Schools get serious about a different kind of bully: Cybercriminals
Des Moines Public Schools interim Superintendent Matt Smith announces that school will be canceled due to a cybersecurity incident, Jan. 10, 2023, in Des Moines, Iowa. The district is one of several that has faced disruptions this year.
Zach Boyden-Holmes/The Des Moines Register/AP
The first inkling of cyber trouble for the Judson Independent School District came around 1:30 a.m. on July 17, 2021.
By 3:30 a.m., a district employee lost all contact with the servers. By the time he got to the school at 4:30 a.m., a ransom note had appeared on all the computer screens. The employee called the police and the FBI.
The Texas district – with more than 24,000 students and more than 4,500 employees – had been the victim of a ransomware attack targeting its data and network systems. Ultimately, the district paid a $547,000 ransom and embarked on a recovery process that took more than a year to complete, according to Lacey Gosch, the district’s assistant superintendent of technology, who recently testified before the U.S. House Oversight Committee.
Why We Wrote This
Part of education is providing a safe environment. As the use of technology increases in schools, how can they ensure that not only students but also their private data are protected?
“The mentality that any organization is too small or insignificant to be affected by a cybersecurity breach is living under a false sense of security,” she wrote in a along with her in-person testimony. “The truth is that cybersecurity events in organizations need to be viewed not as improbable but as absolute.”
Ms. Gosch’s cautionary tale delivered on Capitol Hill provides insight into what experts say is a growing threat facing schools across the United States. Cyberattacks in recent years have hobbled school systems and operations, putting sensitive information at risk and, in some cases, pausing education. Schools in Des Moines, Iowa; Nantucket, Massachusetts; and Rochester, Minnesota, all temporarily closed earlier this year after digital intrusions.
What’s at stake, experts say, is private information ranging from medical records to Social Security numbers being exposed – all of which could cause immediate or future harm to students, parents, or employees. The attacks can trigger lost instructional time and cost districts money they don’t necessarily have.
Schools are hardly the only target of cybercriminals. Last month, casinos in Las Vegas made headlines after hackers breached their systems, causing a technology meltdown in the tourism hub. Unlike large corporations, though, school districts typically have much smaller cybersecurity teams – if they have dedicated staff at all.
The continued attacks in the K-12 sector, however, have been garnering more attention, prompting a White House summit in August. Fortifying schools could hinge on everything from policy changes and staff training to vendor compliance and resource investments, experts and district technology leaders say.
“Many people outside of education still think of the education sector as little kids with crayons and chalkboards,” says Doug Levin, who serves as national director of the K12 Security Information eXchange (K12 SIX). “They don’t understand how the sector has changed and what’s at risk.”
A “wicked problem”
For years, Mr. Levin has been tracking the burgeoning problem, sifting through information that is publicly available. The he created, updated annually, shows 1,619 location markers through 2022, spread across all 50 states and in cities big and small.
The incidents have also gotten the attention of the Cybersecurity and Infrastructure Security Agency, a subset of the U.S. Department of Homeland Security. Early this year the agency released its first report about cybersecurity threats against schools. Now, CISA says, they’re at “unprecedented risk.”
The CISA warning mirrors what Mr. Levin has been trying to flag for years. He calls it a “wicked problem” that has been building over time with no easy solution. First came computer labs in schools. Then smartboards and carts full of laptops for classroom use. Now, some schools boast a 1-to-1 technology ratio, meaning every child has a tablet or laptop – a trend accelerated by the pandemic’s remote learning.
The technology boom in the classroom coincided with a steep increase in monetary demands when a school district gets hit by ransomware.
Seven or eight years ago, the ransom demands ranged from about $5,000 to $10,000, Mr. Levin says. Today, the extortionists routinely demand millions of dollars in exchange for the stolen data. Districts targeted have taken different approaches, with some paying either out of their own budgets or through insurance. Others have refused to comply.
Identity thieves may be particularly inclined to steal student information, he says, because adults’ data tends to be better monitored.
“School districts have plenty of information about students and their families – more than enough for an identity thief to start to establish, essentially, a credit record and then abuse it,” he says. In the case of children, it could be years before they catch on, such as when “they apply for a student loan or [go] to rent their first apartment.”
In 2016, Mr. Levin noticed a smattering of news stories about school networks compromised by cybersecurity incidents. In early 2017, the IRS issued an “urgent alert” about a tax-related email phishing scam spreading to other sectors, including school districts.
“I was just trying to draw attention to it,” he says. “What I saw was district after district after district falling for this same attack, and I was like, ‘Whoa, something is going on here that’s bigger.’”
More discussion about solutions
Fast forward to this year, and it’s no longer an under-the-radar issue. A cybersecurity conference about threats against schools – hosted by K12 SIX – garnered so much interest that it sold out in February. About 150 people from 25 states as well as Canada and New Zealand attended the program in Austin, Texas. He expects a similar sell-out crowd at next year’s conference in Savannah, Georgia.
The gathering came nearly three years after the formation of K12 SIX, which operates as a hub where school districts and their information technology teams can share threat intelligence and help each other ward off network hacks. The organization also prioritizes research and advocating for better defense practices.
“We’re all facing the same exact issues,” says Neal Richardson, a director of technology and chief information security officer for the Hillsboro-Deering School District in New Hampshire. “It’s all the same problems, all the same threat actors.”
Mr. Richardson typically starts checking his email at 5 a.m. and doesn’t stop until he goes to sleep around 11 p.m. He’s checking for any alerts generated by the district’s security defense systems – a bid to be one step ahead of any problems.
But the alerts aren’t his main worry.
“What scares me the most is something that doesn’t trip our alerting sensors,” he says.
The 1,200-student district in southern New Hampshire hasn’t experienced a cyber intrusion so debilitating that it forced a school closure, Mr. Richardson says. But the district has endured denials of service, which flood the internet router with so much inbound traffic that the system becomes overloaded.
Other types of cyber incidents include data breaches, email phishing scams, website and social media defacement, and invasions of online classes or virtual meetings.
The common refrain among K-12 technology leaders is that it’s a matter of when, not if, a major intrusion will occur.
The Los Angeles Unified School District (LAUSD), which educates more than 565,000 students, experienced a large-scale incident that it disclosed in September. The breach involved “2,000 student assessment records,” as well as driver’s license and Social Security numbers, according to from The 74.
The perpetrators – an extortion hacking group known as Vice Society – demanded an undisclosed ransom amount from LAUSD. It’s a tactic that has grown increasingly common: The K-12 Cyber Incident Map run by K12 SIX documented 62 instances of ransomware attacks on U.S. public school systems in 2021.
Balancing education and cyber defense
As cybercriminals fix their gaze on the K-12 sector, school districts are struggling to beef up their cybersecurity teams.
Don Wolff, chief technology officer for Portland Public Schools in Oregon, calls himself a “unicorn.” Unlike many of his peers, he has a small team, including a manager of operational security, dedicated to cybersecurity issues.
The nearly 50,000-student district is building a cybersecurity program that will train people about the risks and how to avoid them, adopt policies for how data is stored and accessed, and evaluate technology.
But with more enticing salaries in the private sector, he says, school districts often run into challenges even hiring for cybersecurity-related positions.
“Our primary operative is to educate students and any dollar we take ... to do cybersecurity is taken away from the education of students,” Mr. Wolff says, describing districts’ financial conundrum. “So how do we manage best efforts and keep our students as safe as we can?”
Some dollars have already started flowing. The State and Local Cybersecurity Grant Program, a federal initiative through CISA and the Federal Emergency Management Agency, has been doling out money to state and local governments, including school districts. to states and the District of Columbia ranged from $4.2 million to $17.4 million last fiscal year.
And, in tandem with the White House cybersecurity summit, the Department of Education released a that offers some guidance. It notes that school districts should adopt multifactor authentication systems, enforce minimum password strength standards, report phishing attempts, and regularly update software.
“It’s still likely to get worse before it gets better, but at least we’re sort of beginning to marshal resources and get to some consensus on the best ways to move forward,” Mr. Levin says.
But the rapid expansion of artificial intelligence technology is adding another layer of complexity to the situation. Cybercriminals may be able to leverage AI to replicate someone’s voice, for instance, and hack into accounts, says Eileen Belastock, CEO of Belastock Consulting, which specializes in educational technology.
“On a positive note, what I’m seeing from these companies that have a cybersecurity prevention program is they’re using AI to detect blips in a network,” she says.
Students, parents, and employees can help in a number of ways. For starters, Mr. Richardson, who oversees technology at his New Hampshire district, says they should avoid trying to circumvent district content filters.
In other words: Signing up for a free service as a workaround to access TikTok could backfire by exposing a student’s personal information.
“The threat is real,” Mr. Richardson says, “and it’s not going away.”