All Georgetown students will now be required to install DUO, a multi-factor authentication service, to access university systems for the coming semester, the university announced on July 21.
This move, as the announcement acknowledges, comes in the wake of increased cybersecurity concerns due to a higher reliance on online services and home networks during the ongoing COVID-19 pandemic. While cyberattacks against both the Twitter accounts of powerful figures, including former President Barack Obama and Democratic candidate Joe Biden, and COVID-19 research centers have gained national attention, individuals and small businesses have also seen upticks in attacks since the reliance on telework increased.
The implementation of DUO for all students was largely based on increased threats to all forms of online information and accounts, according to acting Chief Information Security Officer and Chief Engineer Marty Johnson.
“A global increase in Cybersecurity activity, that generally exploits the fear and uncertainty we all feel, has made it apparent that simple username/password authentication methods are no longer sufficient to protect the systems that we are now using in an increasingly fluid and distributed manner,” Johnson wrote in an email to the Voice.
Previously, only faculty, staff, student employees, and associates had to be enrolled in DUO, because their university accounts contained sensitive information such as bank account details. However, the university announcement explained, the fact that the Fall 2020 plan calls for nearly all students to work and learn remotely broadened the need for security.
“Because many members of the Georgetown community will be studying and working remotely as an integral part of [the Fall 2020] plan, there is an increased risk of cybersecurity attacks against the network and your sensitive data,” the email read.
Increased vulnerability to attacks is not an issue specific to Georgetown, but rather a systemic problem revealed in the months since the pandemic began. In a study released by VMware Carbon Black, an internet security provider, 91 percent of all respondents reported attacks have increased since March.
There are a few reasons for this, according to Micah Sherr, an associate professor at Georgetown in Computer Science. When employees (or students) work from home, it becomes more difficult to detect suspicious patterns of behavior that might indicate an attack. Previously, activity outside the “norm,” meaning from off-campus, was one indicator of a potential cyber attack.
“With everyone being virtual, we’ve thrown the norm out the window,” Sherr wrote in an email to the Voice. “There is no longer any norm. Folks work from different locations and time zones, and that makes differentiating between authorized usage and attacks far more difficult.”
This deviation from normal circumstances also presents a challenge to individuals, Sherr said. People are changing up their routines and installing new software, such as Zoom. This means they are less likely to be able to separate routine emails from phishing attempts or identify malware.
Additionally, hackers can mimic communications surrounding the pandemic, such as government communications, according to a report from Georgetown’s SCS.
“For example, I suspect that a phishing attack purporting to be UIS asking users to install a new “GU-approved” patch to Zoom (which would in fact be malware) is more likely to succeed now than had it been done pre-COVID19,” Sherr wrote.
Universities are particularly vulnerable to cyberattacks because their systems often contain sensitive information and unreleased or proprietary research findings. Large networks also offer many points of access to hackers. Students and faculty need fairly open access to the network to research and communicate, but in some of the same systems, administrators and staff manage sensitive personal information.
Rather than relying on on-campus wifi, the majority of students and faculty will be logging on to their accounts via home networks and will be utilizing sites such as Canvas and Google Drive to share assignments at a higher rate, which means there will be more points of access for attackers to target.
At the same time, Sherr pointed out, universities prefer not to restrict access to information beyond what is necessary.
“It’s critical to remember—and I can’t emphasize this enough—that the University has an obligation to respect academic freedom, and a big part of that is enabling access to information. And today, for better or worse, “access to information” oftentimes equates to unfettered access to the Internet,” he wrote.
Sherr and Johnson both identified multi-factor authentication services as one useful strategy in preventing attacks on such a network. If you try to access a Georgetown-related account (Google accounts, Canvas, Box, etc) with a DUO account, a notification will be sent to you via another device to approve the login. This is intended to ensure no one logs into your account that is not you, and that you are notified of any outside login attempts.
DUO relies on two factors, which Sherr called “something you have” and “something you know.” Requiring anyone who wants to log in to provide both a piece of information (a password) and showing you have something that ostensibly belongs to you (your phone) raises the bar for hackers, Sherr wrote.
While the addition of DUO is not convenient for students, Sherr believes the cybersecurity benefits make the few seconds to confirm your identity worth it.
“Requiring a little extra work for a lot more security is the smart move, even if it does impose a modest annoyance,” he wrote.