Since the severe cyber attack on Maastricht University, institutes of higher education are feeling the jitters. Due to a hack with ransom software at the end of 2019, Maastricht University was forced to pay nearly 200,000 euros in ransom to regain access to its servers.
One consolation: since that time, higher education has taken important steps in tackling cyber threats. It’s in a letter to Parliament written by outgoing Minister Van Engelshoven.
Limiting the damage
The Minister feels that institutions are collaborating well, exchanging information and not being secretive when an unexpected hack or attack takes place. This means that the damage experienced in recent incidents remains limited, she writes.
The Minister referred to hacks at Amsterdam University of Applied Sciences and University of Amsterdam and at Inholland University of Applied Sciences as examples. The ransomware attack on research funding body NWO was somewhat more problematic: the network was down for weeks and grant procedures had to be suspended. NWO, UvA and HvA will be evaluating the state of affairs and sharing lessons learned with the sector, the Minister writes.
In the meantime, educational institutions are hard at work on their ‘lines of defence’. The ICT educational foundation SURF helped out before with its own crisis team (SURFcert), but has now set up a security operations centre (SURFsoc) at the request of those in higher education.
Under the motto ‘an ounce of prevention is worth a pound of cure’, this information security centre will closely monitor the institutions’ networks and identify any potential threats. Surveillance goes on twenty-four hours a day, seven days a week.
The institutions will all eventually be linked to SURFsoc, the Minister anticipates. Wageningen University & Research was at the front of the line and in the coming weeks will be followed by Fontys University of Applied Sciences, Maastricht University and Leiden University Medical Center. The Dutch Research Council and research association Royal Netherlands Academy of Arts and Sciences will also be coming onboard.
Martin de Vries, who was appointed Chief Information Security Officer at TU/e in March of this year, says that our university will also join SURFsoc. TU/e is currently working hard to connect its ICT system, according to De Vries. “We expect it to be operational in the week of 14 June.” From that moment on, sensors within the TU/e network will send data to SURFsox, where it will be analyzed by Fox-IT experts. “They will give advice on how to deal with any suspicious activities they might come across. It’s good to this jointly, because that way universities can learn from each other.” TU/e will also start a university wide ‘security awareness’ campaign after the summer, about which his colleague Bart Luijten recently talked to Cursor.
Some institutions believe that the system can be more finely tuned to their needs. The universities of applied sciences will be looking into this together with SURF. The same holds for NWO institutes.
In addition, institutions are taking part in internal and external audits and large-scale cyber crisis exercises. They are also organising training sessions and information campaigns to raise awareness among staff and students regarding digital security. People are always the weak link, the Minister writes. Her final point is that the Inspectorate of Education will be presenting results of a study on digital security in higher education before the end of this quarter.
The Minister accepts the fact that, despite all the effort, educational institutions can never protect themselves 100 percent against cyber criminals; watertight security is not feasible in any sector, she writes.