Two large school districts were rocked last week by incidents related to internet security and privacy, as vulnerability to cyber attacks remains high during the current pandemic period of increased use of technology.
In Baltimore County, Maryland, classes were closed the day before Thanksgiving because school officials called a “catastrophic attack on our technological systems”. Schools remained closed Monday and Tuesday and are expected to reopen on Wednesday. The district was in a fully distance learning mode which will last at least until January.
Meanwhile, in Chicago, parents and elementary students were alarmed this weekend when they received a series of unsavory and rude emails in their inbox for 90 minutes in the morning. According to a Chicago Sun-Times report, the initial message read, “I don’t know who I am. I don’t know why I am here. All I know is I must kill ”, and was followed by a series of responses including question marks and vulgar language.
The incidents are different and unrelated. Baltimore County District officials confirmed the hack was a ransomware attack. District officials have so far been wary about the nature and extent of the breach, and whether sensitive data has been compromised or made public.
The Chicago incident, on the other hand, “did not pose an information security risk or allow access to anyone outside the CPS network,” according to a district statement. A district-wide email group had been inadvertently created to allow anyone to reply to the entire group, the statement said. The district did not share further details on the source of the messages.
These two incidents are the latest in a growing pile of reports districts facing cybersecurity challenges this school year.
In Toledo, Ohio, district officials confirmed in early November that a ransomware attack took place in September after months of speculation among community members. This attack resulted in the release of data on students and staff, school officials said in a letter to families.
Some districts have yet to confirm the apparent cyber attacks. The District of New Haven in Connecticut was working with law enforcement officials last month to determine the extent of an apparent attack on middle school email accounts. The Norfolk District in Virginia closed some virtual classrooms for a few days as a preventive measure after a district official notices any disturbances on the network.
The threats also extend to educational businesses. Stride, the for-profit education provider previously known as K12 Inc., announced Monday that it pay a ransom to cybercriminals who recently invaded its network and work with a third-party vendor to determine the extent of the hack. A recent federal report found that cyber attacks on educational businesses, while rare, can be serious as they can affect students in many districts.
Schools are among the institutions most likely to be targeted by hackers during the current period of heightened attention to cybersecurity threats, said Richard DeMillo, Acting President of the School of Cybersecurity and Privacy at the Georgia Institute of Technology. Public institutions that have a strong motivation to protect their data are always more at risk, and the pandemic has increased that risk as many more school activities take place using digital tools.
“It’s not that the threats are changing, it’s that the risks are increasing,” DeMillo said. “You have to assume that the more activity you do online, the greater the risk, the more serious the consequences would be for a serious breach. “
The Federal Bureau of Investigation alerted K-12 schools earlier this year that ransomware attacks were on the rise, and has helped districts, including Baltimore County, when cybersecurity breaches arise. The superintendent of the Hartford, Connecticut school district is among scheduled speakers at a hearing in the United States Senate on Wednesday on the topic of cybersecurity threats facing state and local governments.
The Consortium for School Networking (CoSN), a membership organization that represents IT leaders in schools, advocated even before the pandemic for the Federal Communications Commission to authorize funds from its E-Rate program for school connectivity. move towards strengthening cybersecurity protections. Districts reported spending between $ 25,000 and $ 150,000 per year on basic firewall protections alone, according to a 2019 survey of CoSN members..
The recent spate of cybersecurity incidents affecting major districts only heightens the urgency of these funds, said Keith Krueger, CEO of CoSN. He believes that ongoing discussions on bridging the digital divide need to focus more heavily on cybersecurity as a key issue.
“Just getting broadband devices and connectivity, Wi-Fi, that alone is insufficient if the network is not usable, safe and secure,” he said.
Understand the risks
Sean Gallagher, senior threat researcher for tech security firm Sophos, worked as a reporter for tech publication Ars Technica before February. In that capacity, he was researching Baltimore’s school networks last year following a ransomware attack on the Baltimore City School District, which is separate from the County District.
Using a search engine that detects cybersecurity vulnerabilities, he discovered that Baltimore County’s network protections had not been updated to protect against one of the possible culprits of the attack on Baltimore City.
Gallagher said in an interview he contacted the district at the time to report these concerns, but never received a response. A district spokesperson did not respond to a request for comment.
A state audit released just a day before the Baltimore County schools closed last week reinforced Gallagher’s findings, identifying “significant risks” within the district network.
There is not yet enough public information to determine whether vulnerabilities identified in Gallagher’s 2019 research or the 2020 state audit played a role in the current breach. But Gallagher said the series of events illustrates the importance of schools prioritizing cybersecurity efforts and governments prioritizing funding for those efforts.
“They really have to look at how they do remote access and take a really deep look at how their networks are connected to allow people to come in,” he said.
In a survey conducted by the EdWeek Research Center in November, only 16% of teachers, principals, and district leaders said their school or district was engaged in full-time in-person learning. This means that all of the remaining districts have at least one distance learning going on.
The more schools typically have in-person activities on digital devices, the greater the risk of a cybersecurity breach, according to DeMillo.
“Watching a computer screen in the privacy of your own home has now become quite a public activity,” DeMillo said. “The level of hygiene necessary to ensure safety must increase accordingly. It is not a natural thing for a teacher to think about.
How to strengthen protections
In the short term, experts said schools need to focus on educating employees about cybersecurity threats and the role their own business could play in facilitating them.
According to a report by the Baltimore Sun, several teachers in Baltimore County shared on social media that their files had a Ryuk extension.. The district has not confirmed that the breach was an attack from Ryuk.
Regardless, the nature of Ryuk’s attacks is instructive, Gallagher said. They typically occur when a single user clicks an email message that contains an attachment or a link. Clicking on this link activates malware which can spread quickly throughout the system.
Most people are aware to some extent that cybersecurity is an issue, but it can be much more difficult to follow through with action, DeMillo said. It is crucial to constantly reinforce with administrators and teachers the importance of due diligence, he said.
Schools should also have policies and procedures in place to share the correct amount of details of a hack that has taken place.
“Especially when you’re in the middle of a problem, you can’t always say everything publicly or you’ll create a worse problem,” Krueger said.
Less than 20% of school districts have a dedicated employee whose sole focus is cybersecurity, according to a 2020 survey of CoSN members. IT managers have been strained to tackle these issues even before COVID-19 and widespread digital learning.
“It’s not something the average teacher or principal can handle. They are sophisticated cybercriminals targeting K-12, ”Krueger said. “It’s getting harder and harder.”