On September 28, 2015, Rutgers University experienced another DDoS attack—the fifth such attack in less than a year. Now some students and parents are asking for a refund of a portion of the tuition they have paid, attributing the demand to the university's inability to keep services available. You see, the university's Board of Governors approved a 2.3% increase in tuition for the 2015-2016 school year with the explicit intention of putting the additional funds toward cybersecurity protections that would mitigate such attacks.
Engineering student Riccardo Mui says he isn't getting his money's worth from the tuition hike. In a change.org petition demanding a refund from the university's president, he wrote:
Since I came to college, I expected at least decent internet speeds, and while it usually holds up, we get DDoS attacks every time an exam rolls around. Now I would not say anything, yet I feel the need to tell all the students to join together to either get a refund or to make Rutgers change something on their own time. Why? Because Rutgers spent over 3 million on upgrading the network, yet only $160,000 actually went to physical upgrades. Also, they used Incapsula as a DDoS attack defender, which is decent for websites, but definitely not for a University. Besides, we literally wasted all of our money because as soon as an attack was launched, it took down the network. Since there was a tuition increase, it is only fair that we get that money back.
Within hours, the online petition had hundreds of signatures of similarly fed-up students.
After doing just a bit of research, I'd say these students have a very legitimate complaint about the way their tuition funds have been spent (or not) on boosting cybersecurity for the university. Let's look at what's been happening over the past year.
Apparently the problems started in November of 2014. Rutgers experienced a DDoS attack on November 19 at around 10:00 PM—a time when most first-year university students were preparing to register for their spring classes.
Then on Friday, March 27, the university was hit by a denial of service that also interrupted students’ and faculty members’ Internet access. Rutgers technicians were able to eventually restore full service on Tuesday, March 31. The FBI was called in to investigate the source of this attack.
Before the FBI could solve the March madness, another attack occurred. On April 27, the university’s Internet service went down at around 10:00 AM. Many online functions were unavailable to students, professors, and Rutgers staff for several days.
This is when the university decided to address the problem with better cybersecurity. In August 2015, The Washington Times reported that the university had hired FishNet Security, Level 3 Communications, and Imperva to enhance the university’s security as classes resumed for the 2015 fall semester. The newspaper also stated that Rutgers would spend between $2 million and $3 million on information security measures—thus the 2.3% increase in tuition and fees. Bruce Fehn, Rutgers’ senior vice president for administration and leader of the ongoing security effort, said at the time that the school has made progress in better protecting itself since the attacks earlier in the year. Prepare to eat your words, Bruce.
And that brings us to September 2015, when the latest attack took critical systems offline for hours at a time, prompting the demand for a tuition refund.
Is this really that hard of a problem to solve? The university has the money, and they've assembled some prominent technology and consulting firms. Maybe they should consult with some of their own Computer Science graduate students. After all, U.S. News and World Report says that Rutgers, The State University of New Jersey, has the 34th best Computer Science graduate program in the country. Here's an opportunity for those bright young minds to get some real hands-on experience with implementing an effective DDoS defense solution.