Howard University cancelled classes after suffering what it believes to be a ransomware cyberattack, the latest instance of a growing threat to higher education in the US and worldwide.
The 10,000-student institution in Washington DC, a leading historically black university, said it intentionally shut down its computer network to investigate the situation and minimise damage.
As a result, it shut its campus to all non-essential use and cancelled all classes for one day, before reopening to in-person classes only while keeping all online and hybrid courses suspended.
“We recognise that there has to be a balance between access and security,” Howard leaders said in a message to the university community. “But at this point in time, the university’s response will be from a position of heightened security.”
Howard said its initial investigation showed no evidence of personal information having been read or taken, and warned the community that restarting normal operations would be a day-to-day decision.
“This is a highly dynamic situation, and it is our priority to protect all sensitive personal, research and clinical data,” Howard’s provost, Anthony Wutoh, and chief operating officer, Tashni-Ann Dubroy, said in the note.
The challenge of ransomware – in which outside attackers install destructive software and then demand a payment for its removal – is becoming an increasingly common problem for universities and many other businesses.
Within higher education, US institutions already suffering major breaches this year include Stanford University, Brown University, the University of California, the University of Colorado, the University of Miami and the University of Maryland, Baltimore.
Across all business sectors, the US saw the number of attacks grow by 17 per cent by mid-2021, compared with the beginning of the year, according to a tally by Check Point Software. The increases over that same period were 13 per cent in the Asia-Pacific region, and 36 per cent in Europe, the Middle East and Africa, it said.
The average ransom paid by organisations in the US, Canada and Europe more than doubled from $115,000 (£85,000) in 2019 to $312,000 last year, and then to $570,000 in the first half of this year, according to the cybersecurity company Palo Alto Networks.
The aggressive response by Howard seemed wise, said Brian Kelly, director of the cybersecurity programme at Educause, a US higher education grouping focused on information technology.
“It sounds like they’re following the appropriate steps as far as containment and isolation,” said Mr Kelly, a former chief information security officer at Quinnipiac University.
For universities more broadly, however, the attacks reinforce the need to find solutions beyond such now-standard advice as tightening password policies and bolstering security training, Mr Kelly said.
That’s because attackers have grown far more strategic in their choices of targets, both in simpler ways, such as choosing bigger and wealthier victims, and in ways that might be more complex, he said.
Current theories, Mr Kelly said, include the possibility that attackers might be intentionally pursuing institutions that have bought insurance against cyberattacks, and therefore are proving more willing to pay ransoms.
“The ransomware gangs are really focusing their attacks – they’re looking for ability to pay the ransom in their targets versus being indiscriminate,” he said.
The attackers are understood to be located in places where they can largely avoid legal repercussions, such as eastern Europe, Russia and South America, Mr Kelly and other experts said.
Howard said students and faculty could return to campus after the one-day closure, but should expect no wi-fi service for an unknown length of time. The period for students to add or drop courses for the fall semester will be extended, it said.