In June the University of Calgary, while recovering from a significant malware incident, chose to pay a $CDN 20,000 ransom for a decryption key related to a piece of ransomware.
Several weeks later, Linda Dalgetty, Vice-President Finance and Services at the University of Calgary, was quoted in the Calgary Herald as saying that while the University’s cyber insurance policy did not cover the ransom, it was instrumental in helping the school recover after the attack.
I have no doubt there were exceptional efforts made, and tough decisions taken using the best information available at the time, that will remain known only to those directly involved with the efforts to protect the University’s data assets and recover its systems. But the public information available about this incident leads to the conclusion that cost, both in terms of outlay by the University and lost staff time, was the primary factor in making the decisions related to this incident.
And if that is truly the case, then that is of concern, particularly in relation to the choice to pay the ransom.
From a financial perspective, paying the ransom may have been the best decision for the University. But by doing so, the University provided a compelling incentive for ongoing unethical and criminal behavior. And many of the future victims of the malware that the University chose to finance will not possess the financial and technical resources that a large organization, like the University, can bring to bear to recover from their victimization.
Universities, because of their role in our society, must be held to a higher standard than private organizations. While there would be some consideration made for self-disclosure, if a U of C student or faculty member were to reveal that they had paid $20,000 to a criminal organization to advance their studies or research, there would be serious repercussions. So I fail to understand why, when it comes to the administration of their information technology, the University appears to feel that financing criminal activity is the appropriate thing to do.
This topic came up in discussion with my parents, who are 81 and 88, and worked to send all three of their children to the University of Calgary. While they use tablets and computers, they have no background in IT administration. But their position was unsolicited, unequivocal, and based on a lifetime of experience: paying the ransom was the wrong thing to do.
The University of Calgary is hardly unique in considering cost as the primary factor when making decisions related to information systems. But this incident provides a good case for examining whether, in today’s Canada, where we are entirely dependent on information systems for our academic, financial, and civic functions, and where our information systems are increasingly interconnected and interdependent, we can continue to let decisions related to IT be made based solely on the short-term outcomes of an individual organization.
Perhaps it is time to establish foundational baselines of acceptable professional practices in Information Systems, just as we have chosen to do in finance, engineering, and medicine.
The upside of this situation is that the University of Calgary, unlike most organizations that will fall victim to ransomware, has at its disposal the talent, resources, and facilities to provide meaningful support to its community and stakeholders to mitigate some of the harm that will result from its action.
I would hope that going forward the University will choose to become a leader in seeking out and working with exceptional students, outstanding faculty, IS professional groups, and IT product and service providers, towards meaningful progress in improving the practice of Information Systems in Canada, and the reliability and trustworthiness of the information systems we all rely upon.
For in the long run, that will accomplish more than trying to redress a regrettable decision made in the heat of a crisis.