What the Maastricht hack teaches us about communication

What does the hack at Maastricht University of December 2019 teach us in terms of communication? Crisis communication advisor Fons Elbersen has loads to say on the subject, and recently he did just that to members of the Eindhoven communication professional network CC-03 who had convened at the Communication Expertise Center. “It was the most exciting seven weeks of my life,” Elbersen says about the period. According to him, cybersecurity is a constant battle.

photo Richard Vijgen

As 2019 was drawing to a close, independent advisor Fons Elbersen and his wife were on their way to Zeeland for a low-key Christmas holiday, when he was suddenly called by Maastricht University. Two days prior, cyberhackers had taken hostage 267 computer systems at the higher education institute in Limburg. Elbersen was asked to come up with a communication strategy, take on the role of spokesperson and advise the Executive Board. He also joined the crisis management team.

Exam

“The attackers had already made their way into the systems in October,” he tells the communication network that holds monthly meetings and that has come to the Matrix building for this one. “A little door was left ajar and because that first hack wasn’t noticed, a lot more damage could be inflicted on the sixteen hundred systems used by the university. Hackers like to strike just before the Christmas holiday, when the ICT departments are on leave, but for Maastricht University it wasn’t a quiet period at all: 4,000 students were scheduled to take an exam on January 5.”

The very urgent problem was addressed by a rapidly assembled crisis team, which was assigned offices in a sequestered building. Elbersen prioritized including the Executive Board and the community as a whole in a transparent communication strategy. “It would have been foolish to bury our heads in the sand. The interests of our 22,000 students were at stake and we also had to take seriously the concerns of our 5,000 members of administrative, support and scientific staff. I wanted to be as open as possible. This didn’t mean we disclosed everything.”

Shame

At the end of December, massive media interest started developing. “People appreciated that we explained why we couldn’t yet disclose certain things and that we decided early on to answer all questions during a wrap-up symposium. Which we did, seven weeks later.” Until that moment, Maastricht University updated everyone twice a day via a website and via student associations, and also set up a helpdesk in every building. “We even reported if there was nothing to report.”

It’s impossible to take out insurance for cybercrime for ethical reasons. There were no attempts to negotiate down the amount of the ransom and the payment was made in bitcoin, valued at a total of 200K euro at the time, motivated by a desire “not to irritate the criminals”. In July of last year, it was announced that part of the ransom had been recovered and that it had gone up in value a lot thanks to the increased bitcoin exchange rate.

The communication strategist understands there’s an aspect of shame to a hack. “The fatal phishing email opened by a PhD student looked deceptively real. We also had to be honest about the ransom, as ethically I don’t think it’s right to not say anything about that. The thirty bitcoin was paid using public money. We owned up to not having had our security systems in order and to not having noticed the weak spot in time. This didn’t harm our reputation. If anything, I think the opposite is true.”

Internal awareness

It’s been said before, but Elbersen likes to reiterate: “Every university should expect to be targeted at some point. The question is how far you allow the attackers to get.” This is something that Martin Romijn, TU/e’s Chief Information Security Officer (CISO) at the time, warned the TU/e community about on the Cursor website shortly after the Maastricht hack.

To keep this awareness at the forefront of everyone’s mind, Maastricht University put up a fitting work of art in the central hall of its auditorium (see main photo). The little specks of light represent the hacking attempts made all over the world in the preceding 24 hours. Every country has its own color. The daily average is around ten thousand attacks. Eternal Blue, created by artist Richard Vijgen, shows that cybersecurity is a constant battle.

The meeting was also about what TU/e distilled from the crisis. Maarten van den Dungen, interim director of the Communication Expertise Center until the end of this month, says there’s more awareness and serious drills are taking place. “Our Computer Emergency Response Team (CERT) is in active contact with other institutes of higher education. We’ve made a progressive model with a ‘what if, what if’ scenario. What’s certain in any case, is that each hack is different.”
