Cyberattacks find easy target in nation's schools

School districts across the country are increasingly becoming a major target of malicious cyberattacks, leaving both the federal government and state governments scrambling to find ways to fight back. 

Recent cyberattacks on school districts in Louisiana, Virginia and Oklahoma have highlighted the threat. In Louisiana, Gov. John Bel Edwards (D) declared a statewide emergency last month in response to ransomware attacks on three school districts, and authorized state resources and cyber assistance to help the districts. 

Last week in Oklahoma, Broken Arrow Public Schools were also targeted by a ransomware attack, in which an attacker encrypts the system and demands payment to unlock it. School District Superintendent Janet Dunlop said in a statement that the district had experienced “network and server issues which are believed to be caused by criminal actors attempting to disrupt the operations of our district.”

Dunlop said the district had notified the FBI and would work to “hold the wrongdoers accountable.”

And in Spotsylvania County, Virginia, the school district revealed this week that both it and the county government were the victims of email scams. The investigation has been turned over to the Virginia State Police, with local news outlets reporting that school officials fell for an email scam and paid $600,000 to a cyber scammer, thinking they were paying a contractor for a new football field. 

While school districts may not seem to be the obvious target for hackers in comparison to governments or essential services, Doug Levin, the founder and president of EdTech Strategies, a consulting firm, told The Hill that they are easy targets due to outdated systems and the fact that they handle large amounts of money.

“They are a soft target, for those that are doing not-very-sophisticated attacks and they are looking to ransom people and steal data, they are just scanning the internet for easy targets and outdated systems,” Levin said.

“They manage a lot of money, facilities, buses, food service, providing some degree of health care, providing special education services, telecommunications systems,” he added. “Schools are major expenditures.”

EdTech Strategies runs the K-12 Cybersecurity Resource Center, which tracks the number of reported cyberattacks that U.S. school districts have faced since 2016. According to their incident map, there have been 533 cyber incidents involving school districts since January 2016, with the majority of attacks concentrated in suburban and urban school districts. 

The map shows the majority of attacks targeting school districts involve “unauthorized disclosures, breaches, or hacks” of the personal information of school employees or students, while other types of cyber incidents include phishing emails, denial-of-service attacks, and ransomware attacks.

Levin noted that many school districts may not know they have been attacked in some way, or may not have publicly disclosed incidents, meaning that the actual number of cyberattacks against school districts may be “10 to 20 times higher.”

School districts are not alone in their fight against cyber threats.

A Department of Education spokesperson noted that the agency’s Office of Educational Technology and its Office of State and Supportive Services provide cybersecurity resources to school districts. The department also offers various cybersecurity fact sheets for school districts to use to secure their systems.

At the state level, various governments have also taken steps to address cyberattacks on school districts. 

In Louisiana, authorities were able to quickly react to the recent attacks thanks to the establishment in 2017 of the Cybersecurity Commission, which brings together cyber professionals and key stakeholders in the state.

In June, Texas took steps to secure school districts when Gov. Greg Abbott (R) signed into law a bill that requires districts to adopt cybersecurity policies and mandates that the superintendent of each school district appoint a cybersecurity coordinator to serve as a liaison with the Texas Department of Information Resources.

The law was a direct response to a ransomware attack that impacted Crosby Independent School District outside Houston in February, an attack that reportedly involved a large bitcoin ransom and took down the district’s IT network. 

North Dakota went a step further than Texas, with a new law in April that enables the state’s Information Technology Department to “advise and oversee” a cybersecurity strategy for all executive branch state agencies, as well as counties, cities and school districts. 

There was pressure to address cyber threats in North Dakota, given reports that in February 2018, one-third of the schools in the state were hit by malware attacks.

Levin saw these state actions as positive developments, but emphasized the importance of sharing information about attacks between school districts. He said if a cyberattack succeeds in one district, the actors tend to repeat it in others. 

He recommended that state governments promote “cyber hygiene” awareness, such as encouraging people to change passwords on emails and not click on attachments, as one way to combat these threats.

Levin said it was "unfortunate" that Louisiana was forced to declare a state of emergency.

"In 2019 and going forward, this is the norm. These attacks happen everywhere with increasing frequency and increasing severity," he said.

“This can’t be an emergency, this is the state of play at present.”