A surge in cyberattacks has struck more than a dozen K-12 school systems in the current back-to-school season, following a spike in attacks on U.S. schools overall in the first half of 2023. And Doug Levin, for one, is not surprised.
As co-founder and national director of K12 Security Information eXchange (K12 SIX), a leading nonprofit in the education sector, Levin (pictured, at right) guides the formulation of cybersecurity best practices to help protect schools from cyber threats.
Like Tom Cruise in the latest Mission: Impossible movie, grappling with an aggressive artificial intelligence, Levin finds himself increasingly engaged in a man-vs.-machine cyberbattle, trying to defend school districts from cyberattacks, but without those racy sportscars and motorcycles Cruise gets to drive. The budget for Levin’s nonprofit, after all, has its limits.
Ransomware is slamming the education sector this year. From January through June, more than 120 schools—both K-12 and higher-education institutions—suffered ransomware attacks, compared to 188 total in 2022, according to a recent report from the Global Resilience Federation. And those numbers are destined to get worse thanks to AI, which will be used increasingly by cyber gangs (and disgruntled teens, no doubt), say experts.
It’s especially tough in the K-12 sector, which suffers more than one cyber incident per school day, on average, according to the U.S. Cybersecurity and Information Security Agency (CISA). We may top that statistic this year: In August alone, ransomware gangs claimed credit for 11 new attacks on K-12 school systems, including districts in New Jersey, Colorado, Washington state, and rural Alaska, notes an analysis by The 74, a nonprofit education news site. This month saw a breach of Florida’s Hillsborough County Public Schools, the seventh-largest district in the U.S., and a ransomware attack on Pennsylvania’s Chambersburg Area School District that shut down schools for three days.
The trend is just as serious in the UK, where a spate of cyberattacks has struck at least four campuses since the start of the school year.
So what’s a school administrator or educator to do when ransomware strikes? Don’t pay the ransom, both CISA and the Federal Bureau of Investigation (FBI) advise. OK… but then what? In an exclusive interview with Focal Point, Levin (who was just appointed this year to CISA’s Cybersecurity Advisory Committee) explains the unique vulnerabilities of schools and points to resources for shoring up defenses for the inevitable cyberattack.
[The following interview has been edited for clarity and length.]
Every organization hit by ransomware suffers, but for schools it’s especially tough. What pain points are unique to the education sector?
I’d argue there are three primary ways that ransomware attacks against school systems are unique.
School systems hold a treasure trove of sensitive information about not only current students and staff but also those associated with the school system in the past, including volunteers, vendors, [and] school board members.
First, in many cases ransomware attacks also entail data exfiltration, and school systems hold a treasure trove of sensitive information about not only current students and staff but also those associated with the school system in the past, including volunteers, vendors, school board members, and others.
That’s a lot of bank accounts and Social Security numbers.
Data held can also include anything from psychological and medical reports to involvement with law enforcement, legal issues, home-status issues related to homelessness, broken homes or protective orders, immigration status, gender and religious identity, etc. While victims are subject to identity theft via credit fraud or tax fraud, they also may face other harms due to the nature of the data collected by schools.
Second, schools are highly resource-constrained. When counting medium- and long-term costs of responding to and recovering from ransomware attacks, school systems victimized by ransomware may end up spending millions of dollars in remediating their systems. This is money that necessarily ends up getting diverted from other school-system priorities, such as teaching and learning.
Third, when a school system is disrupted by ransomware, sometimes they shut their doors. When students can’t come to school, parents and caregivers must make alternate arrangements, students may miss benefiting from school meals or other school resources, and—of course—their education is interrupted.
We’ve heard schools tend to see an uptick in cyberattacks come fall, as school starts, new students arrive, and a lot is in flux.
The start of the school year is indeed a fraught time for school systems. Threat actors have shown they understand that school systems are particularly vulnerable at the start of the school year and over school holidays like Thanksgiving. At those times, IT staff at K-12 institutions might not be able to monitor school networks as closely and staff may be less careful in responding to phishing lures.
Vice Society is a cyber gang well-known for attacking schools. Is there any insight into why Vice targets the education sector? Were these guys punished by their principals one too many times? I mean, given all the possible targets, many with much bigger bank accounts, why the laser focus on schools?
Vice Society is only one among many of the overseas criminal groups that target the education sector with cybercrime. While we don’t think of school systems as wealthy organizations, these groups have found that, given the relatively immature defenses of school systems, they offer a good return on cyberattacks. Their primary motivation is money and—whether they are targeting schools or hospitals—they really do not care about the wider ramifications of their attacks.
So what can school administrators do to boost their cyberdefenses? Where do they start?
While there is no shortage of guidance for organizations looking to shore up their cybersecurity risk management practices, we’d encourage school systems to look for K-12–specific guidance.
At K12 SIX, we’ve produced a set of baseline cybersecurity controls we believe every school system should implement. (Click here to learn more.)
We’d also encourage school administrators to rely on the K-12–specific advice and guidance produced by CISA. (Click here for that federal guidance.)