After cyber attack against TU Eindhoven
Cabinet working on law to improve cyber security
"Today it is happening to TU Eindhoven, but tomorrow it could be our energy supply or our operating theatres," said MP Barbara Kathmann (GroenLinks-PvdA) on Tuesday. Kathmann wants all vital sectors (such as ports, hospitals and educational institutions) to make a 48-hour plan to get their ICT systems back on the air quickly or else go analogue.
Teun Struycken (NSC), Minister of State for Justice, answered her questions. A bill aimed at increasing cyber resilience is coming to the House of Representatives. Sectors such as healthcare, government and the food industry, to name but a few examples, will soon be required to take security measures. He expects that these measures will also be related to the response in the first 48 hours.
Cuts
Higher education institutions may also be affected by that law. Kathmann saw that coming, as she knew that the government had earmarked additional funds for cybersecurity. However, she wondered, if the government is simultaneously cutting back hard on the budget for higher education, how will that affect cybersecurity?
Teun Struycken replied that security is a core priority. "That prioritisation will come through in the deployment of people and resources." In other words, educational institutions must have their security in order even on a tight budget.
Others also participated in the debate. Jesse Six Dijkstra (NSC) wanted to know whether the cabinet knows the current state of "cyber resilience" of the higher education sector as a whole. Struycken did not know. He said that the government is currently assessing this, partly to determine whether higher education will soon be covered by the law.
Co-responsible
Don Ceder (Christian Union) wanted to know more about cyber security oversight. He referred to a famous attack on Maastricht University five years ago, wondering if Eindhoven had learned from that event.
Struycken replied that the investigation in Eindhoven is still ongoing, so he does not know exactly what happened. However, he expects the investigation to show whether anyone has made a mistake.
In the new law, administrators will be jointly responsible for security measures. So, this may also apply to university administrators, who will "have to be trained to adequately carry out that supervision."
Cyber attack
TU Eindhoven suffered a cyber attack last Sunday. On Monday, the wifi and internal systems went down, classes were cancelled and canteens were closed. Last year, research funder NWO was attacked too. In 2021, the personal data of 530,000 people were stolen at the universities of applied sciences of Arnhem and Nijmegen. The biggest cyber attack against a higher education institution happened in Maastricht. Systems were taken hostage during the Christmas holidays of 2019/2020. The university ultimately decided to pay a ransom because the attack was hindering its education and research.