The tests carried out by the National Audit Office gave them full control over the computer systems of two of the schools and control over researchers’ IT equipment and cloud storage at a third. – It is objectionable that research data is not sufficiently secured against attacks, says Auditor General Karl Eirik Schjøtt-Pedersen. This is revealed in a new report the National Audit Office presented on Wednesday. They tested the IT security at 10 of the country’s largest universities and colleges. – The aim was to gain access to sensitive research data. We carried out tests against three and succeeded with two of these. We got full control over two, says Schjøtt-Pedersen. The tests show that the country’s research institutions are not well enough protected against computer attacks, emphasizes Schøtt-Pedersen. It may concern personal information, trade secrets or data that may be of interest to foreign powers. These 10 have been investigated These ten research institutions are included in the investigation by the National Audit Office: Nord University Norwegian College of Sports (NIH) Norwegian University of Science and Technology (NTNU) Norwegian Foreign Policy Institute (NUPI) University of Bergen (UiB) University of Oslo (UiO) University of Stavanger (UiS) The University of Southeast Norway (USN) The University of Tromsø – The Arctic University of Norway (UiT) The University Center in Svalbard AS (UNIS) Hacked in The National Audit Office has simply hacked in. The National Audit Office has its own IT experts who have expertise in cyber security and hacking. The National Audit Office succeeded in taking control of the IT systems at two institutions so that they could change data and also encrypt it. They also entered a third. Through the successful hacking, the National Audit Office was able to retrieve or manipulate stored information and research data. It took several days before the institutions discovered the hacking. This shows that research results can be exposed to computer attacks, the National Audit Office believes. All 10 research institutions were tested for IT security. The examinations produced a disappointing result for all. Among other things, they had a lack of control over user accounts and access rights, and weak requirements for user approval. CRITICAL OF SOCIETY: Tekna president Elisabeth Haugsbø believes that politicians must now wake up. Photo: Tekna – There are too many weaknesses in basic technical security measures, says Auditor General Schjøtt-Pedersen. – It is disappointing that research data is not better protected, especially considering the geopolitical situation we are in, and it is not entirely new. We have known for a long time that research institutions are potential targets for such intrusion operations, says Elisabeth Haugsbø, president of Tekna. Tekna organizes IT engineers, civil engineers and researchers in technical and natural sciences. Gaping security holes They will not disclose which colleges or universities the National Audit Office succeeded in hacking. This is due to fear that malicious people will try to do the same. The survey also reveals that the universities and colleges do not have a good enough overview of their research data. The Tekna president believes that the survey shows that politicians have not prioritized IT security. – This shows a gaping hole. It may seem that the politicians and the Ministry of Education do not understand how important it is to protect research data, this is data that is important and critical to society, says Haugbø. Consequences In 2022, a student at the University of Tromsø was arrested on suspicion of illegal intelligence for Russia. Among other things, he did research on the northern regions. The student claimed to be Brazilian, but it turned out he was Russian. PST believes that he has acquired a network and information about Norway’s policy in the northern regions. – The threat picture in this industry has worsened in recent years, says Schjøtt-Pedersen The National Audit Office points out that poor security of such information can have consequences: Financial trouble Spread of sensitive information Loss of reputation They also state that this may be of interest to criminal circles . In recent years, there has been a sharp increase in computer attacks against those engaged in research. The government must take action The FRP believes that the government must now take IT security in research seriously. – For several years, PST has warned against the intelligence threat against Norwegian higher education institutions. The National Audit Office’s report shows major weaknesses in security, and we expect the government to start taking the intelligence threat seriously. There is no longer room for naivety, says Himanshu Gulati, Frp’s education policy spokesperson. LOOKING AT MEASURES: Minister for Knowledge and Education Sandra Borch (Sp) will look at what measures the government must implement to improve IT security. Photo: Tore Linvollen / news Red also reacts. – It is obvious that the current systems do not work well enough and that the cooperation across the institutions and the ministry is too poor. The Ministry of Education must take this seriously, and ensure that necessary measures are initiated and actually followed up, says Seher Aydar, member of the control committee for Rødt, Research Minister Sandra Borch (Sp) says that the findings are very serious. – We have prioritized work with information security for several years, but it is obviously demanding to keep up with new and more complicated threats. Now I will go through the report and assess which measures should be implemented, says Borch.
ttn-69