Cyberattack: "A primal instinct took hold of the team"
Ever since hackers tried to break into the TU/e network the night of January 12, Patrick Groothuis, vice-president of the Executive Board, has been working overtime, as have many other employees. Groothuis leads the Central Crisis Team, which was called in to contain the emergency. In an interview, he looks back on the first week after the cyberattack: “I didn’t get much sleep between Saturday evening and Sunday morning.”
In a university-wide emergency, Groothuis, as vice-president of the Executive Board, is the first designated person to lead the Central Crisis Team (CCT). “My job is to keep everyone calm and provide direction and clarity when it comes to the approach, communications, and other relevant matters.” Since the first suspicious activity on Saturday night, he has devoted all of his time to the cyberattack.
Saturday evening, suspicious activities were seen in the network. What did those look like?
“The forensic investigation is still ongoing, so I can’t give too many details. You can compare it to securing a house. You have good hinges and locks and motion sensors connected to an alarm center. This is actually how it works with the network as well. Of course we try to secure the network as well as possible, but you can’t rule out the possibility that there’s a hole somewhere. Fortunately, the detection systems worked. Our IT experts saw that someone was breaking in. Based on that suspicious activity, measures were taken to stop the break-in, sort of like a cat-and-mouse game. Until, at some point, it was decided to pull the emergency brake.”
What did you do after that?
“We set up a CCT. This is permanently staffed by several directors, the secretary of the university, security experts, and spokespeople, and the addition of a dean and a managing director gave us expertise in the specific areas of IT and research. Four operations teams branch out from the CCT. In addition to the IT team, which of course was already up-and-running, an education team, a research team, and a campus team were also set up. These provided the CCT with information about which activities were still possible and which weren’t. This gave us an overview of the impact on the entire organization.”
How did the crisis team proceed?
“From Sunday until today, we held daily, in-person meetings with about twelve people. Staff from LIS and external IT experts worked through the first few nights, later switching to shifts and on-call duties, should a particular expertise prove necessary. A kind of primal instinct took hold of the entire team: we all felt that drive to find a solution as quickly as possible. We’re also seeing this with the people from ESA at the moment; they’ve been working through the weekend to provide clarity to students and support teachers. With myself, I noticed it too. You’re switched on and it’s hard to switch off. This was priority number one.
We chose to have a very clear line of communication, both internally and externally. Every day at noon there would be a briefing to management, directors, and deans. And then at four o’clock we would publish an update to the outside world, so people didn’t feel the need to constantly check if there was any news yet.”
How is the contact with the authorities going?
“Through our security officers we have all kinds of lines of communication, including to the police. A report was made there, upon which the police launched an investigation. They’re now seeing what they can find out regarding the identity of the hackers. So far they haven’t made any announcements, and it remains to be seen if we are ever going to find out. I am also in contact with the Ministry of Education, Culture and Science, the Inspectorate of Education, and other stakeholders. Minister of Education Eppo Bruins called just last week for information and to express his support. We’re getting support from all sides.”
Was TU/e adequately prepared for this cyberattack?
“We can conclude that the investments we’ve made in cyber resilience over the past four years have worked. If this had happened three or four years ago, I don’t know if we would have been where we are today. A university is a complex organization, including IT. You can’t rule out a hole in the system somewhere. Besides, if hackers can break into the FBI, they can also get into other places. All in all, I think we acted appropriately.”
Can we then speak of a failed hack?
“I’ll let other people be the judge of that. We were adequately prepared by way of our cyber resilience, which is about more than security. It’s also about detection and response and before that, of course, awareness among staff and students. In that respect, you can say that we had our affairs in order, but let me add right away: we must continue to invest and improve. It’s never finished.”
Are there already lessons to be learned from the response to the cyberattack?
“It’s too early for that. The forensic investigation is still ongoing and we have to wait for the outcome. We’re also having an evaluation done by an outside party, which will look at our crisis management in its entirety. There are undoubtedly things we can improve. We want to share those lessons both internally and externally. Based on forensic findings, IT experts have of course taken additional measures already. But I can’t share those.”
What did you think of the TU/e community’s response to the cyberattack?
“I am incredibly impressed by the resilience of all the students. You’re suddenly in a situation where you can’t do anything and there’s a lot of unclarity, with the exams coming up. I think students were very understanding of the circumstances. Of course there were concerns, but I think we mitigated those as best we could. There were also mostly positive signals from the departments, from the academic and support staff there.
Looking back, I think we made the right choice in how we tried to limit the impact. We had to find the right balance to minimize the impact on students and teachers. We didn’t want to increase the workload on either side or make anyone feel like they had to bear the brunt. Of course, some teachers are frustrated with the extra work, and we’re addressing that. But it’s something that’s hard to avoid altogether.”
Politicians responded by calling for a 48-hour plan to continue analogue operations in the event of a network disruption. Will TU/e make such a plan?
“It’s obvious that this will be looked at as part of the evaluation, but it also has to be feasible in terms of organization and finances. If there are certain events that have the potential to shut you down for three months, the impact is different than if you can solve most of the problems within a week. So you have to factor in the risk and impact when coming up with appropriate measures.”