative or regulatory, that would require us to do anything about it’,” the Liberal Senator mused.