Paul A. Watters, Strategic Cyber Consultant, Ionize

In Australia, the Defence Industry Security Program (DISP) is an initiative administered by the Department of Defence that is responsible for protecting classified information and technology in the possession of Defence contractors and other private sector organisations that have been granted access to such information and technology (https://www.defence.gov.au/security/industry). The DISP serves to protect classified information and technology from unauthorised disclosure and to ensure that contractors and other private sector organisations handling such information and technology have appropriate security measures in place. The DISP also helps to ensure that contractors and other private sector organisations are able to maintain the trust of the government and the public by demonstrating their commitment to safeguarding classified information and technology.

DISP requirements include:

• Establishing and maintaining a security management system that meets the requirements of the DISP

• Ensuring that all personnel with access to classified information and technology have the necessary security clearances (https://www.defence.gov.au/security/clearances/about/overview) and have been trained in the proper handling of such information and technology

• Protecting classified information and technology from unauthorised access, use, reproduction, and disclosure

• Reporting any security breaches or other incidents involving classified information and technology to the appropriate authorities

• Complying with all applicable laws, regulations, and policies related to the handling of classified information and technology

• Working with the Department of Defence to continuously improve security practices and procedures.

DISP benefits include:

• Maintaining the trust of the government and the public: By demonstrating their commitment to safeguarding classified information and technology, contractors and other private sector organisations participating in the DISP are able to maintain the trust of the government and the public. In simple terms – if you want a Defence contract, you will need to be a DISP member.

• Promoting collaboration and innovation: By ensuring that contractors and other private sector organisations have the necessary security measures in place to handle classified information and technology, the DISP promotes collaboration and innovation within the Defence industry.

• Enhancing the security of Defence systems and technologies: By protecting classified information and technology from unauthorised disclosure, the DISP helps to enhance the security of Defence systems and technologies.

• Facilitating the exchange of classified information and technology: The DISP helps to facilitate the exchange of classified information and technology between the government and contractors and other private sector organisations, which can be important for the development and implementation of Defence systems and technologies.

Universities may benefit from DISP membership, yet, cybersecurity risks remain significant for the sector. Why is it important for universities to protect against cyber-attacks? Universities have large user bases which are particularly susceptible to:

• Phishing attacks: Universities are often targeted by phishing attacks, in which attackers send fake emails or other communications that appear to be from a legitimate source, in an attempt to trick individuals into revealing sensitive information or installing malware.

• Malware: Universities are vulnerable to malware attacks, in which attackers use malicious software to gain access to or disrupt computer systems.

• Ransomware: Universities may also be targeted by ransomware attacks, in which attackers encrypt or otherwise lock access to data and demand payment in exchange for the keys to unlock it.

• Data breaches: Universities may experience data breaches, in which attackers gain unauthorised access to sensitive data such as student or faculty records.

• Insider threats: Universities may also face risks from insider threats, in which employees or other insiders use their access to sensitive information or systems for malicious purposes.

• Weak passwords: Universities may be vulnerable to cyber attacks if employees use weak passwords or reuse passwords across multiple accounts.

More broadly, universities are very susceptible to foreign interference, and present a risk to DISP membership. Like other organisations, universities may be targeted by foreign governments or other entities seeking to influence research or steal intellectual property. Universities may also be targeted by foreign actors seeking to gain access to sensitive information or technologies. This is particularly true if the university receives defence funding, contracts or grants, or conducts research which could endanger national security if disclosed to adversarial foreign governments.

To protect against foreign interference, universities should implement strong cybersecurity measures such as email filtering, antivirus software, and employee training programs. Universities should also be aware of the potential for foreign interference and take steps to safeguard against it, such as carefully vetting external partnerships and funding sources. Additionally, universities can work with government agencies and other organisations to identify and respond to potential threats.

One strategy that universities can develop is a counterintelligence program. While this approach may be at odds with the historically open and liberal nature of higher education, nonetheless, some foreign governments are actively targeting universities.

A counterintelligence program is a set of measures designed to detect, prevent, and mitigate threats to an organisation’s information, personnel, and operations from foreign intelligence agencies, terrorists, and other adversaries. A counterintelligence program may include the following elements:

• Threat assessment: A thorough understanding of the threats faced by an organisation, including the capabilities and motivations of potential adversaries.

• Security measures: Physical, technical, and administrative measures to protect against threats to information, personnel, and operations.

• Counterintelligence activities: Activities designed to detect and disrupt the efforts of foreign intelligence agencies and other adversaries to gain access to sensitive information or compromise personnel.

• Employee training: Training programs to educate employees about the threats faced by the organisation and how to protect against them.

• Intelligence collection and analysis: Gathering and analysing information about potential threats to the organisation.

• Collaboration with other organisations: Working with other organisations, including law enforcement agencies and the intelligence community, to share information and coordinate efforts to protect against threats.

It is possible that universities may find it challenging to implement a counterintelligence program due to a variety of factors. For example:

• Limited resources: Universities may have limited resources, including budget and personnel, to devote to counterintelligence efforts.

• Complex organisational structure: Universities may have a complex organisational structure, with many departments, centres, and institutes, which can make it difficult to coordinate counterintelligence activities across the entire organisation.

• Open and collaborative culture: Universities are generally characterised by an open and collaborative culture, which can make it difficult to implement security measures and restrict access to sensitive information.

• Large number of external partnerships: Universities may have a large number of external partnerships and collaborations, which can make it difficult to manage and mitigate potential threats.

• Despite these challenges, it is important for universities to take steps to protect against threats to their information, personnel, and operations. Universities can work with security experts and other organisations to develop a counterintelligence program that meets their unique needs and resources.

The Department of Education provides guidelines for universities to follow to counter foreign interference (https://www.education.gov.au/guidelines-counter-foreign-interference-australian-university-sector). While comprehensive, it is important to note that guidelines are not a counterintelligence program in their own right, and there are only four templates provided to even begin the process of developing a counterintelligence program.

Ionize assists a number of universities with DISP membership, cybersecurity program development and implementation, and implementing strategies to counter foreign interference. If you would like more information contact Ionize below.