Bart van den Heuvel believes that creating awareness is crucial now that universities are being targeted more frequently by hackers, as he emphasised in the discussion on Thursday afternoon, 11 February. And it seems like the devil’s work, because a couple of days later the IT services of the research financer NWO were hacked. After that, it was the turn of the University of Amsterdam and Amsterdam University of Applied Sciences. But the consequences for the latter two institutes seem to have been limited, because the attack was quickly detected and they had learned from the experiences in Maastricht, various media report.
Maastricht University was targeted by ransomware hackers at the end of 2019. Systems were encrypted and access denied. The university chose to pay the ransom of almost 200 thousand euro.
At the beginning of this month, the UM sent an e-mail to all its employees to check their awareness. It included a link to a quiz about privacy and cybersecurity. One of the questions was: Which password is stronger? A. qqwwee112233, B. *6tR2&) or C. CapibaraTrampolineSchaatsen. The correct answer is the last one, because the longer the password, the stronger it is.
The Executive Board wants to know how much basic knowledge staff have. Should the guidelines be made clearer? Should this be a job for managers? Is there a need for training? To be fair, in the case of poorly written e-mails, vague links or ZIP files from strangers, many will think twice. But hackers are becoming cleverer. And Dutch universities are becoming increasingly interesting targets.
“We have the best research network in the world,” Van den Heuvel says during the round-table discussion. “Dutch researchers have an open attitude, want to share their knowledge. But how open should this be?” The cost of cybersecurity is high, he continues. But it is not the first priority of many universities. After all, their main concern is education and research. Yet, the UM did set money aside for cybersecurity last year. “We know how important it is.”
Money is one thing, but awareness is just as important, says Jean-Paul Beusen, information manager at the Faculty of Law, who has also joined in the online discussion. Hackers use cunning tricks, ways to gain someone’s trust, say Beusen and Van den Heuvel. This is called social engineering.
Messages seem ‘normal’ because someone writes, for example, ‘Applause for the good work that you have done’ or ‘Are you available?’ A researcher is probably not suspicious and sends a reply. Then another e-mail arrives, this time with a link.
Another devious trick is mimicking (spoofing) the e-mail account of a researcher and using it to write to his/her colleagues. This happened to Gijs van Dijck, professor of Private Law and Law & Tech Lab researcher. “It is inventive, but also shocking,” he says. In his case, colleagues caught onto the hacking attempt quite quickly. “It was the holidays and in the e-mail they asked if they were in the office ‘today’.”
Four law students* speak prior to the discussion on cybercrime; they individually researched the common ground between law and cybersecurity. Otso Karttunen, first-year student at the European Law School, delved into the world of hackers. What do grey hat hackers do and is it legal? They are not big bad criminals with bad intentions, like black hat hackers. But their activities are in a grey area, he explains. They hack into an institute’s or business’s system without permission. They subsequently report the vulnerabilities that they have found to those responsible for the systems. They sometimes apologise for their infiltration, but, well, they did actually ‘help’ them out.
They then sometimes ask for money or some other reward, says Karttunen. Van den Heuvel also knows them. They come knocking on the UM’s door a couple of times a year, he says. “But they are not advanced hacks. These people let you know how things could be improved and sometimes only ask for a ‘thank you’, goodies, a T-shirt or something like that.”
Later on, he says when asked: “These bounty hunters – they don’t call themselves grey hat hackers – don’t intend to make their discoveries public or abuse them. Sometimes a ‘thank you’ in itself is warranted because by making a minor adjustment we can prevent other bounty hunters from coming to us with the same discovery.”
Simone Gurkova, third-year student of European Law School, became intrigued by the hack on Bulgaria’s national tax office in 2019, in which the personal data of more than five million Bulgarians was leaked. “Income details, CSN numbers, addresses: it had all been stolen,” she says. “That makes me wonder: how well do public institutes actually protect their citizens’ data?” For her research, she delved into the General Data Protection Act, the rules that apply within the European Union regarding the processing of personal data.
Even on a small scale, such as within the UM in the case of confidential research with respondents, it is of the greatest importance that personal data does not become public. But does everyone know how to act if things go wrong? Van den Heuvel, together with HR, is going to work on a training course in which new employees learn about the rules regarding cybersecurity and privacy. Beusen adds: “There is a need for a long-term approach on various levels.” From students to support staff to academic staff. “Students are the researchers of the future,” says Raoul Winkens, data protection officer at the UM. They also need to be actively aware of this. Van den Heuvel agrees with Winkens: “We know that the students’ curriculum is full, but this is important.”