As remote learning spreads, so have cyberattacks. Are schools ready?

Students in the Newhall School District in Santa Clarita, California, were just hitting a rhythm with remote learning this fall when the district suddenly had to cancel online classes in mid-September due to a cyberattack that shut down the entire district computer network.

In a typical year, such an attack would result in teachers turning off technology and shifting lessons to the classroom, but that’s not an option with remote learning, says Superintendent Jeff Pelzel. 

“In this situation, the challenge was our kids didn’t get to interact with their teachers on a daily basis with live instruction,” he says. “And on the back end, we lost access to our drives. It’s never easy when you get shut down.” 

Cyberattacks this fall across the U.S. have caused school districts to delay the start of school, cancel classes, and in some cases, resulted in the release of sensitive staff and student data. Cybersecurity experts say that K-12 education is increasingly targeted by criminals who are drawn by the rich trove of sensitive data held by school districts and their historically weak online defenses.

The unprecedented reliance on remote learning during the pandemic has further emboldened hackers. Increased use of student and staff devices at home creates more avenues for cyberattack. Technology leaders are making years worth of changes rapidly, sometimes leading to less secure use of new applications. They warn that schools should anticipate further attacks, but also say that incidents can be reduced by better training and investing in strong cybersecurity defenses. 

“I think there’s clearly a shift,” with school superintendents and school boards viewing cybersecurity as a priority now, says Keith Krueger, CEO at the Consortium for School Networking (CoSN), a professional association for school technology leaders. “Especially with front page problems of networks failing or being attacked all around the country.”

Spike in attacks 

Recent high-profile cases include one in Miami-Dade County Public Schools in Florida, where a local teenager was arrested in September on charges of launching multiple attacks that flooded the district’s online learning system with internet traffic and prevented thousands of students from logging in to class.

Clark County School District in Las Vegas refused to pay a ransomware attack on its system in August, which reportedly resulted in the release of sensitive data, including employee Social Security numbers and student mailing addresses. Ponca City Public Schools in Oklahoma and Hartford Public Schools in Connecticut delayed the start of their school years after cyberattacks. 

The number and intensity of cyberattacks on school districts has increased for several years, says Doug Levin, an education consultant from Arlington, Virginia, who tracks cyberattacks on public K-12 school districts. 

In 2019, Mr. Levin recorded 348 cybersecurity incidents, a three-fold increase from the prior year. This year the number of cyberattacks dwindled during the first few months of the pandemic, but have shot up since the start of the school year and, if trends continue, may surpass last year’s totals. 

“It is a challenge for school districts no doubt,” says Mr. Levin. “Unfortunately the issue of cybersecurity has not been a priority by and large in schools.”

For Chris Gaines, the superintendent of Mehlville School District in St. Louis, the importance of cybersecurity best practices was reinforced this August when hackers overtook the email account of a construction company the district worked with and misdirected a $334,000 payment, according to Mr. Gaines. The district recouped most of the money, but is still working to get the last $75,000. 

“It boils down to human behavior is what allows access,” says Dr. Gaines, who initiated new business office protocols after this incident and a prior one, in which an individual tried unsuccessfully to use a hacked email account to change Dr. Gaines’ personal direct deposit account.

Cybersecurity solutions 

Mehlville Schools invests in cybersecurity by paying for cyberliability insurance, as well as hiring firms to deliberately conduct attacks to spot weaknesses. The district trains employees by running phishing campaigns to see if staff click on fraudulent links. Since the training, staff clicking on faulty links – one of the most common ways that cyberattacks begin – fell from 25%-30% to just 4%, says Dr. Gaines. 

School districts, like other local government entities, are often attractive targets because of the likelihood they are using older technology, relying on small IT teams, and holding sensitive data.

Vicki Anderson, a special agent with the FBI in Cleveland, says the FBI released a warning this summer to school districts nationwide about cybersecurity attacks during remote learning. She recommends that districts take preventative steps like training staff and students to use strong passwords and not to click on suspect links. The FBI advises schools not to pay ransomware attacks and instead get in touch with them immediately.

Groups like CoSN, the school technology association, are helping superintendents, school boards, and technology directors with cybersecurity by providing resources such as tip sheets and training. They’re also lobbying the Federal Communications Commission to allow cybersecurity to be covered under eligible services in the $4 billion E-rate program, a major source of funding for school technology. 

Mr. Krueger of CoSN says that school districts vary greatly in their ability to provide cybersecurity, with small and rural districts less likely to have the resources or expertise to enact strong policies. He also notes that the nation’s troubling digital divide extends to cybersecurity.

“We have to have the third leg of the stool, and that is secure broadband internet access,” along with enough devices and wireless connectivity for students, he says. 

Back at Newhall Schools in California, the district is working with an outside forensics team to restore access to their network drives. Teachers resumed live online lessons about 10 days after the ransomware attack. No student or employee data appears to have been released. 

Mr. Pelzel, the superintendent, says the experience was disconcerting for staff and families, and exhausting for the IT department working overtime. But “the silver lining out of this is you get lessons learned and things you can do to upgrade and support.” The district is reevaluating its cybersecurity and plans to take recommendations to its governing board. 

From using strong passwords and multifactor authentication to storing data in a mix of virtual and on-site secure locations, districts are taking action to thwart attacks. “I tell everyone now that there are things right away that you can do,” Mr. Pelzel says.