For the fifth time, the IT organisation SURF devised a national exercise on cybersecurity: what do educational institutions and the Ministry of Education, Culture and Science do in the event of a nationwide attack on their systems? Last week, around two thousand employees from ninety different institutions took part.
Such a crisis is not unimaginable: last January, Eindhoven University of Technology had to fend off a dangerous attack. The most notorious hack occurred five years ago at Maastricht University, where ransomware locked down systems and files.
Protest
The story of these exercise days: a peaceful student protest takes a grim turn when a small splinter group of hackers disrupts the systems in vocational and higher education out of anger over budget cuts.
But how do they achieve this? According to the scenario, by signing a petition, people accidentally download malware that unwittingly turns their computers and phones into participants in a DDoS attack.
'Hard work'
“It was a bit of hard work”, says Tom Hoven. He is the spokesperson for SURF and participated in the exercise. Therefore, he was also unaware of the situation when it began. “The scenario is packed into six hours, so we had to switch quickly. But it was very educational. You see on such a day how the lines of communication work and where the gaps are. It is good to do something like this with the whole sector.”
It turns out to be useful to know each other in advance, he says. “Then you don’t have to start from scratch with an introduction. That really helps.”
Is it realistic that students turn out to be the enemy, rather than, say, Russians or North Koreans? “The scenario is always intentionally a bit exaggerated”, says Hoven, ‘but the crisis itself is realistic enough.”
Local protests
In the office of SURF, the crisis team gathered. The institutions participated from their own locations and sometimes faced their own issues. “For example, they had to deal with local protests”, says Hoven. “We didn’t have that at SURF.”
Students acted as journalists with challenging questions. The Association of Universities of Professional Education and the universities’ association UNL also practiced, but not together: higher education and universities each had their own training day. The Ministry of Education, Culture and Science participated on a different day, along with the vocational education institutions.
The staff, for instance, needed to exchange technical information: what are the ‘fingerprints’ of the cyberattack and how can they be neutralised? Who needs to receive this information?
Wise lessons
Hoven is not yet sure what the wise lessons from this exercise will be, but he found it helpful to experience the structure of the crisis meetings. “Such a meeting has to be as concise as possible because, in a crisis, you cannot spend an hour and a half talking. It was very valuable to practice this once. By the third crisis meeting, you can already tell that things are moving much faster.”
SURF will evaluate the proceedings and share the lessons learned. The outcomes of previous exercises have also been shared.
