Universities warned that FDI restrictions would enhance cyber risk

Out-Law News | 23 Sep 2019 | 8:14 am

Tightening restrictions on foreign direct investment (FDI) would increase the cyber risk facing UK universities, the UK's National Cyber Security Centre (NCSC) has said.

In a newly published paper, the NCSC highlighted the specific cyber threat facing universities, citing the large volumes of personal data held on staff and students, research data and intellectual property (IP) as among the assets that will draw cyber criminals to target the institutions.

The NCSC said the universities sector is at risk from both "criminals seeking financial gain" and nation states seeking to gain a "strategic advantage" by stealing IP and personal data.

It said there is "variable" awareness of the cyber risks posed by nation states across the UK's universities sector, but warned that "state espionage will continue to pose the most significant threat to the long-term health of both universities and the UK itself".

"Nation states almost certainly target universities for the data and information they hold," the NCSC said. "Cyber offers a deniable route to obtain information that is otherwise unavailable to them. It is likely exploited instead of, or in conjunction with, traditional routes to gain access to research, such as partnering, ‘seconded students’, or direct investment. Awareness of the risks associated with international collaboration and overseas funding are variable between universities, as is the level of scrutiny applied to investment opportunities."

"If foreign direct investment were to come under greater scrutiny or restriction, it is a realistic possibility that the cyber threat to universities would increase, as nation states sought alternative ways to gain access to sensitive research and intellectual property," it said.

The NCSC said that the "outward facing" culture and technology of universities, which is a factor in their success, makes them vulnerable to cyber attack. It identified phishing attacks and the use of malicious software (malware) as two of the methods used by attackers.

The NCSC urged universities to adopt "security-conscious policies, strict access controls and partitioning of high-value research" to make it harder for cyber attackers to gain entry to systems and data. It acknowledged, though, the challenge in developing securely designed networks "without impacting the ease with which information can be shared, or the diversity of what information can be accessed".

"Many university networks contain a collection of smaller, private networks, providing close-knit services for faculties, laboratories and other functions," the NCSC said. "The freedom this offers is balanced by the challenge it presents to protecting the data and information within. When maintained with minimal central oversight or adherence to security policy, private networks are likely more vulnerable to persistent infection or unauthorised access. However, this same segregation offers an opportunity to separate high-value or sensitive data and information, and apply a higher level of protection, without impacting the openness of the wider network."

According to the NCSC, staff and students both have a role to play in sound cybersecurity practices at institutions.

"The first line of defence is good security awareness among staff and students," it said.

Cyber risk expert David McIlwaine of Pinsent Masons, the law firm behind Out-Law, said it was noteworthy that the NCSC saw fit to issue guidance specifically to the higher education sector. 

"To date the NCSC has only issued guidance to those offering critical national infrastructure and legal businesses, so issuing guidance to universities now is indicative of the real cyber risk to education establishments that they see," McIlwaine said. "This is consistent with the growing cyber risk we are witnessing in the sector. We have seen a disproportionate amount of cyber attacks on education establishments, and it is clear that sensitive research projects are a target."