Cybersecurity Innovation Zone: cooperation and exchange are crucial

Reason for innovation zone

The Cybersecurity Innovation Zone has a double reason, says Albert Hankel, Programme Manager for the Cybersecurity Innovation Zone: "Firstly, SURF developed a new strategy in 2021, defining three roles for ourselves. One is the role of innovation workshop. If, as a cooperative, we come across a complex issue that an institution cannot solve on its own, we can give it a place in an innovation zone. Cybersecurity is such a complex issue. Secondly, at the same time, there was a hack at Maastricht University, which caused a lot of controversy. In response, the education inspectorate published a report , which led the industry associations within the education sector to each draw up a plan of action. This indicated that all institutions should grow to a maturity level 3 (on a scale of 5) in terms of cyber security."

Regiegroep

The Cybersecurity Innovation Zone does not work on the basis of a fixed programme, but the participants assess together what is needed to take the next step. To this end, a direction group has been formed with broad representation from the educational institutions. The three sectors (wo, hbo and mbo) have each delegated a representative from both the CSCs(Coordinating SURF Contacts) and the CISOs (Chief Information Security Officers). There is also a representative from the two security-related communities: SCIPR (focused on policy) and SCIRT (focused on technology). Both communities have more than 500 members.

Security Expertise Centre

Cybersecurity is a comprehensive field in which developments are rapid; cooperation can bring many benefits. Paula Duijnhoven, Concern Information Security Officer at Hogeschool Leiden: "The great thing is that now, thanks to the community, we don't have to reinvent the wheel. Together we can achieve much more than if each institution had to work out the entire spectrum itself. We are making great strides, particularly with the Security Expertise Centre that was started up at the same time as the direction group. Three employees from SURF are working on that and we will launch it in mid-2023. That will be the spider in the web in everything we do, and we really need that as a community. The expertise centre provides direction and monitors that agreements are made and implemented. The direction group can help with that again by setting the right priorities."

Projects

The Security Expertise Centre is the first project of the Innovation Zone Cybersecurity. The focus in this phase is strongly on maturity level 3, says Albert: "For institutions, that means mainly that they have to describe in detail how security is arranged. That is 80% the same for all institutions, so it is very useful if we can do that centrally. We can't do that on our own as SURF, the expertise of the institutions is really needed here."

Cyber resilience testing

But the innovation zone is also working on other projects, such as a pilot with cyber resilience testing: "This is mainly about the technical resilience of institutions," Albert explains. "In this, we work with redteaming, we hire hackers to attack institutions. These are extensive investigations that can take quite a few months. Such an investigation provides a good insight into where weaknesses lie and where technical resilience can be improved. By the way, such a test is not only about technical security, hackers can also exploit the habits or gullibility of employees."

Cyber threat assessment education and research

Other Innovation Zone projects include the annual Cyber Threat Assessment, which identifies the biggest risks in education and research in the Netherlands. A new addition to this is the cyber protection picture published in mid-2023, which links the risks to the options institutions have to mitigate them. Furthermore, SURF is developing compliancy services. "That is a service we are going to include in the basic package," says Albert. "In it, we carry out privacy and security checks on suppliers. This is important because many institutions no longer have their ICT in-house, but rely on suppliers from the cloud." "It would be a waste of effort for us as institutions to conduct such tests separately," Paula adds. "It is much more efficient to tackle this jointly."

Challenges

Asked about the cybersecurity challenges faced by the colleges, Paula first mentions the recording of all security processes: "We don't immediately get better from that," she adds immediately. "But we can make the risks more transparent and thus take more targeted measures. Furthermore, at Hogeschool Leiden we are now very concretely implementing MFA (multi-factor authentication) for students. This was already mandatory for employees, students could join on a voluntary basis, but it is now becoming mandatory for them too. That immediately raises the level of security."

Cyber security is much more than technology, this conversation shows: a key issue is awareness of the risks, among staff and students. "We actually ask our staff and students to have a healthy distrust of everything they receive digitally," Paula says. "It's not just a link you shouldn't click on, you can also receive a voice message from a voice you think you recognise. That is why we are going to launch a campaign with an external party this year to raise awareness about cyber risks."

Artificial Intelligence and cyber security

That healthy mistrust has everything to do with the rise of AI (Artificial Intelligence) and the impact it could have on cyber security. "We can't assess that right now, we really need to develop a vision on that," Paula says. "It is playing out on all fronts and it is changing education. When it comes to information security, awareness is important, hacking innovates, there are always new ways to fool people. And AI can make it easier on the technical side to circumvent measures. It's a cat-and-mouse game."

In any case, both conversation partners agree that watertight security is an illusion. "The really good hackers do get in, with or without AI," says Albert. "No institution is at the level of professional hackers. If they want to and they have the money and resources, they will get in." Paula agrees: "It's an unfair battle. As an institution, you have to have everything in order, hackers only need to find one weakness. That is why the measures are not only aimed at keeping hackers out, but also at detecting and minimising the imact. The question is not whether we will be hacked, but when. And if it happens then, the trick is to minimise the damage as much as possible."