U of T teams up with schools in Canada, around the world to share cybersecurity intelligence

From ransomware to espionage, educational institutions face a growing number of cybersecurity threats – which is why the University of Toronto is working with schools in Canada and abroad to thwart attacks by sharing data in real-time.

For nearly a year, the Canadian Shared Security Operations Centre (CanSSOC), for which U of T serves as administrative lead, has been piloting a threat feed that sends members immediate information on suspicious activity and potential breaches, all while protecting the anonymity of affected institutions.

Now, CanSSOC will be partnering with organizations in the United States, Australia and the United Kingdom to extend this intelligence-sharing well beyond Canadian borders.

“This is unprecedented,” says Isaac Straley, who is the chief information security officer for both CanSSOC and U of T.

“With this partnership, we’re really building relationships and working together to tackle this international problem.”

CanSSOC serves universities, colleges, polytechniques and CÉGEPs across Canada. U of T was one of six founding institutions alongside the University of Alberta, University of British Columbia, McGill University, McMaster University and Ryerson University – but the consortium has the goal of serving more than 200 educational institutions of varying sizes.

Jill Kowalchuk, the organization’s director, says the organization was founded out of a desire to combine essential resources in the war against cyberattacks

“Our motto at CanSSOC is: ‘Better than what we can do on our own, always in partnership,’” she says. “We recognize the value and strength built through co-ordinated and community-focused approaches to security threats.”

The new crossborder partnership will see CanSSOC collaborate with Jisc in the U.K., AARNet in Australia and OmniSOC in the U.S., all of which co-ordinate collective approaches similar to CanSSOC in their respective countries.

“This global threat intelligence gives OmniSOC analysts a unique perspective,” says OmniSOC executive director Von Welch in a statement. “This is a great example of global collaboration in the face of a global threat.”

Experts say universities are highly appealing targets of cyberattacks because they oversee vast amounts of critical infrastructure, research data and personal information. The Canadian Centre for Cyber Security warned last May that cyber threat actors were taking advantage of the pandemic to carry out malicious and fraudulent activities against academic institutions involved in COVID-19 research and development, with attackers posing as legitimate businesses to try to spread misinformation, obtain sensitive information or gain funding.

Straley says the entities plotting such cyberattacks range from criminal groups using ransomware to extract money to nation-state actors aiming to disrupt public infrastructure or engage in espionage. What they all have in common, he says, is a wealth of resources at their disposal, placing many public educational institutions at a disadvantage when it comes to confronting these threats.

“We’ve got a high technology footprint that has a high amount of exposure to the Internet, and that just leads to a higher risk,” says Straley. “We [are also facing] very sophisticated actors. It’s not possible to protect everything.”

“CanSSOC’s threat feed allows institutions to pool resources in a single national service that funnels real-time data, curated for the sector, to members, thereby giving them an opportunity to more quickly respond to threats as they arise,” adds Bo Wandschneider, U of T’s chief information officer.

The intelligence is gathered from private and governmental sources, and, critically, from the member institutions themselves. The international partners will now also contribute to the knowledge base, which is subsequently curated by CanSSOC and shared. The identity of the affected institution is kept anonymous throughout.

Organizations have the option to either automatically block suspicious activity or manually monitor and prioritize threats.

“Through this process, we can get protection sometimes within minutes,” says Straley.

The threat feed will be provided to all eligible research and education institutions connected to Canada’s National Research and Education Network (NREN) thanks to funding from CANARIE’s Cybersecurity Initiatives Program, which supports initiatives that strengthen the cybersecurity of Canada’s research and education sector.

“In today’s world, many people see cyber security as the fourth line in our national defence structure, and it is important for us to engage at the local, provincial and national level,” Wandschneider says.

Scott Mabury, U of T’s vice-president, operations and real estate partnerships, says the university is pleased to be working with partners across Canada, including the provincial organizations in the NREN, and around the world to enhance cybersecurity protections for educational institutions.  

“The valuable data gleaned from threat feed and our global collaboration will enable U of T to more fully safeguard the privacy of our community and the cutting-edge research that our researchers are undertaking,” Mabury says.