Fake cyber attack: angry students shut down education

ICT organisation SURF carried out its fifth national exercise on cyber security to see what educational institutions and the Ministry of Education, Culture and Science would do if its systems were attacked nationwide. Last week, around 2,000 employees from 90 institutions participated in the exercise, including UU. 

Such a crisis is not unthinkable: in January, TU Eindhoven had to fend off a dangerous attack. The most notorious hack took place five years ago at Maastricht University, where ransomware locked the systems and files.

Protest
This time, the exercise was based on the following story: a peaceful student protest takes a grim turn when a small splinter group of hackers shuts down the systems from secondary vocational education and higher education out of anger about the budget cuts.

The hackers used a petition to do so. When signing the petition, people unknowingly download malware, causing their computers and phones to participate in a DDoS attack.

UU was one of the institutions joining the exercise. Eighty employees from the Faculty of Social Sciences, the legal department, the communication department, HR, ICT services, and the university council were involved.

Hard work
“It was hard work,” says Tom Hoven, a spokesperson for SURF who participated in the national exercise. He didn't know anything when it started. “The scenario is crammed into six hours, so we had to switch quickly. But it was very educational. On such a day, you see how the lines run and where the gaps are. It's good to do something like that with the entire sector.” For example, knowing each other in advance is pretty useful. “Then you don't have to start from scratch with an introduction round. That really helps.”

But is it realistic to assume that students would be the enemy, instead of, say, Russians or North Koreans? “The scenario is always a bit exaggerated on purpose,” says Hoven, “but the crisis itself is realistic enough.”

Local protests
The crisis team gathered in the SURF office. The institutions participated on their own campuses and were sometimes presented with specific problems. “They had to deal with local protests, for example, something we didn’t have to deal with at SURF,” explains Hoven.

Students also played the role of journalists asking difficult questions. The Association of Universities of Applied Sciences and the Association of Universities, UNL, also participated, though not together: each had their own practice day. The Ministry of Education, Culture and Science participated on another day, alongside secondary vocational education institutions.

Employees had to exchange technical information,  such as the ‘fingerprints’ of the hacker attack, how to neutralize them, and who should receive this information.

Lessons learned
Hoven does not know yet what the main takeaways from this exercise will be, but he thinks it is useful to experience crisis meetings and their structure. “Such a meeting has to be as concise as possible because you can’t talk to each other for an hour and a half in the middle of a crisis. It was great to practice this once. At the third crisis meeting, you already notice that things go a lot faster.”

SURF will evaluate the course of events and share the lessons learned, as it did in previous exercises.