A look back on 2020 with Nick Bos, vice chair of the Executive Board
No, 2020 was certainly not an easy year, admits Nick Bos, vice chair of the Executive Board. But – barely a minute into the interview – he also says that he doesn’t want this to be the story of a board member complaining about long working days and high work pressure. On the contrary. “I realise all too well that I’m in a privileged position: my children have already moved out, my home situation is simple. It’s very different from that of the lecturers who, last spring, had to move their teaching online overnight, with two or three children to homeschool, sometimes in small houses. It was and still is very difficult for everyone. We’re asking a lot of our staff and students. At the same time, I’m proud of how we all managed to ensure the continuity of our teaching and research together. I’m grateful that the students are quite content despite everything, even if the situation isn’t ideal.”
He won’t be complaining, but he will be telling the story of how to deal with two major crises in quick succession: first the cyber-attack that hit UM on 23 December 2019, followed by the COVID-19 pandemic in mid-March 2020, when the university was still feeling the aftermath of the cyber-attack. Both times, Bos was the head of the crisis management team (CMT). “I had never experienced a crisis of that magnitude before. We had practiced, though, and of course we’d also learnt from smaller crises. No, I won't mention any – I don’t want to bring them back up.”
Healthy level of stress
He proved resistant to the pressure that comes with these kinds of events. “I don’t get nervous easily, but I do always feel a healthy level of stress. That’s good; it helps you think clearly, which was necessary. The most important question in those first few days around Christmas 2019 was: were we going to pay the cybercriminals? What would happen if we didn’t? We thought through all the options, supported them with arguments and then presented them to the Supervisory Board, the deans, the directors. In the end, we agreed. If we didn't pay [the sum of nearly 200,000 euros], UM would be out of commission for about three to four months. The damage would be between 20 and 25 million euros per month, our calculations showed. This included 18,000 students being delayed in their studies, graduating later than expected, having to rent a room for a longer period, taking out higher student loans, research being delayed, and so on.”
Press waiting outside
And then there was the press literally waiting outside the ICTS office on Grote Looiersstraat, where the CMT was headquartered. “What were we going to do about them? We eventually made a conscious decision to go public with everything when the moment was right for us – once we had a clearer idea of what had happened and our systems were up and running again. This meant that the outside world would have to be patient. It was quite stressful. We knew there would be questions, interpretation, speculation. Some media outlets were already reporting that we had paid the criminals one million euros.” As early as 2 January, Observant broke the news that the university had paid a ransom of a few hundred thousand euros. It was picked up by various outlets, up to and including the national television news. At the time, the university refused to confirm or deny this. “The report in Observant wasn’t really troublesome, but it did interfere with our communication policy of not discussing the amount of money involved at an early stage.”
In early February, UM organised a meeting to open up about the situation. “In my not so humble opinion, we did well and we were praised by parties like the Dutch Inspectorate of Education [which investigated the matter and published a report on it in June 2020] for sparking a wider debate in Dutch society about how to improve the resilience of universities and other organisations. This wouldn’t have happened if we had tried to keep it hidden – which would have been difficult anyway, but many organisations keep their curtains and mouths shut for fourteen days following a cyber-attack. Hacked organisations still regularly call me for advice. A French film crew recently visited us. They wanted to know what we did and what we learnt from it. There are a lot of cyber-attacks in France, but they’re not very open about it there.”
The CMT did literally close the curtains on 24 December, from the moment when Fox-IT employees entered the building. “We decided to hire Fox-IT on the first night of 23 to 24 December. They didn’t want any prying eyes. Imagine someone taking a photo of what was written on our whiteboard. And the Fox-IT employees wanted to remain anonymous – they didn’t leave through the front door, where the cameras were.” Looking back on it now, Bos thinks that hiring Fox-IT was one of their best decisions. “You need that kind of expertise. They had already been through two hundred cyber-attacks and helped us negotiate. Step one was: let the hackers prove that they have the decryptor. After that, you can continue negotiating.”
Could the hack have been prevented? “Yes, with the increased 24/7 security we have now – which costs an additional one million euros per year – we would have stood a better chance of keeping them out. But there are no guarantees now, either. We’re dealing with highly professional cybercrime organisations here. If they do get in, we can trace them earlier. We are currently paying for the increased security ourselves, but it will hopefully become a shared facility within VSNU [the Association of Universities in the Netherlands] in the future. We have to keep investing in it. These cybercriminals are professionals, they’re constantly evolving as well. No organisation is untouchable. Even Fox-IT was hacked two years ago. By now, though, we are quite certain that there was no data breach; so far, there is no reason to believe that any data was tampered with.”
The lessons learnt from the cyber-attack were helpful during the COVID-19 lockdown, says Bos, even though the crises themselves were very different. The cyber-attack was unexpected; Maastricht was the only university affected and had to deal with the situation all by itself. It also involved a moral question: “Do we pay the hackers, however reprehensible, or not?” Now, with COVID-19, the entire academic world is in the same boat and there are rules and guidelines being issued by the government. “The decisions are not very difficult. They’re fairly straightforward, especially if you also listen carefully to the organisation.”
“What didn’t help was the fact that our people – like our IT and teaching staff – were still tired from the cyber-attack, and now we had to call on them again to move teaching online.” What did help was the experience with the CMT, which was reassembled during the COVID-19 crisis. “The core team consists of about seven people. Together, we determine what the issues are and who the target groups are. Then, we determine who needs to have a seat at the table, which experts. The CMT is at the top of a tree diagram with branches reaching deep into the organisation. If you want to know about scheduling, for example, the expert first goes to the heads of the Education Offices and then to the schedulers. Our goal is always to mine valuable information from deep within the faculties and service centres. We make our decisions based on that information. It also works the other way around, with us considering questions from within the university. You also work partly with the same people. And we continuously coordinate our policy with directors, deans, and external parties like VSNU, the Ministry [of Education] and the Dutch Inspectorate of Education.” After a number of months, this version of the CMT was disbanded and the Executive Board took over its role. The approach didn’t actually change much: the rector and chair are now responsible for all things related to education and internationalisation in the tree diagram.
Seven qualities of an effective crisis leader
In early October, Dutch newspaper NRC devoted an entire section to the seven qualities of an effective crisis leader. These qualities largely overlap with the qualities that Bos says helped him as a crisis manager. “I know the organisation well, across the board. This helped me understand which parts were affected and what we needed to take into account. I’m also able to absorb a lot of different information and analyse it quickly, distil it to its essence. Moreover, I’m comfortable making decisions quickly and I don’t just look at our own organisation. You need to take a broad view. We kept our sister organisations in the loop. We weren’t the only ones under attack; several other universities were also in danger. Our information allowed them to escape just in time.” And, finally, “I tried to be an example. If I call on people to work on Christmas, I have to be there myself as well.”
He worked about twelve hours per day and still spent his car rides home on the phone with various people. He chuckles at the question: yes, his wife still recognises him. And, to put it all into perspective, he didn't work nearly as much during the summer and was recently “off work for two weeks”. He doesn’t go into detail about this. Instead, he enthusiastically produces a few photos of their six-month-old dog, a German Shorthaired Pointer. The puppy is a source of joy in a year he calls an “annus horribilis”, with “things I’d rather not have experienced”, but also a year in which he “lived very intensely. It was a profound experience, with an incredible sense of solidarity within UM. Because apart from an angry article in Observant [written based on submitted letters in which staff complained that they couldn’t, or didn’t feel like they could, refuse the request to come into work] partly based on anonymous complaints and speaking of actual coercion, something I don’t recognise, I only know people who wanted to help during Christmas, so much so that we had to turn them down or else we would get in each other’s way. That loyalty, that level of cooperation within the Executive Board, with the deans, directors, IT staff, teaching staff, communication, during the cyber-attack and now during COVID-19 – it gave me so much strength, and it still does.”
Christmas interviews Observant
In Observant's Christmas special we ask employees and a student to look back on 2020. It was an eventful year for many.
Here you can read the interviews with HR adviser Pierre Schröder, Medicine student Vera Schriebl, physician and researcher Chahinda Ghossein, Mark Vluggen, director of the Bachelor Programmes at the School of Business and Economics, and Dave Mattheijs, district attorney in the case of Nicky Verstappen and lecturer at UM (will be published Wednesday 16 December).
On Wednesday 16 December, the digital Christmas special, including the six interviews, will be published on our website as a PDF.