You have witnessed the bizarre spectacle of a cyber issue if you have ever been on a college campus. Students are refreshing their phones while loitering outside the library door. An email from a professor expressing regret for missing the third Canvas deadline of the week. The digital message is no longer functional, and a bulletin board notice is put over it. The university’s official comments are composed, cautious, and well-researched.
Most of the students who pass those statements are merely attempting to ascertain whether their grades have been posted, whether their financial aid has been handled, and whether they are still eligible to register for the upcoming semester. The IT department may frame the cyber incident as a technological event. It’s an educational event for the student body. Furthermore, it is evident that the higher education system is unable to keep up with the frequency of those occurrences.
Although it’s not the only recent instance, the Canvas outage earlier this year is the most well-known. A small number of learning management systems, such as Canvas, Blackboard, Moodle, and Brightspace, are used by thousands of institutions worldwide. The consolidation of this infrastructure has created precisely the kind of single point of failure that cybersecurity experts have long warned about.
The period of the Canvas platform’s forced outage due to the ShinyHunters hack coincided with finals season at numerous large state systems and Ivy League colleges. Exams at certain institutions were made up on paper. Some grading was postponed. Some were forced to make changes to their academic schedules that had a real impact on when students could graduate. The tuition statements that students paid at the beginning of the year do not account for any of this.
Universities are both appealing targets and structurally susceptible defenders, which is the structural issue. The vastness of modern campuses is comparable to that of small cities. Open networks with tens of thousands of users. Research laboratories are using outdated hardware to run specialized infrastructure. international partnerships that call for access to data across borders. research supported by the federal government and involving millions of dollars’ worth of intellectual property. personally identifying information for applications, parents, donors, alumni, present students, and the full administrative infrastructure that supports them. Similar data sensitivity but more stringent operational control can be seen in a medical system. Similar in size, but with a more homogeneous user base, is a corporate network. In a way, universities have the worst of both worlds.
Speaking with IT professionals in higher education gives the impression that the gap between the institutional reaction and the sophistication of the threat has been growing for years. For the majority of the last 20 years, state financing for public institutions has either decreased or remained unchanged in terms of inflation. Even wealthy private institutions have been hesitant to invest the amounts of money that cybersecurity programs truly need, partly because the expenditures are not apparent until something goes wrong. The cost of cyber insurance has increased. After several cases, several institutions have completely lost coverage. Others have carried on with insurance levels insufficient to cover even one major breach. The children who are affected by the disturbance are the ones who most clearly exhibit this imbalance. The math has ceased functioning.
Despite receiving the least amount of public attention, the intellectual property aspect of this story may be the most significant in the long run. Graduate students do not receive a straightforward replacement timeframe in the event that their research data is lost or corrupted. They miss out on months of work. They occasionally miss the benchmarks that make up their degree advancement. Due to ransomware outbreaks that rendered their original datasets unrecoverable, some Ph.D. candidates working on time-sensitive projects—such as climate datasets, longitudinal medical studies, and collaborations with international partners—had to redo portions of their dissertations. This type of damage doesn’t appear neatly in any breach report. Years later, it manifests itself in researchers’ descriptions of what their early careers were expected to look like and what they ended up becoming.
The IT consolidation that is already taking place in higher education might eventually result in more robust defenses. More of the fundamental infrastructure of larger university systems is being moved to cloud providers with stronger security postures than any one institution could pay. Higher education resiliency is now receiving direct cybersecurity instruction and, in certain situations, financial support from federal agencies. Over the last three years, the Cybersecurity and Infrastructure Security Agency has greatly increased its outreach to academic institutions. Compared to ten years ago, SchoolSafety.gov is now a more comprehensive resource. At the very least, the trajectory is heading in the correct direction.
However, the trajectory hasn’t kept up with the incidences. Walking around schools coping with a breach’s consequences gives one the impression that students are embracing a level of educational opacity that earlier generations were spared. A four-year degree with predetermined milestones in a predetermined order is promised in the catalog.
Exams that are rescheduled because the testing platform is unavailable, grades that are delayed because the registrar’s systems are still being restored, and research projects that are put on hold because a professor’s lab is unable to access its major dataset are just a few examples of how contingent reality has become. Rarely is the disruption disastrous on a single occasion. The “lost years” frame is the result of accumulation. minor hold-ups. minor desertions. little adjustments to expectations. Those pile up over the course of a six-year graduate program or a four-year undergraduate program.