Privacy & Security

COVID-19 and Cybersecurity: ‘Catastrophic Attack on Our Technology Systems’

By Mark Lieberman — December 01, 2020 7 min read
BRIC ARCHIVE
  • Save to favorites
  • Print

Two large school districts have been rattled in the last week by incidents related to internet security and privacy, as vulnerability to cyberattacks remains high during the current pandemic-era period of increased technology use.

In Baltimore County, Md., classes shut down the day before Thanksgiving due to what school officials have called a “catastrophic attack on our technology systems.” Schools remained closed Monday and Tuesday and are expected to reopen Wednesday. The district had been in fully remote learning mode that will last at least into January.

Meanwhile, in Chicago, parents and elementary school students were alarmed over this weekend when they received a series of unsavory, profanity-laced emails in their school inboxes during a 90-minute period in the morning. According to a Chicago Sun-Times report, the initial message read, “I do not know who I am. I do not know why I am here. All I know is that I must kill,” and was followed by a series of replies that included question marks and vulgar language.

The incidents are different and unrelated. Baltimore County district officials have confirmed that the hack was a ransomware attack. District officials have been circumspect so far about the nature and extent of the breach, and whether sensitive data has been compromised or made public.

The Chicago incident, by contrast, “did not pose an information security risk or permit access to anyone outside the CPS network,” according to a statement from the district. A districtwide email group had inadvertently been set to allow anyone to respond to the entire group, the statement said. The district has not shared further details about the source of the messages.

These two incidents are the latest in a growing pile of reports from districts experiencing cybersecurity challenges this school year.

In Toledo, Ohio, district officials confirmed in early November that a ransomware attack had taken place in September after months of speculation among community members. That attack resulted in the dissemination of student and staff data, school officials said in a letter to families.

Some districts have yet to confirm apparent cyberattacks. The New Haven district in Connecticut was working with law enforcement officials last month to determine the extent of an apparent attack on middle school students’ email accounts. The Norfolk district in Virginia shut down some virtual classes for a couple days as a preemptive measure after a district official noticed possible disturbances on the network.

The threats also extend to education companies. Stride, the for-profit education provider previously known as K12 Inc., announced Monday that it is paying ransom to cybercriminals who recently invaded its network and is working with a third-party provider to determine the extent of the hack. A recent federal report found that cyberattacks on education companies, while rare, can be serious because they can affect students across numerous districts.

Schools are among the institutions most likely to be targeted by hackers during this current period of heightened attention on cybersecurity threats, said Richard DeMillo, interim chair of the School of Cybersecurity and Privacy at the Georgia Institute of Technology. Public institutions that have a strong motivation to protect their data are always at a higher risk, and the pandemic has increased that risk because far more school activity is occurring using digital tools.

“It’s not that the threats are changing, it’s that the risks are growing,” DeMillo said. “You should assume the more you’re doing online, the more the risks have gone up, the more serious the consequences would be if there were a serious breach.”

See Also

The Federal Bureau of Investigation alerted K-12 schools earlier this year that ransomware attacks on the rise, and has been assisting districts including Baltimore County when cybersecurity breaches crop up. The superintendent of the Hartford school district in Connecticut is among the scheduled speakers at a U.S. Senate hearing Wednesday on the topic of cybersecurity threats facing state and local governments.

The Consortium for School Networking (CoSN), a membership organization that represents school IT leaders, has been advocating even prior to the pandemic for the Federal Communications Commission to allow funds from its E-Rate program for school connectivity to go towards strengthening cybersecurity protections. Districts have reported spending anywhere from $25,000 to $150,000 a year for basic firewall protections alone, according to a 2019 survey of CoSN members.

The recent spate of cybersecurity incidents affecting major districts only reinforces the urgency of those funds, said Keith Krueger, CEO of CoSN. He believes ongoing discussions about closing the digital divide need to more strongly touch on cybersecurity as a key component.

“Just getting devices and broadband connectivity, Wi-Fi, that alone is insufficient if the network isn’t usable, isn’t safe and secure,” he said.

Understanding the Risks

Sean Gallagher, a senior threat researcher for the technology security firm Sophos, worked prior to this February as a journalist for the technology publication Ars Technica. In that capacity, he was researching Baltimore school networks last year in the aftermath of a ransomware attack on the Baltimore city school district, which is separate from the county district.

Using a search engine that detects cybersecurity vulnerabilities, he found that Baltimore County’s network protections hadn’t been updated to protect against one of the possible culprits of the Baltimore City attack.

Gallagher said in an interview he contacted the district at the time to flag those concerns, but never heard back. A district spokesperson didn’t respond to a request for comment.

A state audit released just one day before Baltimore County schools closed last week reinforced Gallagher’s findings, identifying “significant risks” within the district’s network.

There’s not enough public information yet to determine whether the vulnerabilities identified in Gallagher’s 2019 research or the 2020 state audit played a role in the current breach. But Gallagher said the series of events illustrates the importance of schools prioritizing cybersecurity efforts, and governments prioritizing funding for those efforts.

“They really need to look at how they’re doing remote access, and take a really deep look at how their networks are connected to allow people to get in,” he said.

In a survey conducted by the EdWeek Research Center in November, only 16 percent of teachers, principals, and district leaders said their school or district is engaged in full-time in-person learning. That means all the remaining districts have at least some remote learning currently taking place.

The more that schools have typically in-person activity happening on digital devices, the higher the risk becomes for a cybersecurity breach, according to DeMillo.

“Staring at a computer screen in the privacy of your own home has now become a fairly public activity,” DeMillo said. “The level of hygiene it takes in order to keep that safe has to grow accordingly. That’s not a natural thing for a teacher to think about.”

How to Strengthen Protections

In the near term, experts said schools need to focus on raising awareness among employees of cybersecurity threats, and the role that their own activity could play in facilitating them.

Several Baltimore County teachers have shared on social media that their files have a Ryuk extension on them, according to a Baltimore Sun report. The district has not confirmed that the breach was a Ryuk attack.

Regardless, the nature of Ryuk attacks is instructive, Gallagher said. They typically happen as a result of a single user clicking on an email message that contains an attachment or link. Clicking that link activates malware that can quickly spread to the whole system.

Most people are aware to some extent that cybersecurity is an issue, but getting them to follow through on that awareness with action can be much trickier, DeMillo said. Constantly reinforcing to administrators and teachers the importance of diligence is crucial, he said.

Schools also need to have policies and procedures in place for sharing the right amount of details of a hack that’s taken place.

“Especially when you’re in the middle of a problem, you can’t always say everything publicly or you’ll create a worse problem,” Krueger said.

Fewer than 20 percent of school districts have a dedicated employee whose sole focus is cybersecurity, according to a 2020 survey of CoSN members. IT officials were stretched thin for tackling these issues even before COVID-19 and widespread digital learning.

“This isn’t something the average teacher or principal can handle. These are sophisticated cybercriminals targeting K-12,” Krueger said. “It’s just getting harder and harder.”

A version of this news article first appeared in the Digital Education blog.

Events

Jobs Virtual Career Fair for Teachers and K-12 Staff
Find teaching jobs and other jobs in K-12 education at the EdWeek Top School Jobs virtual career fair.
Ed-Tech Policy Webinar Artificial Intelligence in Practice: Building a Roadmap for AI Use in Schools
AI in education: game-changer or classroom chaos? Join our webinar & learn how to navigate this evolving tech responsibly.
Education Webinar Developing and Executing Impactful Research Campaigns to Fuel Your Ed Marketing Strategy 
Develop impactful research campaigns to fuel your marketing. Join the EdWeek Research Center for a webinar with actionable take-aways for companies who sell to K-12 districts.

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Privacy & Security A Massive Data Leak Exposed School Lockdown Plans. What Districts Need to Know
More than 4 million records held by school safety software company Raptor Technologies were left inadvertently exposed online.
5 min read
Concept image of security breach, system hacked alert with red broken padlock icon showing vulnerable access.
Nicolas Herrbach/iStock/Getty
Privacy & Security As Cyberattacks Mount, Lawmakers Double Their Efforts to Protect Schools
But the legislative push is not matched by funds to build better cyber defenses.
2 min read
Conceptual illustration of computer with a pixelated lock on screen.
Nanzeeba Ibnat/iStock/Getty Images Plus
Privacy & Security 3 Superintendents Share Cybersecurity Best Practices
Cyberattacks cause major disruptions to learning, but school districts are still struggling to put in place effective protections.
3 min read
Image of a red glowing caution sign over a dark field of data.
Getty
Privacy & Security Saturn Is a New App for High Schoolers. Here’s Why It Has Educators Concerned
Saturn is billed as a time-management app, but experts see potential privacy concerns in allowing it broad access to students' schedules.
6 min read
Image of a clock, calendar, and a pencil.
Tatomm/iStock/Getty