The first working day after the hack
MAASTRICHT. To everyone’s relief, the e-mail system could be used this Tuesday. But on the first Monday of 2020, that wasn’t possible yet. How did that day go? And what do students and staff think about paying ransom money?
It never rains but it pours. Just like at the other faculties, employees at the School of Business and Economics can’t e-mail or use the Internet (they can if they use Wi-Fi), but they are also sitting in the cold: the heating has given up the ghost. Still, it was busy at the faculty New Year’s reception. It was announced there that e-mail and Internet would be operational the next day or at the latest the day after that, on Wednesday.
Just like other deans, already Peter Mollgaard returned from his holiday in December, in his case from Denmark, in order to offer help dealing with the hack. What does his working day look like today? The first thing he did this morning was to change his password and have his laptop checked. SBE staff can have their laptops protected at the info desk in the computer room. By midday, hundreds of employees have already been there.
After that, Mollgaard gauged the mood at the school, but all was well. The faculty crisis team also met this morning for an update. What is the state of affairs? At least the SBE resits this week can proceed.
A relaxing start, as is usually the case in January, won’t be possible for some lecturers, because the resit exams will have to be checked within five days. After all, at the end of the month there is the extra resit scheduled by the Executive Board. This means that an additional exam will have to be put together. Students who have already passed are also allowed to take part. This is something that SBE abolished years ago, but well, necessity knows no law.
No, movement scientist professor Matthijs Hesselink hasn’t had too many problems as a result of the hack. “I have plenty of work for which I don’t need to be online: marking block exams, writing papers. I saved my data locally, using SURF. And I work on my laptop. It is a nuisance that you can’t e-mail. I now exchange files through WhatsApp.”
He started again today, Monday 6 January. “I have had two weeks’ holiday. I did plan a couple of things, but well, those didn’t happen. I enjoyed it.”
The fact that ransom money was paid to get the systems up and running again, “well, they will have thought about that. It is easy to say that you shouldn’t give in to the pressure of blackmailers, but that might be just a tad too easy.”
Toxicologist professor Jos Kleinjans primarily misses the e-mail system not being operational. “One is very much dependent on it, agendas and such, everything is a mess. You don’t receive any information about deadlines of projects that are carried out within a consortium, there will be an evaluation from the European Committee, you don’t hear anything, you don’t even know if there has been any communication at all. That is quite difficult.”
Other than that, he says, they don’t have very many problems: “The hack focussed in particular on Windows servers, most of what I work with is Linux. I still don’t know if that has been affected, we have to know for sure before we can do any data analyses. That has been halted for the moment. By the way, I’m not afraid at all that those hackers will do anything with our scientific data, nobody can do anything with it, as far as I’m concerned, I can throw it out on the streets. To be able to do anything with it, you have to be well-up on the matter.”
Mathematics professor Ralf Peeters also mainly misses the e-mail system. “That is the greatest bottleneck. I am on an NWO committee that assesses proposals, there is a meeting in February and I am still expecting pieces. We are also working on scholarships for China, you don’t want to start using a different e-mail address for that, because it wouldn’t make good impression, I also don’t have the previous correspondence at hand. But otherwise? I work on a MacBook, I have my own files, I got a new computer at the beginning of December and I made backups of everything, so that turned out to be a good thing. The fact that Knowledge Technology is moving to Randwijck - a lot had been tidied up - is now a minor godsend.”
Asked what he thinks about paying ransom to cyber criminals Peeters says: “In principle, everyone is against payment of course, but if you can solve your problems in this relatively cheap way, then I understand that one would do so. Colleagues here said: ‘If they get everything up and running again within a month, then they will have paid.’ Look, two hundred thousand, that is the price you pay for a PhD position, one more or less is not going to make that much difference. You don’t need to think long and hard about amounts like this.”
Peeters is a little afraid of potential damage to the university’s reputation. “What would you do if you were about to choose a university? I don’t know.”
Professor Sally Wyatt, programme director of the new bachelor’s programme of Digital Society (FASoS), is especially glad that the cyberattack didn’t happen a week earlier, on 16 December 2019. “We had a lot of deadlines that week for our students: assignments, papers, exams. They had to upload them to the Student Portal. If that had not been possible, or if data had been lost, then that would have given us a lot of problems.”
She points out how closely all systems are connected to each other within the UM. “The digital projectors don’t work; you can’t give a PowerPoint presentation today. These are minor irritations. But if part of our IT system is attacked, that has consequences for the rest. We should work more in compartments. It makes me think of large ships: those are built in such a way that if the hull suffers a leak, only part of the ship is filled with water.”
“I have only just realised how dependent I am on e-mail,” she says on Monday, 6 January. All communication with colleagues is through Twitter, LinkedIn, phoning, WhatsApp and other e-mail addresses since the cyberattack. As far as the ransom is concerned: “I don’t think a couple of hundred thousand is a lot, it suggests to me that these were amateurs. I cannot judge whether it is wise to pay up. I would have to know more: what was the exact threat? Did they want to destroy all systems? Make all data public? What are the legal options?”
Wyatt is impressed by “how quickly and thoroughly” the university reacted. “Some colleagues complained about how little the UM communicated, but that is very difficult. You must be careful that you don’t play into the hackers’ hands. It is a balancing game: what do you say and not say.”
The book on digital threats by Volkskrant journalist Huib Modderkolk ‘Het is oorlog maar niemand die het ziet’ (It is war, but no-one sees it) has been on her reading list for some time, but since the cyberattack it has risen on her list, Wyatt grins.
Sense of justice
First-year student of Dutch Law Iris Schütt is studying in the common room of the law faculty for her resit, at the end of January. In answer to the question whether she has been put out by the cyberattack, she shakes her head. She has all her material at hand. The only minor point: “Printing isn’t possible.” In addition, she is very curious to know the grades for her second exam. She can’t find them online yet.
For third-year students Eelke Zurhorst and Bart Dings, the damage isn’t too great either. Dings: “I’m working on my thesis, which fortunately is on my laptop. But it’s a pity that I cannot access the Student Portal to check the guidelines for writing my thesis.” Dings and Zurhorst do not have any current blocks, only the moot court. Zurhorst: “It’s a drag that we cannot e-mail with lecturers or our client. Indeed, it is a ‘real person’, not a fictitious one. I think we should drop in on the moot court coordinator.”
They are, however, satisfied with the way Maastricht University has handled the matter. And the ransom that was paid? “Well,” Zurhorst starts. Her face says enough: paying ransom is not great, it keeps the criminals in business. “You don’t want to reward them.” At the same time, she realises that the trouble could have lasted longer and the costs would probably have been higher if the university had not paid up.
Dings’ sister works in cyber security and could see the payment coming, he says. He does understand the UM’s choice, “although it goes against my sense of justice. But how much do you think those professionals cost who were called in to help solve the matter?”
Master’s student of Strategic Marketing, Didier de Loo, who is working in the Student Services Centre, thinks that paying was the cheapest solution, however unethical it is. He was on holiday and did not have to worry about any deadlines. His proposal for a master’s thesis needs to be submitted soon, but he doesn’t need the Student Portal or EleUM to do so. He can find plenty of sources on the web.
The UM has handled things well, according to Carmen, a student of Biomedical Sciences who does not want her last name in the paper. “Although paying a ramson, if that’s indeed what has happened, gives me mixed feelings. It feels as if those criminals now get our lecture fees. Then again, if there was really no other choice, I understand.”
Medical student Laurens den Butter agrees. “Of course, one doesn’t want to encourage crimes like these, but if it cannot be solved in any other way, there is nothing else you can do.” He hasn’t been greatly affected by the cyberattack. “I was on holiday and we don’t have resits until the summer. In fact, it was a good reason for taking a break. You couldn’t look up anything anyway.”
In the hall of Universiteitssingel 40, Carolien Martijn, director of the Faculty of Psychology and Neurosciences, and Rosanne Janssen, head of the Research Support Department, are ready to answer questions that students may have. They are struck by the students’ relaxed attitude. “They come in waves, this morning it was busier than it is now, but nobody is panicking,” says Martijn. “Most of them have already changed their passwords and now need a little help getting back onto the Wi-Fi network. Or they have a question about the timetable, which we have printed and hung up. This morning, I dropped in on a lecture for second-year Psychology students to update them all in one go and we even got an applause.”
Wammes Bos, Wendy Degens, Cleo Freriks, Riki Janssen, Maurice Timmermans