TU Braunschweig is a popular target – also for hackers
IT attacks on universities are on the rise. An interview with the Chief Information Security Officer, Dr. Christian Böttger
What do Universität Gießen, Ruhr-Uni Bochum, Universität Leipzig, TU Berlin, and other universities and research centres have in common? They have all recently fallen victim to massive hacker attacks. In some cases, central services were paralysed for months. Experienced data thieves have also stolen personal information from universities and offered it for sale on the darknet – on secret platforms. “Viruses in a Gold Rush” was the headline of the Frankfurter Allgemeine a year ago: “Hacker attacks on universities expose an Achilles’ heel not only of science. If there is no one-hundred-percent protection against it, one should at least do what is possible”.
In any case, Professor Manfred Krafczyk, Vice President for Digitisation and Technology Transfer, and Dr. Christian Böttger are certain that “it won’t happen here” is not a suitable strategy. With the new IT governance and the establishment of the new administrative department, Krafczyk has laid the foundations to protect the university in the best possible way in the future. And Böttger has been the new “CISO”, the Chief Information Security Officer, at TU Braunschweig for five months. As head of the corresponding staff unit, he reports directly to the Presidential Board. “In fact, at least twice recently we have simply been lucky that nothing bad has happened,” he says. A few months ago, for example, hackers exploited a security hole in a groupware and e-mail system and used it to gain access to computers at TU Braunschweig. Fortunately, the attackers were busy on other computers first, so the gap could be closed quickly. However, the Gauß-IT-Zentrum had to take an institute server offline ad hoc to prevent the attack.
What researchers do not know and do not want
What many researchers are not aware of: regularly at the beginning of a semester, there are attempts worldwide to capture login credentials via so-called phishing e-mails. Research results and data are specifically targeted and then cleverly exploited, for example for security-relevant technologies in countries that are under embargo. Or one’s own results are published by strangers in specialist journals, leaving the actual author empty-handed – a disaster for many young researchers in particular.
Universities are popular targets of attacks because they store interesting data and are much more vulnerable than companies. The problem is well known. The CISO’s task is therefore also to update the organisational framework with solutions, guidelines and emergency plans. To do this, he works together with external experts and colleagues at other universities. At TU Braunschweig, the focus is initially not on technology, but on content. “We start with the information,” says Böttger. To do this, he first draws up priority lists together with the users: What information is particularly important? Where is it located and how must it be protected?
The Most Decentralised University in Germany
And that is precisely where the difficulties arise. Many institutes and facilities have their own workstations and operate their own servers that are not centrally registered. For example, there is an early warning system from the German Research Network, which was also used in the case of the Exchange attack. However, this only records the centrally located processes. “In many areas, we neither know what data exists, nor where and how it is processed. We are probably the most decentralised university in Germany, at least as far as IT governance is concerned,” says Böttger. Over the next four years, he will build up a security management system that should offer the best possible protection. One goal is to make the early warning system as usable as possible across the university so that effective measures can be taken when danger is imminent. The technical measures are only part of the solution package though. “Wherever information comes into our system from the outside, there will be spaces vulnerable to an attack,” explains the CISO. “At the moment, hackers mainly use emails, but it can also be chat channels or collaborative platforms.”
One click on the wrong link
With the IT Security Awareness Days, TU Braunschweig draws attention to this every year and aims to make users aware of the vulnerability of their data. “Overwork, time pressure, a new scam: it can happen to any of us that we click on a dangerous link,” says Böttger. “We can only learn from this.” The Gauss IT Centre regularly sends out fake phishing emails to test users anonymously. Six to seven per cent of the recipients click on the seemingly dangerous links and enter their login credentials. Even so, TU Braunschweig is still in a good position; the average in companies is ten per cent. Consultations and training courses are therefore an integral part of the CISO’s programme. “I go to every organisational unit to inform and talk about it,” Böttger offers.
“In the next four years, quite a few processes – centralised and decentralised – will have to be adapted in order to protect TU Braunschweig sufficiently,” says the CISO. “It will be an interesting time when we all have to get together and see how we solve this together.”
Dr Christian Böttger
… has been Chief Information Security Officer at TU Braunschweig since May 2021. Previously, he had been responsible for information security measures and information security awareness measures at the Gauß-IT-Zentrum since 2016, as well as for the implementation of the General Data Protection Regulation (DSGVO). The physicist had previously worked for 20 years as an IT specialist, project manager and team leader in the private sector, half of that time as an independent consultant. Böttger studied at the Technische Universität Braunschweig and did his doctorate at the Institute for Metal Physics and Nuclear Solid State Physics.