It is time for universities to reconsider how they defend intellectual property

State-sponsored espionage may sound like the plot of a Cold War thriller, but it is a significant threat to universities.

That was the startling conclusion of the National Cyber Security Centre’s first assessment of the cyber threats facing UK universities, which last month identified attacks by foreign states, as well as cyber criminals seeking financial gain, as the sector’s two biggest concerns.

While both are significant, there is a danger that the fallout of high-profile personal data breaches in the private sector, and within universities too, makes universities underestimate the threat presented by nation states intent on stealing research for strategic advantage.

State-sponsored espionage threatens the UK’s position as world leader in innovation. As we navigate global political and economic tensions, the significance of this risk means a root and branch reappraisal of how higher education institutes protect their intellectual property (IP) is now needed.

The rewards on offer to aggressors today are substantial. In a world where the pace of technological innovation is accelerating at an unprecedented rate, it is arguably more cost-effective to bridge a research and development gap at another economy’s expense. Shortly after the NCSC’s report was published, a BBC documentary revealed that during David Cameron’s tenure China sent military personnel to British universities to gather intel for its weapons programme. Yet, while this case shows the reality of state-sponsored internal threats, it does not show their most nefarious and immediate dimension.

By sharing ill-gotten IP with the private sector, state aggressors can give domiciled firms the opportunity to bring new products and services to market first and gain a competitive advantage on an international stage. The collateral consequence that this could have on UK GDP is significant.

So, before taking practical steps to combat state-sponsored espionage, British universities must first fully quantify the commercial worth of their research and what its loss could mean for the economy.

The threat posed by cyber criminals out for monetary gain is, of course, significant. Financial penalties aside, competition for students is fiercer than ever. Universities cannot afford to be known for a high-profile breach where, for example, students’ personal information is compromised.

However, most attacks lodged by criminals are successful because of human error. Encouraging good personal cyber security principles among faculty and staff and the implementation of an effective incident response framework can go a long way.

The resources available to state aggressors, on the other hand, outstrip even the most well-equipped criminal cells, and indeed most of the world’s largest multinational corporations, by a considerable margin. It means that the practical steps universities take to defend themselves must become more sophisticated.

Universities have a democratic attitude to information. Giving faculty, students and partner institutions unfettered access to university resources undoubtedly supports learning and aids ground-breaking research. However, while open-access culture should be protected, state-sponsored threats mean that it cannot continue to exist in its purest form. A university’s most valuable IP should only be accessible to those with an active role in its development.

From an IT perspective, this means segmenting systems. A network-defined perimeter stops external threats gaining access to an organisation. But, when combatting internal threats, this is not enough. Universities must separate IP from the wider student body and faculty using software-defined perimeters so that if a system is accessed, only those with the appropriate credentials can see the information. This approach minimises the risk of students and faculty being able to act on behalf of a state aggressor to gain access to sensitive information.

More broadly, those with responsibility for system segmentation must make the IT professionals designing them fully aware of state-sponsored espionage as a threat so that they can ensure they are fit for purpose.

Practical measures must be accompanied by sensible policy that fully considers state-sponsored threats. For example, if a university is given a government grant to undertake research that could advance the UK, announcing it far and wide might garner attention from the wrong places.

And, critically, it is not just the most obvious university departments that need to be alive to the threat. Admissions, recruitment and human resources, for example, should also understand the danger posed by threats from within so that they can be fully factored into their processes. 

Our higher education sector is one link in a value creation chain that makes the UK a world leader in technology and innovation. Recognising this and taking steps to protect its reputation on an international stage will see this continue, but also ensure UK universities remain an attractive destination for foreign investment, world-class academics and the next generation of students. 

Edward Lewis is partner at law firm Weightmans LLP, which is a founding member of CyXcel, an alliance of 15 specialist businesses that help organisations build cyber resilience.