Cyber Security in the Education Sector


Opportunities for the Education Sector in Cyber Security

The breaches of the Australian National University (ANU) in 2018 and 2019 were the trigger for increased government activity around Cyber Security in the education sector.   The target was the Enterprise Systems Domain which houses financial and HR data amongst other information.   ANU was not able to ascertain how much data or specifically which fields might have been accessed, nor to determine the source of the attack.  However, given the attackers demonstrated a significant level of sophistication, the attacks were tagged as nation state.

The explanatory document for the 2020 amendments to the Security of Critical Infrastructure Bill highlights that the Education sector has been targeted and proposes an enhanced framework with far wider scope and a deeper level of obligation to secure systems.  The Higher Education and Research sector is included in the wider scope and will be required to meet the obligations.

Nation state attacks have been the declared bogey in cyber security over the last year or so, and the focus is on publicly identifying adversaries and stopping access to information.  However, this stove-pipe public viewpoint detracts from the wider role the Education sector has with regard to Cyber Security and the growing level of digital transformation, the economic value of the international Education programme, and the key importance of international collaboration to research.  Taking an architectural perspective to Cyber Security and Education reveals a much more complex set of opportunities, threats, and risk mitigations which need to be addressed.   An architectural perspective reveals three areas in which the Education Sector intersects with Cyber Security:  building skills through education programmes, research in the field of Cyber Security, and protection against cyber attack.

Australia’s 2017 International Cyber Engagement Strategy includes a requirement for Government to work with the Educational Institutions to build digital-ready workforces and build digital upskilling across the Indo-Pacific.   In addition, Australia’s 2020 Cyber Security Strategy highlights the need for greater collaboration to build Australia’s cyber skills pipeline through a $26M Cyber Security Skills innovation fund as a national cyber workforce growth programme.  This provides a clear scope for educational activities related to building skills, and provides clear domestic and international opportunities for all higher education institutions.

Australia’s 2020 Cyber Security Strategy also notes that $20M is being invested into cutting edge research laboratories, but fails to recognise the critical role that the Education Sector has in developing new paradigms for protecting against cyber attacks and developing trustworthy solutions that are resistant and resilient against attack.  These are significant opportunities for the Education Sector to lead Australia’s path to a resilient digital future.

The 2020 Amendments to the Security of Critical Infrastructure Bill provide clarity on how the protection of Education Sector systems should be managed, but fail to provide any new insights into risk and control approaches which will avoid attacks such as that at ANU.  Using the same ineffective management systems and security tools will do nothing to make Education Sector systems more resilient.  The Education Sector itself can conduct and apply its own research to make the step change that Australia needs.

There are clear opportunities for the Education Sector to be at the forefront of Cyber Security in Australia.  Using the SABSA architectural framework will enable these opportunities to be identified and taken, and then used to mitigate risk while enhancing, rather than inhibiting, the Education Sector.

Malcolm Shore

Chief Security Architect

malcolm.shore@davidlynas.com

Malcolm combines a wealth of practical experience including security leadership roles across Australia & New Zealand, specialising in telecommunications, with an academic skill set comprising training development, research and publication.