The University of Michigan was without full internet access after staff shut the school's connections down in response to a "significant [cyber]security concern" at the beginning of the new school year. The internet shutdown affected campus IT systems used for research and fundraising and could delay financial aid reimbursements.
Although campus computers were generally cut off from the public internet, students were finding workarounds via their cell phones. University staff have made progress in helping students access resources from off-campus computer networks, but the recovery remains ongoing. The school, which has about 50,000 students at its flagship Ann Arbor campus, acknowledged the "major inconvenience" the internet outage caused at the start of the school year. Many students had trouble accessing lecture materials online because of the internet outage, which has forced some to return to off-campus housing to get work done between classes.
The cause of the outage was unclear. The university's statements suggested malicious cyber activity was to blame.

Source: Sean Lyngaas, CNN, "University of Michigan shuts down school's internet connections following 'significant' cybersecurity incident," cnn.com (Aug. 29, 2023)
A cyber defense plan should include specific procedures to follow when a cyberattack or breach is detected. What happens in those critical first few moments of an attack may be the difference between a quick return to operations or months of expensive and complicated recovery.
The U.S. Federal Cybersecurity & Infrastructure Security Agency (CISA) has published a document titled "First 48": What to Expect When a Cyber Incident Occurs, which sets out best practices to follow if your organization is the victim of a cyberattack.
CISA recommends removing any affected devices from the network to stop or slow the spread of the incident. However, while removing the devices from the network, do not power them off, as doing so may destroy valuable information held in the flash memory. Attackers will often place items in the flash memory to hide their tracks, and powering off affected devices may erase these indicators. It is also crucial to capture and preserve forensic evidence to the greatest extent possible while ensuring system logs remain available for review.
CISA acknowledges that removing devices from the network, whether physically disconnecting them or blocking internet or intranet access, will affect users. This should be considered in the plan.
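The ordering CISA's guidance implies (capture volatile evidence first, then cut the network, never power down) can be scripted so responders do not have to remember it under pressure. The following is an added example for a Linux host, not code from the article or from CISA; it assumes `iptables`, the common Debian/RHEL log paths, and that an analyst address is to keep SSH access during isolation.

```shell
#!/bin/sh
# Added example (not from the article or CISA): run the "First 48" steps in the
# right order on a Linux host. Evidence that vanishes on power-off or changes as
# soon as the network drops is captured first; the host is then isolated with
# firewall rules rather than a shutdown. The isolation step needs root.

# Snapshot volatile state and copy the logs an intruder might later wipe.
# Prints the number of files recorded in the hash manifest.
collect_volatile_evidence() {
    outdir="$1"
    mkdir -p "$outdir"
    date -u +%Y-%m-%dT%H:%M:%SZ > "$outdir/collected_at.txt"
    uname -a > "$outdir/uname.txt" 2>&1 || true
    who > "$outdir/who.txt" 2>&1 || true
    ps -ef > "$outdir/ps.txt" 2>&1 || true
    # Open sockets and neighbour cache show who the box was talking to.
    (ss -tunap 2>/dev/null || netstat -tunap 2>/dev/null || true) > "$outdir/sockets.txt"
    (ip neigh 2>/dev/null || arp -an 2>/dev/null || true) > "$outdir/arp.txt"
    for f in /var/log/auth.log /var/log/secure /var/log/syslog; do
        [ -r "$f" ] && cp "$f" "$outdir/" 2>/dev/null || true
    done
    # Hash every artefact so the collection can later be shown to be unmodified.
    (cd "$outdir" && find . -type f ! -name manifest.sha256 -exec sha256sum {} + \
        | sort -k2) > "$outdir/manifest.sha256"
    wc -l < "$outdir/manifest.sha256" | tr -d ' '
}

# Cut the host off from everything except the analyst's SSH session.
# With DRY_RUN=1 (the default) the rules are only printed for review.
isolate_host() {
    iface="$1"
    analyst_ip="$2"
    cmds="iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $iface -s $analyst_ip -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o $iface -d $analyst_ip -p tcp --sport 22 -j ACCEPT"
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | while IFS= read -r c; do $c; done
    fi
}

# Typical use, evidence first and isolation second:
#   collect_volatile_evidence /root/ir-$(hostname) && DRY_RUN=0 isolate_host eth0 10.0.0.5
```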
In the case of the University of Michigan breach, a good response was to shut off all internet access to and from the infected system. This is a necessary, albeit inconvenient, task to accomplish. Isolating the system from all outside connections can keep additional viruses, bots, or worms from further infecting the system, and prevent any stolen data from reaching servers operated by cyberthieves.