Schools get serious about a different kind of bully: Cybercriminals

The first inkling of cyber trouble for the Judson Independent School District came around 1:30 a.m. on July 17, 2021.

By 3:30 a.m., a district employee lost all contact with the servers. By the time he got to the school at 4:30 a.m., a ransom note had appeared on all the computer screens. The employee called the police and the FBI.

The Texas district – with more than 24,000 students and more than 4,500 employees – had been the victim of a ransomware attack targeting its data and network systems. Ultimately, the district paid a $547,000 ransom and embarked on a recovery process that took more than a year to complete, according to Lacey Gosch, the district’s assistant superintendent of technology, who recently testified before the U.S. House Oversight Committee.

“The mentality that any organization is too small or insignificant to be affected by a cybersecurity breach is living under a false sense of security,” she wrote in a letter submitted along with her in-person testimony. “The truth is that cybersecurity events in organizations need to be viewed not as improbable but as absolute.”

Ms. Gosch’s cautionary tale delivered on Capitol Hill provides insight into what experts say is a growing threat facing schools across the United States. Cyberattacks in recent years have hobbled school systems and operations, putting sensitive information at risk and, in some cases, pausing education. Schools in Des Moines, Iowa; Nantucket, Massachusetts; and Rochester, Minnesota, all temporarily closed earlier this year after digital intrusions.

What’s at stake, experts say, is private information ranging from medical records to Social Security numbers being exposed – all of which could cause immediate or future harm to students, parents, or employees. The attacks can trigger lost instructional time and cost districts money they don’t necessarily have. 

Schools are hardly the only target of cybercriminals. Last month, casinos in Las Vegas made headlines after hackers breached their systems, causing a technology meltdown in the tourism hub. Unlike large corporations, though, school districts typically have much smaller cybersecurity teams – if they have dedicated staff at all. 

The continued attacks in the K-12 sector, however, have been garnering more attention, prompting a White House summit in August. Fortifying schools could hinge on everything from policy changes and staff training to vendor compliance and resource investments, experts and district technology leaders say. 

“Many people outside of education still think of the education sector as little kids with crayons and chalkboards,” says Doug Levin, who serves as national director of the K12 Security Information eXchange (K12 SIX). “They don’t understand how the sector has changed and what’s at risk.”

A “wicked problem”

For years, Mr. Levin has been tracking the burgeoning problem, sifting through information that is publicly available. The map he created, updated annually, shows 1,619 location markers through 2022, spread across all 50 states and in cities big and small. 

Chad McAuslin/Global Resilience Federation

Doug Levin speaks at a conference hosted by the K12 Security Information eXchange (K12 SIX), where he serves as national director, in February. The conference in Austin sold out given the growing cybersecurity issues facing school districts.

The incidents have also gotten the attention of the Cybersecurity and Infrastructure Security Agency, a subset of the U.S. Department of Homeland Security. Early this year the agency released its first report about cybersecurity threats against schools. Now, CISA says, they’re at “unprecedented risk.”

The CISA warning mirrors what Mr. Levin has been trying to flag for years. He calls it a “wicked problem” that has been building over time with no easy solution. First came computer labs in schools. Then smartboards and carts full of laptops for classroom use. Now, some schools boast a 1-to-1 technology ratio, meaning every child has a tablet or laptop –  a trend accelerated by the pandemic’s remote learning.

The technology boom in the classroom coincided with a steep increase in monetary demands when a school district gets hit by ransomware.

Seven or eight years ago, the ransom demands ranged from about $5,000 to $10,000, Mr. Levin says. Today, the extortionists routinely demand millions of dollars in exchange for the stolen data. Districts targeted have taken different approaches, with some paying either out of their own budgets or through insurance. Others have refused to comply.

Identity thieves may be particularly inclined to steal student information, he says, because adults’ data tends to be better monitored.

“School districts have plenty of information about students and their families – more than enough for an identity thief to start to establish, essentially, a credit record and then abuse it,” he says. In the case of children, it could be years before they catch on, such as when “they apply for a student loan or [go] to rent their first apartment.”

In 2016, Mr. Levin noticed a smattering of news stories about school networks compromised by cybersecurity incidents. In early 2017, the IRS issued an “urgent alert” about a tax-related email phishing scam spreading to other sectors, including school districts.

“I was just trying to draw attention to it,” he says. “What I saw was district after district after district falling for this same attack, and I was like, ‘Whoa, something is going on here that’s bigger.’”

More discussion about solutions

Fast forward to this year, and it’s no longer an under-the-radar issue. A cybersecurity conference about threats against schools – hosted by K12 SIX – garnered so much interest that it sold out in February. About 150 people from 25 states as well as Canada and New Zealand attended the program in Austin, Texas. He expects a similar sell-out crowd at next year’s conference in Savannah, Georgia.

The gathering came nearly three years after the formation of K12 SIX, which operates as a hub where school districts and their information technology teams can share threat intelligence and help each other ward off network hacks. The organization also prioritizes research and advocating for better defense practices.

“We’re all facing the same exact issues,” says Neal Richardson, a director of technology and chief information security officer for the Hillsboro-Deering School District in New Hampshire. “It’s all the same problems, all the same threat actors.”

Mr. Richardson typically starts checking his email at 5 a.m. and doesn’t stop until he goes to sleep around 11 p.m. He’s checking for any alerts generated by the district’s security defense systems – a bid to be one step ahead of any problems. 

But the alerts aren’t his main worry.

“What scares me the most is something that doesn’t trip our alerting sensors,” he says.

The 1,200-student district in southern New Hampshire hasn’t experienced a cyber intrusion so debilitating that it forced a school closure, Mr. Richardson says. But the district has endured denials of service, which flood the internet router with so much inbound traffic that the system becomes overloaded. 

Damian Dovarganes/AP/File

Alberto Carvalho (center, at podium), superintendent of the Los Angeles Unified School District, the second-largest school district in the United States, speaks about an external cyber incident on the LAUSD information systems in Los Angeles, Sept. 6, 2022.

Other types of cyber incidents include data breaches, email phishing scams, website and social media defacement, and invasions of online classes or virtual meetings.

The common refrain among K-12 technology leaders is that it’s a matter of when, not if, a major intrusion will occur. 

The Los Angeles Unified School District (LAUSD), which educates more than 565,000 students, experienced a large-scale incident that it disclosed in September. The breach involved “2,000 student assessment records,” as well as driver’s license and Social Security numbers, according to reporting from The 74.

The perpetrators – an extortion hacking group known as Vice Society – demanded an undisclosed ransom amount from LAUSD. It’s a tactic that has grown increasingly common: The K-12 Cyber Incident Map run by K12 SIX documented 62 instances of ransomware attacks on U.S. public school systems in 2021.

Balancing education and cyber defense

As cybercriminals fix their gaze on the K-12 sector, school districts are struggling to beef up their cybersecurity teams.

Don Wolff, chief technology officer for Portland Public Schools in Oregon, calls himself a “unicorn.” Unlike many of his peers, he has a small team, including a manager of operational security, dedicated to cybersecurity issues. 

The nearly 50,000-student district is building a cybersecurity program that will train people about the risks and how to avoid them, adopt policies for how data is stored and accessed, and evaluate technology.

But with more enticing salaries in the private sector, he says, school districts often run into challenges even hiring for cybersecurity-related positions. 

“Our primary operative is to educate students and any dollar we take ... to do cybersecurity is taken away from the education of students,” Mr. Wolff says, describing districts’ financial conundrum. “So how do we manage best efforts and keep our students as safe as we can?”

Some dollars have already started flowing. The State and Local Cybersecurity Grant Program, a federal initiative through CISA and the Federal Emergency Management Agency, has been doling out money to state and local governments, including school districts. Allocations to states and the District of Columbia ranged from $4.2 million to $17.4 million last fiscal year.  

And, in tandem with the White House cybersecurity summit, the Department of Education released a K-12 Digital Infrastructure Brief that offers some guidance. It notes that school districts should adopt multifactor authentication systems, enforce minimum password strength standards, report phishing attempts, and regularly update software.

“It’s still likely to get worse before it gets better, but at least we’re sort of beginning to marshal resources and get to some consensus on the best ways to move forward,” Mr. Levin says. 

But the rapid expansion of artificial intelligence technology is adding another layer of complexity to the situation. Cybercriminals may be able to leverage AI to replicate someone’s voice, for instance, and hack into accounts, says Eileen Belastock, CEO of Belastock Consulting, which specializes in educational technology.

“On a positive note, what I’m seeing from these companies that have a cybersecurity prevention program is they’re using AI to detect blips in a network,” she says.

Students, parents, and employees can help in a number of ways. For starters, Mr. Richardson, who oversees technology at his New Hampshire district, says they should avoid trying to circumvent district content filters. 

In other words: Signing up for a free service as a workaround to access TikTok could backfire by exposing a student’s personal information. 

“The threat is real,” Mr. Richardson says, “and it’s not going away.”