Although Maastricht University has now been weathering a second crisis for weeks - the pandemic - data protection must remain high on the agenda. Maastricht IT staff say in their discussions with the Inspectorate of Education that now is the time to “keep the momentum going”.
There is a danger that the “UM community reverts back and doesn’t learn lessons”, the report states. The list of recommendations calls for more attention to detail, continued awareness of both existing and new IT systems, a better set-up of checks (audits) and periodic testing for weak spots. An important question is whether there is sufficient support: do the Executive Board, staff and students feel that the subject is important enough to invest in? That will have to become apparent in the time to come.
The Inspectorate decided to carry out its own investigation (as required by the Education Inspection Act) to find out whether “Maastricht University’s actions prior to, during and after the cyberattack” amounted to mismanagement. The answer is no. “Even before the attack, there was a focus on cyber resilience, the response to the incident was decisive, and the UM implemented the initial lessons learned adequately.”
Much of the information about the cyberattack was already known or was explained by the UM during a special symposium last February, so in that sense the report contains no surprises. The outside world already knows how it happened (two employees separately clicked on links in phishing e-mails in October) and that thirty bitcoins were paid as ‘ransom’ in order to obtain the decryption ‘key’. Other scenarios would have had far more impact on the continuation of education and research and, moreover, would have been much more expensive, the management reported at the time.
Asked how good the security had been, Nick Bos, vice president of the Executive Board, said that there were no indications that Maastricht’s security was worse than that of sister institutes elsewhere in the country. “We were vulnerable, as many organisations are,” said Bos, but that doesn’t mean that security “was insufficient”.
The Inspectorate of Education thinks differently about this. Data security should have been better. The IT infrastructure - just like the UM’s organisation - showed “a number of weaknesses”. “The latest security updates had not been carried out on a number of servers in the networks and there was limited segmentation within the UM network.” Moreover, monitoring was “faulty, as a result of which there was no follow-up to reports from a virus scanner, which was eventually disabled manually by the hackers,” the report states, referring to an analysis by cybersecurity company Fox-IT. These are weaknesses of exactly the kind that let a foothold gained through the October phishing e-mails go unnoticed until the encryption on 23 December: unpatched servers and a flat network give intruders room to move, and alerts that nobody acts on give them time.
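The monitoring failure the report describes, detections that nobody acted on followed by the scanner being switched off by hand, is something a monitoring pipeline can check for mechanically. The following Python is an added illustration, not code from the report, Fox-IT or the UM; it runs over a constructed log in a hypothetical `timestamp|host|event|detail` format and flags (a) detections with no acknowledgement inside a service-level window and (b) any host whose real-time protection is reported as disabled.

```python
from datetime import datetime, timedelta

# Constructed sample antivirus log (hypothetical format: ISO timestamp|host|event|detail).
# These lines are illustrative only; they are not Fox-IT's or the UM's logs.
SAMPLE_LOG = """\
2019-11-02T09:14:00|fs01|malware_detected|Trojan.Generic quarantined
2019-11-02T09:20:00|fs01|malware_detected|Trojan.Generic quarantined
2019-11-03T10:05:00|ws-112|malware_detected|Downloader blocked
2019-11-03T11:30:00|ws-112|alert_acknowledged|ticket INC-1 opened
2019-11-20T02:41:00|fs01|realtime_protection|disabled
2019-11-20T02:42:00|fs01|heartbeat|ok
2019-11-20T03:00:00|ws-112|heartbeat|ok
"""

# How long an analyst has to acknowledge a detection before it is reported as neglected.
ACK_SLA = timedelta(hours=24)


def parse_events(text):
    """Parse log lines into (timestamp, host, event, detail) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, event, detail))
    return sorted(events)


def unacknowledged_alerts(events, now, sla=ACK_SLA):
    """Return detections that nobody acknowledged within `sla`.

    An acknowledgement only counts if it is for the same host and arrives after
    the detection. Detections whose SLA window has not yet expired at `now` are
    skipped, so the check can run on a schedule without raising early.
    """
    acks = [(ts, host) for ts, host, ev, _ in events if ev == "alert_acknowledged"]
    findings = []
    for ts, host, ev, detail in events:
        if ev != "malware_detected" or now - ts < sla:
            continue
        if any(h == host and ts <= a_ts <= ts + sla for a_ts, h in acks):
            continue
        findings.append((host, ts, detail))
    return findings


def protection_disabled(events):
    """Hosts whose real-time protection was switched off, with the time it happened.

    Reported on its own, not as one more alert in the queue: legitimate
    maintenance should be rare and ticketed, and a host that disables its own
    scanner while still sending heartbeats looks like an intruder at the console.
    """
    return [(host, ts) for ts, host, ev, detail in events
            if ev == "realtime_protection" and detail == "disabled"]


def run_checks(text, now_iso):
    """Run both checks against a log text as of the ISO timestamp `now_iso`."""
    events = parse_events(text)
    now = datetime.fromisoformat(now_iso)
    return {
        "unacknowledged": unacknowledged_alerts(events, now),
        "protection_disabled": protection_disabled(events),
    }


if __name__ == "__main__":
    report = run_checks(SAMPLE_LOG, "2019-11-21T00:00:00")
    for host, ts, detail in report["unacknowledged"]:
        print(f"UNACKNOWLEDGED {host} {ts.isoformat()} {detail}")
    for host, ts in report["protection_disabled"]:
        print(f"AV DISABLED    {host} {ts.isoformat()}")
```

On the sample log the two detections on fs01 are never acknowledged and are reported, the one on ws-112 is ticketed within the window and is not, and fs01 is additionally flagged because its real-time protection went off in the early hours while the host kept reporting in. The disabling event is deliberately kept separate from the alert queue: the report's point is that ordinary detections were being ignored, so a state change in the scanner itself has to reach someone even when that queue is neglected.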
The Inspectorate is positive about the actions after the actual ransomware attack on 23 December, and therefore implicitly also about the payment of the ‘ransom’ to the cybercriminals. A remarkable point of view, because paying ransom in this kind of situation is regarded as undesirable; that is the government’s general line, the Inspectorate states in its report. The fact that the UM deviated from it even led to questions in parliament. Yet the report shows understanding for the choice. The situation in December, according to the Inspectorate, was too “complex”. In guarded terms, it approves the Executive Board’s choice: “The handling of the crisis was adequate.” The UM could not have taken “more suitable measures”; the Executive Board had its back against the wall. In other scenarios, education and research would have come to a complete standstill for weeks or months. And would systems and data have remained undamaged if the ‘decryption key’ had not been obtained? That remained to be seen. Not to mention the financial side: the cost of repairing the IT infrastructure would have been many times the ransom.
The report is also positive about the ‘increased security’, immediately after the attack, with the university’s IT systems being monitored continually. The same applies to communication. According to the report, the UM’s website, which was still intact, was used as a channel of communication. “Updates were published every day.”
However, this is where the Inspectorate seems to paint too rosy a picture. In the first days after the attack it remained disturbingly quiet, to the annoyance of many employees and students, and not least of the UM management itself, reliable sources stated at the time. It wasn’t until 27 December, when the regular spokesman, Gert van Doorn (who was on holiday), was replaced by an external party, Fons Elbersen, that a regular stream of messages started.
Finally, the symposium in February is seen as a classic example of how the UM warns other organisations and contributes to “the learning capability of the higher education system”.
The UM already announced in February that additional investigations would be carried out to determine whether research data had been wiped, looked at or processed by the hackers; Fox-IT could not give a 100 per cent guarantee that this had not happened. The Inspectorate encourages this investigation. “It is important for scientists, also in discussions with partners, to be able to indicate that their data is reliable.”