Some UW Campuses That Contract With SolarWinds IT Provider Exploited In National Cyberattack

UW System Officials Won't Say Which Campuses Use SolarWinds Or Whether They Were Impacted By Suspected Russian Hack

This Feb. 23, 2019, photo shows the inside of a computer in Jersey City, N.J. The U.S. government on Tuesday, Jan. 5, 2021, said a devastating hack of federal agencies is “likely Russian in origin” and said the operation appeared to be an “intelligence gathering” effort. Jenny Kane/AP Photos

The national cyberattack that targeted the SolarWinds computer network monitoring software could have impacted some University of Wisconsin System campuses that use it.

In mid-December, news broke that a massive computer breach gave hackers months to sift through United States government computer networks. It’s been reported that cybersecurity experts believe the hack was carried out by Russia’s foreign intelligence service known as the SVR.

A Dec. 17 alert from the U.S. Cybersecurity and Infrastructure Security Agency stated that the compromise of SolarWinds’ monitoring software known as Orion “poses a grave risk” to the federal government, state, tribal and local governments as well as private businesses and other organizations.


On Wednesday, UW System Interim President Tommy Thompson joined a webinar hosted by the Wisconsin Manufacturers and Commerce business association, which also featured a cybersecurity expert. Thompson started his presentation by briefly discussing the scope of the SolarWinds hack.

“It just tells you that if the Department of Defense, Department of Treasury and other federal agencies can be hacked, you can be hacked, a university can be hacked,” said Thompson. “And all of us have got to be concerned about cybersecurity.”

During a question and answer session with Thompson, WPR asked if the UW System itself was affected by the SolarWinds hack.

“I will not answer on the grounds that it might incriminate me,” Thompson answered sarcastically.

WPR sent the same question to UW System communications staff. Spokesperson Ethan Schuh responded by stating that some campuses do contract with SolarWinds.

“We are obviously aware of the security issues connected with SolarWinds and some of our universities utilize their services,” said Schuh. “We are in the midst of a complete review, not unlike many others in discovery mode related to this national cyberattack.”

WPR requested an interview about the SolarWinds questions with Thompson or UW System information technology staff. UW System spokesperson Mark Pitsch said they have nothing else to share.

On Thursday, WPR sent a list of questions to communications staff at the state’s 13 four-year universities asking whether their campuses use SolarWinds software, if any data breaches were identified and, if so, what steps are being taken to remedy the situation.

Only five of the state’s 13 universities responded to the questions as of Thursday afternoon. Staff with UW-Eau Claire and UW-Oshkosh said their campuses were not impacted. UW-La Crosse, UW-Madison and UW-Green Bay officials deferred WPR’s questions to the UW System.

Brian Kelly is the director of the Cybersecurity Program at the higher education IT association Educause. In an interview with WPR, he said the Orion software developed by SolarWinds is used by more than 18,000 customers who might have been impacted by the security breach.

Kelly said the Orion software is used by institutions to monitor the infrastructure that controls computer networks. He said, in theory, any data moving through networks using the software could be accessible to the hackers.

But Kelly said new findings over the past few weeks indicated the target of the SolarWinds hack was an internet security company called FireEye that contracts with government agencies.

“Certainly, there was a compromise of SolarWinds software,” said Kelly. “Anyone using that could have been impacted. But it doesn’t mean that data was stolen or student data was accessed or the email of faculty was read or compromised … so it’s not sort of a one size fits all.”

For universities, businesses or government agencies working to find out whether any data was stolen as a result of the SolarWinds breach, Kelly likened the process to “finding a needle in a pile of needles.” But he said cybersecurity experts are working with SolarWinds and its users to help identify online “signatures” that could indicate if data was stolen and where it might have gone.

Kelly said while colleges, businesses and government agencies field cyberattacks every day, the scale of the SolarWinds hack is leading to a broad discussion about ensuring that institutions are vigilant when working with third-party companies providing support for vital networks.

“It’s an opportunity for campus leaders to talk about those type of things, about contracting liability with third parties around risk in cyber liability,” Kelly said. “And I think … the best outcome of this is that we’re having conversations.”

Educause offers a list of questions called the Higher Education Community Vendor Assessment Toolkit for colleges and universities to use when entering into contracts with companies like SolarWinds.

More than 100 higher education institutions use the toolkit, according to Educause. The UW System is not among those listed.

Over the past several years, the UW System has been the subject of critical audits by the Legislative Audit Bureau. A December audit noted a “significant deficiency in internal control over information security.” It noted the UW System had made progress on some recommendations like creating new, internal security policies involving data classification, protection and incident response following critical audits in prior years.

Another audit report published in September of last year focused more specifically on IT procurement and security. It too found that UW System Administration “did not develop comprehensive IT security policies and procedures for it and all other UW institutions.”

“We also found that the extent of policies and procedures developed by individual UW institutions varied, and that UW institutions awaited completion of UW System Administration’s policies,” said the report. “Incomplete policies and procedures increase the risk that UW System’s data and systems may not be adequately protected.”

The Legislative Audit Bureau recommended that UW System leaders develop comprehensive IT security policies and procedures based on standards set by the National Institute of Standards and Technology and address 46 IT security concerns, which the bureau stated were “too sensitive to communicate publicly.”