Two large school districts have been rattled in the last week by incidents related to internet security and privacy, as vulnerability to cyberattacks remains high during the current pandemic-era period of increased technology use.
In Baltimore County, Md., classes shut down the day before Thanksgiving due to what school officials have called a “catastrophic attack on our technology systems.” Schools remained closed Monday and Tuesday and are expected to reopen Wednesday. The district had been in fully remote learning mode that will last at least into January.
Meanwhile, in Chicago, parents and elementary school students were alarmed over this weekend when they received a series of unsavory, profanity-laced emails in their school inboxes during a 90-minute period in the morning. According to a Chicago Sun-Times report, the initial message read, “I do not know who I am. I do not know why I am here. All I know is that I must kill,” and was followed by a series of replies that included question marks and vulgar language.
The incidents are different and unrelated. Baltimore County district officials have confirmed that the hack was a ransomware attack. District officials have been circumspect so far about the nature and extent of the breach, and whether sensitive data has been compromised or made public.
The Chicago incident, by contrast, “did not pose an information security risk or permit access to anyone outside the CPS network,” according to a statement from the district. A districtwide email group had inadvertently been set to allow anyone to respond to the entire group, the statement said. The district has not shared further details about the source of the messages.
These two incidents are the latest in a growing pile of reports from districts experiencing cybersecurity challenges this school year.
In Toledo, Ohio, district officials confirmed in early November that a ransomware attack had taken place in September after months of speculation among community members. That attack resulted in the dissemination of student and staff data, school officials said in a letter to families.
Some districts have yet to confirm apparent cyberattacks. The New Haven district in Connecticut was working with law enforcement officials last month to determine the extent of an apparent attack on middle school students’ email accounts. The Norfolk district in Virginia shut down some virtual classes for a couple days as a preemptive measure after a district official noticed possible disturbances on the network.
The threats also extend to education companies. Stride, the for-profit education provider previously known as K12 Inc., announced Monday that it is paying ransom to cybercriminals who recently invaded its network and is working with a third-party provider to determine the extent of the hack. A recent federal report found that cyberattacks on education companies, while rare, can be serious because they can affect students across numerous districts.
Schools are among the institutions most likely to be targeted by hackers during this current period of heightened attention on cybersecurity threats, said Richard DeMillo, interim chair of the School of Cybersecurity and Privacy at the Georgia Institute of Technology. Public institutions that have a strong motivation to protect their data are always at a higher risk, and the pandemic has increased that risk because far more school activity is occurring using digital tools.
“It’s not that the threats are changing, it’s that the risks are growing,” DeMillo said. “You should assume the more you’re doing online, the more the risks have gone up, the more serious the consequences would be if there were a serious breach.”
The Federal Bureau of Investigation alerted K-12 schools earlier this year that ransomware attacks on the rise, and has been assisting districts including Baltimore County when cybersecurity breaches crop up. The superintendent of the Hartford school district in Connecticut is among the scheduled speakers at a U.S. Senate hearing Wednesday on the topic of cybersecurity threats facing state and local governments.
The Consortium for School Networking (CoSN), a membership organization that represents school IT leaders, has been advocating even prior to the pandemic for the Federal Communications Commission to allow funds from its E-Rate program for school connectivity to go towards strengthening cybersecurity protections. Districts have reported spending anywhere from $25,000 to $150,000 a year for basic firewall protections alone, according to a 2019 survey of CoSN members.
The recent spate of cybersecurity incidents affecting major districts only reinforces the urgency of those funds, said Keith Krueger, CEO of CoSN. He believes ongoing discussions about closing the digital divide need to more strongly touch on cybersecurity as a key component.
“Just getting devices and broadband connectivity, Wi-Fi, that alone is insufficient if the network isn’t usable, isn’t safe and secure,” he said.
Understanding the Risks
Sean Gallagher, a senior threat researcher for the technology security firm Sophos, worked prior to this February as a journalist for the technology publication Ars Technica. In that capacity, he was researching Baltimore school networks last year in the aftermath of a ransomware attack on the Baltimore city school district, which is separate from the county district.
Using a search engine that detects cybersecurity vulnerabilities, he found that Baltimore County’s network protections hadn’t been updated to protect against one of the possible culprits of the Baltimore City attack.
Gallagher said in an interview he contacted the district at the time to flag those concerns, but never heard back. A district spokesperson didn’t respond to a request for comment.
A state audit released just one day before Baltimore County schools closed last week reinforced Gallagher’s findings, identifying “significant risks” within the district’s network.
There’s not enough public information yet to determine whether the vulnerabilities identified in Gallagher’s 2019 research or the 2020 state audit played a role in the current breach. But Gallagher said the series of events illustrates the importance of schools prioritizing cybersecurity efforts, and governments prioritizing funding for those efforts.
“They really need to look at how they’re doing remote access, and take a really deep look at how their networks are connected to allow people to get in,” he said.
In a survey conducted by the EdWeek Research Center in November, only 16 percent of teachers, principals, and district leaders said their school or district is engaged in full-time in-person learning. That means all the remaining districts have at least some remote learning currently taking place.
The more that schools have typically in-person activity happening on digital devices, the higher the risk becomes for a cybersecurity breach, according to DeMillo.
“Staring at a computer screen in the privacy of your own home has now become a fairly public activity,” DeMillo said. “The level of hygiene it takes in order to keep that safe has to grow accordingly. That’s not a natural thing for a teacher to think about.”
How to Strengthen Protections
In the near term, experts said schools need to focus on raising awareness among employees of cybersecurity threats, and the role that their own activity could play in facilitating them.
Several Baltimore County teachers have shared on social media that their files have a Ryuk extension on them, according to a Baltimore Sun report. The district has not confirmed that the breach was a Ryuk attack.
Regardless, the nature of Ryuk attacks is instructive, Gallagher said. They typically happen as a result of a single user clicking on an email message that contains an attachment or link. Clicking that link activates malware that can quickly spread to the whole system.
Most people are aware to some extent that cybersecurity is an issue, but getting them to follow through on that awareness with action can be much trickier, DeMillo said. Constantly reinforcing to administrators and teachers the importance of diligence is crucial, he said.
Schools also need to have policies and procedures in place for sharing the right amount of details of a hack that’s taken place.
“Especially when you’re in the middle of a problem, you can’t always say everything publicly or you’ll create a worse problem,” Krueger said.
Fewer than 20 percent of school districts have a dedicated employee whose sole focus is cybersecurity, according to a 2020 survey of CoSN members. IT officials were stretched thin for tackling these issues even before COVID-19 and widespread digital learning.
“This isn’t something the average teacher or principal can handle. These are sophisticated cybercriminals targeting K-12,” Krueger said. “It’s just getting harder and harder.”
A version of this news article first appeared in the Digital Education blog.