In December 2019, Maastricht University’s computer systems were suddenly brought to a standstill. Cyber criminals demanded a ransom, which the university paid. It was a wake-up call for higher education, although it was by no means the final incident.
As recently as this month it turned out that the HAN University of Applied Sciences in Arnhem and Nijmegen didn’t have the proper security in place. A hacker made off with private data and likewise demanded money. The institution wouldn’t pay and the data was made public.
Last year, the Inspectorate of Education started an investigation to survey the state of digital security in higher education. The report was sent to the House of Representatives this week.
The conclusion is that it could be done better. Educational institutions have done a lot with passwords, backing up data and raising awareness among students and staff, but it still isn’t enough.
This puts the Inspectorate in a quandary. In the Netherlands, higher education institutions have considerable autonomy. They make their own decisions about housing, teaching, human resources policy, and so on, and therefore also about their cyber security.
“The step from autonomy to a lax attitude is, however, a small one”, the inspectors fear. The autonomy of educational institutions limits the possibilities of improving cyber resilience nationwide.
The conclusion is that the government has to take “more control”. Right now, digital security at higher education institutions sometimes rests on the shoulders of a few specialised individuals. And that’s not really a good idea, no matter how dedicated they are to their work.
Some educational institutions aren’t hooked up to specialised cyber security platforms and networks, the report says, which means that they don’t have access to shared know-how, information about cyber threats and collective evaluations.
How much control should the government have? The inspectors don’t give any hard and fast answer, but seem to suggest that the government should come up with a financial solution. Right now educational institutions pay for their security measures from their total budget; therefore, extra investments will come at the expense of teaching, research and facilities.
The individual institutions also foot the bill for the financial repercussions of a hack. Suppose that the computer systems are down for three months: should you then pay the ransom? Maastricht University did just that, but it is not the desired outcome: it supports the criminals’ earnings model.
The Inspectorate is calling for solidarity within the educational system. “The burden of the cost of preventing breaches and finding solutions to hacks has to be collectively shouldered.”
Thus, one of the recommendations is that institutions of higher education have to join forces. They have to work together more closely and share more information. Due to fast-moving developments in IT, they also have to “keep learning and innovating jointly and actively.” Administrators have to factor cyber security into their risk analyses.
That can certainly do no harm. And yet the Inspectorate isn’t sure that this will be enough, the report reveals. There’s a problem with “stragglers”. A new regulator for cyber security doesn’t make sense either: it would take away from the openness, resulting in universities being less able to learn from each other’s mistakes.
In other words, the government has to shoulder its own responsibility. “Centralised control doesn’t necessarily have to be in conflict with decentralised management of teaching and research”, the Inspectorate writes in a hopeful vein.
But it would demand a major policy intervention. Presumably outgoing ministers will pass that decision on to the next government. It will all become clear on 30 September when the House of Representatives is scheduled to debate the topic of cyber security in education.