Editor’s Note: Today’s post is by Susie Winter. Susie co-chairs the Scholarly Networks Security Initiative Communications Working Group and is VP, External Communications at Springer Nature.
It will come as no surprise to those who work in higher education, or follow developments in the sector, that cyber-attacks are on the increase. The National Cyber Security Centre (NCSC) in the UK reports that, since late February 2021, ransomware attacks on the UK’s education establishments, including schools, colleges, and universities, have increased. With library networks often on the front line, how aware are librarians of the threat posed by cybercrime and, crucially, do they know what steps to take if their network has been compromised?
Awareness of cybercrime
Recent research from Shift Learning following a survey of over 250 librarians, commissioned by The Scholarly Networks Security Initiative (SNSI), shows that, even given the increased threat identified by the likes of NCSC, levels of understanding are worryingly mixed. While most librarians have some understanding of cybercrime and data security issues, the level of understanding varied depending on the size of their employing institution. For example, those working in large higher education institutions were more likely to describe their level of understanding as ‘expert’ across a range of threats such as phishing, viruses, data theft, and theft of log in details, than those working at a small or medium institution. However, across the board, there was still strong understanding that these activities posed a network security risk with the impact on the security of staff and student data, and the reputational damage that a cyber-attack could inflict, concerning librarians the most.
Help and support
In contrast, there was almost unanimity amongst librarians as to who they would go to if they suspected their institution’s network had been compromised. 96% would contact their IT department and 85% would report it to their security department. Reassuringly, 85% would also tell other librarians, and 67% would take direct action to restore the integrity of the network. However, the research did uncover a level of hesitancy amongst librarians to discuss with students how to prevent future network breaches, with only 43% saying this would be something they would do or something they would add to a security log for future reference and picture building (25%).
Why this matters
While 65% of librarians said that the theft of personal data was a concern, and 56% were concerned about the theft of university log in details and credentials, many librarians’ knowledge of illegal websites which deploy such practices to gain access to content, such as Sci-Hub, was more limited. Less than half (43%) worry sites like this may have access to their institution’s network and 23% of respondents were unsure if students using these sites would put their institution network at risk.
In addition, the research also revealed that whilst 64% disagreed with the view that it’s fine for librarians to recommend using these illegal sites, and 45% agreed that using these sites is wrong, 47% agreed that these sites are useful for learners.
The research also revealed some confusion amongst respondents as to what is an illegal site. 62% were familiar to some degree with illegal websites, with 63% naming Sci-Hub as an example. However, 21% were unsure and other answers to the question whether they could name an example included legal sites and services such as Google Scholar, Research for Life, ResearchGate, and Academia.edu. It also means that, when asked directly, whilst 84% of respondents had heard of Sci-Hub but only 62% had heard of illegal sites that offer scholarly resources, 22% have heard of Sci-Hub but don’t connect it with being illegal.
What this means
For many librarians, illegal sites like Sci-Hub are clearly a paradox; they agree that it shouldn’t be used and wouldn’t actively recommend it, but they tend to agree with some of the principles it promotes, such as free access to research content. The result of this is that they may be inclined to overlook its use and unwittingly expose their institutions to cyber-attack, potentially compromising researchers, faculty, and student personal data.
This gap in understanding is in stark contrast to warnings from the likes of the City of London Police in the UK. Its Police Intellectual Property Crime Unit (PIPCU) has publicly warned against the use of sites such as Sci-Hub primarily because of how they operate — by using, amongst other means, phishing emails to trick university staff and students into divulging their login credentials. These are then used to compromise the university’s network. PIPCU reports that many universities around the world have suffered intrusions as a result of access credentials being stolen when visiting the Sci-Hub website.
What, therefore, are the key takeaways from this research?
- Respondents had limited confidence around cybersecurity. The open responses in particular revealed a lack of knowledge of how cybercrime works, what to look out for and how to prevent it.
- They were mostly concerned with data protection and ensuring their colleagues, students, and institutions were safe with the theft of student or staff data being a top concern.
- Librarians’ first port of call if there was a security breach was their IT department, but findings did indicate that librarians see cybersecurity as somewhat outside their realm of responsibility and that they would be unlikely to speak to students about network security
- Sci-Hub was considered a paradox. While librarians felt that recommending the use of websites like Sci-Hub was wrong, they were also sympathetic to its use. There was also some familiarity with the name Sci-Hub, however most lacked a comprehensive understanding of what it is, how it works, and the associated security risks such as access to personal data, with some unsure if it is illegal
With pressures on their time, an ever-changing research ecosystem to understand, and having to manage through a global pandemic, it’s perhaps no surprise librarians are not fully aware of the cyber-security threats sites like Sci-Hub pose. This makes the help organizations such as SNSI can provide that more important. By providing security checklists, training, information on risks, and opportunities for collaboration, librarians can increase their awareness of cyber security issues, the ‘flags’ to look out for, and build their knowledge in the actions they can take to protect their data and their network.
*This research was conducted prior to Russia’s invasion of Ukraine. Since then, Jisc has warned UK Universities to brace themselves for Russian cyberattacks.
Discussion
5 Thoughts on "Guest Post – Cybersecurity and Academic Libraries: Findings from a Recent Survey"
I am still waiting for some concrete evidence that just visiting sci-hub poses a security risk.
When credit card skimming malware is installed on online stores, tech websites run articles describing how the malware works, where it is sending data and where malicious scripts are coming from. For sci hub all we hear are allegations with no proof. I can’t get phished visiting sci hub because I don’t give them my email or any other personal info. So if they’re sending malware or keyloggers to my browser, why can’t anyone describe what that malware is doing?
The naivete among librarians about Sci-Hub is sad and alarming. Too many accept the hype about free access and ignore the real dangers that are involved for faculty and students.
You seem to be a good candidate to reply to “Sci hub user” in the comment above yours.
Yes please.
I’ve never had any kind of security alerts from visiting sci hub or using their PDFs. So I need more than “real dangers” and references to ongoing police investigations. I don’t think it’s unrealistic to want to hear about readouts from network analysis software or see some screenshots of dodgy code.
Millions of people are using sci hub. If there is real evidence it needs to be published to convince us to stop and to get IT departments to add their domains to their blocklists.
There’s an important nuance around the issue of cybersecurity and sci-hub that I find is often missing in articles discussing the topic, including the warning put out by the London police. This is easy to spot by anyone who understands how a web browser works. There’s two very different scenarios that must be considered independently:
1. You access sci-hub. When you go to sci-hub and view/download a paper, the chance of your account credentials being compromised are no greater than that of any other website you might access that day. Web browsers run JavaScript code in a sandbox so that it is prevented from accessing files on your hard disk, opening connections to your local network and other non-origin servers, and otherwise getting access to things it shouldn’t.
While exploits are sometimes found that malicious sites can use to bypass these, they are patched quickly, so making sure browser and operating systems are kept up to date in a timely manner (which often happens automatically) provides good protection. This is standard cybersecurity practice that everyone should follow, along with things like not running untrusted executable files etc. Even if sci-hub *were* malicious in this manner (which I doubt, but it’s theoretically possible), following good security practices is essential. In practice, you’re far more likely to encounter malicious code in 3rd party advertising scripts used on many websites, particularly those of the adult nature.
To sum up, the risks of simply *using* sci-hub are basically zero.
2. Sci-hub access you. This is the *real* risk to be concerned about. I don’t know how exactly sci-hub obtains credentials, but phishing emails and other techniques are probably among their tactics. It’s crucial to understand here that the level of threat an institution faces is *completely independent* of whether or not people at that institution use sci-hub just by accessing the website. Even if a university were to convince all staff, students, and visitors to never access sci-hub, and block it on their network, the incentive for sci-hub to steal credentials remains the same, and avoiding/blocking the website offers zero protection against whatever mechanisms they may use to gain those credentials.
Especially in this second case, good cybersecurity practices (including awareness among users) are essential. This as true for the risk of credential theft from sci-hub as it is for the risk of credential theft from any other parties. One can speculate about what sci-hub might use those credentials for other than downloading paywalled journal articles (my guess is probably nothing), but regardless, there are security risks from many actors, and suggesting that this has something to do with case 1 at best indicates a poor understanding of technology, and at worst risks potentially being seen by some readers as disingenuous.
Sci-hub is both illegal and popular. The only reason it exists in the first place is because of the use of paywalls to restrict access to publications, and limitations on who can distribute articles and where. While I’m against the practice of credential theft, I nonetheless acknowledge that the paywalls creates an incentive for it. In a world where all taxpayer-funded research were openly available without restriction, sci-hub would have no reason to exist in it’s current form. I don’t know if and when we can reach such a world, but in the meantime, I think arguments against sci-hub are stronger if they avoid mischaracterizing cybersecurity risks.
