Universities launch cyber attacks against each other

Exercise Mercury, organised by Jisc, is an ethical hacking competition designed to expose weaknesses in cyber defence

Twenty UK universities have signed up to take part in a cyber attack exercise that aims to expose weak spots in their systems that could be exploited by illegal hackers.

The competition, Exercise Mercury, aims to benchmark security in the higher education sector and share the resulting information for the benefit of all.

Universities are paired off and spend a week attacking each other using an internal team of staff and students to uncover vulnerabilities in processes, policies, procedures, technology infrastructure and digital footprint.

Teams typically spend two days checking out what’s most important to the opposition (sensitive research, for example) and the remainder of the week working out how to cause the most damage. Using open source intelligence and social engineering techniques, the hackers perform a controlled simulation of an attack with clear legal boundaries. The winning team is the one that would have made the most negative impact.

Exercise Mercury, which is free for all participants, was launched at the Jisc cyber security conference in November 2018.

Once all 20 universities have been tested, which will take roughly six months, the data will be collated and Jisc will share information on the UK higher education sector’s common vulnerabilities.

Jisc runs the national research and education network, Janet, which has in-built cyber security protection. The organisation also monitors the network for security incidents and, through various services and advice, helps its members (colleges, universities and research centres) to protect their own cyber space.

Jisc’s director of security, Steve Kennett, said: “Through our relationships with security agencies, such as the National Cyber Security Centre, Jisc is doing all it can to collate and share intelligence on cyber attacks for its members. This excellent competition will provide even more valuable information. We hope it will give us a better idea of the actual security landscape in higher education.”

Professor Rain Ottis, head of the centre for digital forensics and cyber security at Tallinn University of Technology, Estonia, said: “This truly is a win-win situation. The only losers from this exercise will be wannabe attackers, as it will reduce exposure to vulnerabilities. It will also allow us to understand what the problems are within our industry, as well as providing international connections to better share proper threat data.”

To find out more, or to sign up to take part, visit exercisemercury.eu.