Editor’s Note: The author of this post, Jack Ochs, is currently Vice President, Strategic Planning & Analysis for the Publications Division of the American Chemical Society. He serves on the COUNTER Executive Committee and chairs the International Association of Scientific, Technical & Medical Publishers (STM) Public Affairs Committee. He also serves on STM’s Copyright Committee and is an Ex Officio member of the Executive Board. Prior to joining the ACS, he served in sales, editorial, strategic planning, and management positions with Simon & Schuster, Scholastic, and Prentice-Hall.
In a recent Scholarly Kitchen post, University of Utah Associate Dean for Collections & Scholarly Communication Rick Anderson wrote about the unintended consequences of sharing passwords or falling prey to phishing schemes designed to gather university network credentials that enable illegal pirate operators like Sci-Hub to offer illicit access to licensed scholarly publications.
The American Chemical Society (ACS) could not agree more.
Over the past two months, ACS has experienced the effect of compromised university network credentials and servers being used to launch a significant increase in sophisticated, sustained theft of ACS copyrighted journal articles. These activities have ranged from single instances that attempted massive article downloads to hundreds or thousands of simultaneous robotic user sessions crafted to download hundreds of articles apiece. The perpetrators of these attacks are cunning enough to test and adjust their penetration methods based on the security and usage monitoring tools they encounter. As a consequence, we are revising our own network capabilities and protocols regarding how we detect, respond to, and prevent these incursions and are urging our academic partners to review their campus cybersecurity protocols, as well as their internal response and investigation procedures. In addition, ACS is urging victimized institutions to preserve any and all evidence related to these violations of academic IT security. Although ACS, like other scholarly publishers, is most certainly aware of and alarmed by what has been stolen, an even more immediate concern for our university partners should be to determine how their own networks and resources have been compromised. For a number of reasons, publishers and universities are in this fight together.
First, universities and publishers have increasingly concluded that network violations, like the ones ACS’ academic partners recently experienced, are the work of international cyber criminals. Unfortunately, there is no reason to expect that once such individuals gain access to university IT systems they will stop with scholarly articles. University servers contain troves of intellectual property and other potentially lucrative information such as university patents, faculty and student Social Security numbers, email addresses, and other personal and institutional financial and health records, including tax information that can lead to identity theft.
Second, the consequences to universities of not securing this information are potentially catastrophic. As noted among the many comments to Rick Anderson’s informative post, non-compliance with U.S. regulations concerning health and student records alone could jeopardize a school’s federal funds. Given that scholarly communication is a global enterprise, the compromise of university networks around the world also puts many entities at risk of violating data protection regulations and of liability for associated penalties – not to mention legal claims by individuals alleging their personal information is not adequately safeguarded.
Third, compromised university security systems and their users are also potentially exposed to ransomware, an unfortunate new risk of operating in today’s web environment. Think this will never happen? Just this month, after futile efforts to crack the ransomware that had infected them, the University of Calgary paid hackers $20,000 (Canadian) to restore access to data that those hackers had turned into the digital equivalent of gibberish. The university reported that more than 100 of its computers had been affected, and cautioned that the decryption keys they received “do not automatically restore all systems or guarantee the recovery of all data.”
Finally, those who deem illegal pirate operators like Sci-Hub to be above using the stolen journal access credentials they possess to also steal university intellectual property and confidential information should bear in mind that the hackers who we believe directly or indirectly assist those operators certainly seek to exploit rather than protect personal data: i.e., there is every reason to believe that such individuals are intent on using stolen credentials for their own personal benefit, or are willing to aid others in raiding universities for valuable information.
Case in point: a hacker known only as “Peace_of_Mind” was profiled in a recent WIRED Magazine interview. “Peace” sells data on the dark web, where a “store” page of fenced credentials has a 100-percent user satisfaction rating, with feedback such as “A+++” and “…follows up with your questions and delivers promptly.” Peace’s selection of ill-gotten goods includes 167 million user accounts from LinkedIn, 360 million from Myspace, 68 million from Tumblr, and 71 million from Twitter – more than 800 million compromised usernames and passwords in total, and growing. “Peace” has boasted that stolen data are used for hackers’ own purposes first and then sold to others, with new data sales available every week. Our guidance to our global user community is this: please take seriously any advice to change your personal password(s) on these and other social media sites, and consult with your IT professionals on best practices for password maintenance and security at your institution, to help minimize your exposure to such identity theft.
We at the ACS have been grateful for the cooperation we have received and continue to benefit from as we partner with our customers and relevant law enforcement authorities to pursue more detailed investigation of the recent occurrences of piracy that have affected our professional society. Serious as these thefts are, the consequences to ACS and other scholarly publishers are just a fraction of the risks facing universities that remain exposed to unchallenged infiltration of their campus network systems. In that vein, ACS will be seeking to instigate high-level consultations within the scholarly publishing and university communities to address our shared global cybersecurity concerns. We welcome participation in that dialog.