Hackers are ready to pounce on schools and universities as they attempt to restart classes 18 months into the coronavirus pandemic while already dealing with controversial subjects such as mask mandates and hybrid learning.
Both K-12 schools and colleges have been increasingly subjected to ransomware attacks, class interruptions on virtual learning platforms, phishing emails and identity theft, further disrupting an already challenging learning environment.
“Last year was quite rough,” Doug Levin, the national director of the K-12 Security Information Exchange, told The Hill. “This year unfortunately, given the continuing challenge of responding to COVID, I think we are likely to see some school districts bouncing back and forth again between in-person and remote learning, or at least making that option available.”
Threats against the education sector have spiked over the past year, as classes have moved online with little time to prepare and under-resourced schools and colleges have struggled to cope with the increase in cyber threats that digital learning brought.
While many educational institutions initially had to contend with the phenomenon of “Zoombombing,” in which virtual classes were interrupted by a malicious individual, cyber criminals have increasingly turned to more lucrative tactics, such as ransomware attacks, to extort vulnerable schools for profit.
In the run-up to the first day of school across the country, cyber criminals are prepared to take full advantage of the chaos still faced by many almost two years into the pandemic.
Israeli American cybersecurity group Check Point Software tracked a massive increase in the targeting of the education sector worldwide in July, up 29 percent from the first half of the year, with an average of more than 1,700 attacks per week.
Ekram Ahmed, a spokesperson for Check Point, told The Hill that while July is typically a break for schools and universities, the spike in activity was likely in advance of students returning to classes.
“It’s directly tied to back-to-school, and I think there is somewhat of a preparation dynamic going on,” Ahmed said. “There is this motion to seed schools with malware in preparation for major cyberattacks down the road, and I think that’s why we see it in July as these schools get back up and running.”
He warned that identity theft is becoming a major threat to students, noting that data such as Social Security numbers or birth dates is “higher leverage because you can get someone who’s young, and then years down the road attack them.”
Many colleges and K-12 institutions have already been in the headlines after facing crippling attacks in recent months.
The Broward County School District in Fort Lauderdale, Fla., was subject to a ransomware attack in March. According to The South Florida Sun Sentinel, when the district refused to pay the $40 million demanded by the Conti ransomware group, the hackers published nearly 26,000 stolen files online.
Districts in Miami-Dade County, Fla.; Baltimore County, Md.; and Fairfax County, Va., saw classes interrupted by cyberattacks last year.
The K-12 Cybersecurity Resource Center, which Levin founded, put out a report earlier this year finding that attacks against K-12 institutions had gone up 18 percent in 2020 compared to the previous year, an amount the center described as “record-breaking.”
“A year ago in March school districts had to pivot on a dime to online learning, they made huge changes in a very short period of time, invested in new equipment, availed themselves of new services, and as a result they exposed themselves to a lot of risk,” Levin said. “We saw more incidents targeting schools.”
Colleges and universities, such as the University of California, have also been targeted, and top officials are preparing to face the threats for another year.
Aaron Baillio, the chief information security officer at the University of Oklahoma, said during a webinar hosted by cybersecurity group Proofpoint last week that while ransomware attacks are the “No. 1 threat,” malicious phishing emails that allow cyberattacks to take hold were the “No. 1 problem.”
“The tactics just continue to get more sophisticated, where they are actually doing more research on the faculty side to look at ‘who is this department chair,’ and then try to spoof that chair,” Baillio said. “The campaigns seem to be a lot more targeted, a lot more sophisticated.”
Mary Dickerson, the chief information security officer at the University of Houston, said during the same event that email had increasingly become the “primary threat vector” for students.
“The attackers are getting more sophisticated, they are getting more targeted, and even our most reliable and best users can fall for some of these things,” Dickerson said.
While major universities often have security teams and adequate funding to address cyber and IT concerns involved in moving to more online learning, many K-12 schools do not.
In addition, efforts to address cybersecurity concerns have increasingly been muffled by controversy around mask mandates and vaccines for students amid the ongoing COVID-19 pandemic and an increasingly polarized society.
“Issues like being in-person or not being in-person, or being masked or not masked, or teaching X curriculum or Y curriculum, those are things that are much more salient and that people feel and see in the classroom from day to day,” Levin said. “Cybersecurity in some respects is invisible to the core business of schools.”
While K-12 institutions and colleges have learned lessons from the onslaughts of attacks during the COVID-19 pandemic and begun to implement more security measures as a result, cyber threats are high as the new school year begins.
“If nothing else, the pandemic has shown that with this digital transformation comes these new risks, and that these risks are not trivial, they have a real-world impact,” Levin said.
“We expect school districts to be able to protect students and teachers and staff online, just as we protect them physically when they are on campus,” he continued. “I think we have a long way to go in order to meet those expectations, but that conversation has started because of the experiences of the last year."
Levin added: "This is a marathon, not a sprint.”