A cyberattack that forced the University of Winnipeg to take down its network this week appears to be yet another example of how Canada has been far too slow to respond to cyber threats posed by foreign adversaries, one expert in cyber and national security says.
Christian Leuprecht, a professor at the Royal Military College of Canada and Queen’s University, said while it’s just as possible that the attack at the U of W was done by someone looking to extort a ransom from the school, universities are disproportionately targeted by adversarial states like China to steal research and intellectual property.
He added the size of the school, which is not as large or well-known as some other Canadian universities, demonstrates that “everybody’s a target.”
“It’s not just the large institutions — and it means that everybody needs to be paying attention, and much better attention,” Leuprecht said.
“There’s also still a certain ignorance, I would say, in Canadian society about the extent to which Canada is being targeted.”
The expert called it “puzzling” and “tragic” that the federal government “pours billions of dollars into research, but is not willing to do what is ultimately required to keep that research safe from adversarial actors.”
Earlier this week, administration at the U of W confirmed a “threat actor” managed to gain entrance to its system, and that the university took its network down to protect its data — but also declined to provide any further details.
WATCH | University targeted by cyberattack:
The university says it’s working with cybersecurity companies to get the most important services back online by next week, and to prevent another cyberattack from happening. Officials say Sunday’s breach means the university is extending the semester and pushing exams back by one week.
Leuprecht said the university caught the issue and responded quickly, which shows institutions are learning more about how to respond to cyberattacks. But he said the fact that it used the “draconian” measure of shutting down the entire network — and some university services were still not available days later — suggests the vulnerability was fairly deep inside the network.
For students at the U of W, the cyberattack was a source of extra stress just as final exams were about to happen. Arman Afridi, a criminal justice student, said he hopes to see the school tighten its security system to prevent similar attacks from happening again.
“If this happened one time, in the future it may happen one more time,” Afridi said.
Meanwhile, education student Marnie Bloom said she and her classmates feel left in the dark, including about whether any of their personal information was compromised.
“We’re panicking,” Bloom said. “We don’t know what’s going to happen to it.”
Leuprecht said while foreign adversaries typically focus university cyberattacks on research — and while personal information is usually well protected — it’s possible they’d also be interested in students’ data as a way of finding information on dissidents.
“Most universities will have, you know, Tibetan student groups, Uyghur student groups, Hong Kong democracy activist student groups — and trying to get access to the university network is one really way to try to access information on these groups that otherwise might be private,” he said.
He said cyberattacks on universities are always a reminder that the institutions are high-value targets with somewhat limited ability to defend themselves, because of both limited funding for cybersecurity and legislation that hasn’t kept pace with the level of threat — something he said adversaries know and take advantage of.
Leuprecht said action is needed both at the provincial level, to use the resources of government to procure information technology for institutions and lease it back to them, and federally, where he called the current approach “homeopathic” and said more funding for cybersecurity, a more robust research security policy and more guidance for universities are needed.
He said it’s far too late to call incidents like what happened at the U of W a wake-up call.
“Can you say like six years in, that this is a wake up call? I would say this is par for the course,” he said.
“And part of the reason why we continue to see it is because the level of awareness at the level of universities, the public, the provincial government and the federal government, and the priority that this is given and the way it is resourced, it simply continues to be wholly inadequate relative to the threat that we’re facing.”