Interview with Canadian computer security expert Tom Keenan
The University of Calgary paid a 20,000 Canadian dollar ransom in bitcoins to hackers after a malware attack in May 2016. In contrast to Maastricht University, which was hit before Christmas and is still recovering, the Canadian colleagues admitted almost a week after the attack that they had paid the ransom, and also disclosed the amount paid. Why did they publicise it? And what lessons have been learnt?
Several days after hackers crippled essential online services, including e-mail, Skype and internal servers at the University of Calgary, the vice president responsible (the chief financial officer), Linda Dalgetty, told the newspaper Calgary Herald that university officials had agreed to pay 20,000 Canadian dollars to ensure that critical systems could be restored. Paying the ransom is one thing. However, telling the world that you actually did so, and mentioning the amount, is another.
“They chose to be transparent,” says Tom Keenan*, professor at the University of Calgary, computer security expert and author of the book Technocreep: The Surrender of Privacy and the Capitalization of Intimacy. He refers to Linda Dalgetty’s statement in the news: “We’re a public sector organization and we pride ourselves on our openness.”
Doesn’t this transparency make an organisation even more vulnerable, as criminals now certainly know you will pay?
Keenan: “There’s some truth to that, which is why organisations that pay a ransom and tell the world, need to do serious computer security work which is very expensive; software and hardware updating, audits and penetration testing.”
Keenan was on a research trip to Australia during the cyberattack in 2016, and he was quite lucky, as his administrative unit “was one of the ‘early adopters’ that moved their e-mail to servers hosted by Microsoft”, which is why he wasn’t affected.
Only “after the dust was settled,” in 2017, did he give one of his first interviews about the university’s attack, in the Calgary Herald.
What was the main message?
“I stated that this large-scale cyberattack should serve as a wake-up call to both individuals and organisations who remain lax when it comes to backing up critical data and being more cautious when opening e-mail attachments. It’s becoming inexcusable not to have a basic backup. And when it comes to e-mail, people are too quick to click and too slow to think.”
Could Maastricht University, just like other confronted universities and public organisations, have expected a cyberattack?
“I think ransomware should always ‘be expected’ since after all, the bad guys only need to find one hole (an unpatched operating system; a user who clicks on a phishing e-mail et cetera) to gain access.”
What are the lessons learnt at your university?
“Many security improvements were made. As a small example, we now see a warning message ‘The following recipient is outside your organisation’ when replying to e-mails such as yours. Furthermore, our university has now divided the IT systems into ‘managed’ and ‘unmanaged’. Certain critical functions can only be done from ‘managed’ systems and, for example, users are prevented from installing software on them. Unmanaged systems, such as the personal laptops of students and professors, can run any software but are not regarded as trusted.”
In the Canadian newspaper, vice president Dalgetty also advised other institutions to get cyber insurance, just like her own university already had. And although it did not cover the actual ransom, she stated, it was instrumental in helping the school recover after the attack. Keenan: “The major expense in an attack like this is usually not the ransom but the extra work, bringing in cybersecurity consultants for example.”
But don’t you increase your likelihood of being targeted by having such insurance?
“Some experts say you do, because the bad guys will know that you have the resources to pay. In fact, the attack on the University of Calgary happened soon after their cyber insurance policy took effect. Still, the costs of a major cyberattack can be crippling for a university. The real answer is probably for all universities to get insurance, then they won’t be making themselves an individual target.”
*Tom Keenan speaks for himself, not on behalf of the university.