‘They’re attractive targets’: Cybersecurity attacks on schools are becoming more frequent and severe
The frequency and severity of cyberattacks against K-12 schools are increasing, with a new incident affecting a school district south of Seattle being just the most recent case.
That’s according to Doug Levin, co-founder and national director of the K12 Security Information eXchange (K12 SIX), a national nonprofit tackling school cybersecurity issues. The organization identified at least 325 ransomware attacks on U.S. school districts between April 2016 and November 2022, but the situation has only worsened, Levin said.
On Sunday, Highline Public Schools announced that it had “detected unauthorized activity on our technology systems and have taken immediate action to isolate critical systems.”
The breach forced the 17,500-student district to cancel classes on Monday, which would have been only the fourth day of school for most kids, and the first for Highline’s kindergartners. Update: The district has announced that classes, athletics and meetings will be canceled Tuesday as well.
When it comes to schools and cyberattacks, “they’re attractive targets,” Levin said.
Educational institutions use a lot of technology but don’t have the resources, expertise or mandate to put strong cybersecurity protections in place. At the same time, they hold large amounts of valuable and sensitive information, and their operations are essential, creating significant problems in a shutdown.
The attackers are mostly based in foreign countries that are not allied with the U.S., Levin said. The criminals extort payments in exchange for releasing control of the computer system and/or for not publishing or selling personal information from staff and students. That data can be used for identity theft, and includes private mental and physical health records and academic details for students.
“Largely, this is about money,” Levin said. “And starting in about 2019, school systems as well as other state and local government agencies started being systematically targeted by a number of these criminal groups.”
Levin called out three main entry points for waging a school cyberattack:
- Compromised credentials for logging into school systems, perhaps including reused names and passwords, and not requiring multi-factor authentication for accessing accounts.
- Phishing emails that trick users of a school system into sharing their credentials.
- Exposure due to online systems or programs that are out of date and need a patch, or are insecure in general.
The recent shift to hybrid and remote instruction models spurred by the pandemic makes the education sector especially susceptible to cyberattacks, said Sam Rubin, vice president and global head of operations for Unit 42, a cybersecurity advisory unit of Palo Alto Networks.
“The reliance on technology in education has expanded the attack surface, with schools using online learning platforms, student information systems, and other digital tools that may be vulnerable to exploitation,” Rubin said.
Highline took down its internet access, but the district’s website is intact and staff has access to email, said district spokesperson Tove Tupper.
“Our investigation into unauthorized activity on our technology systems is ongoing, and critical systems are still offline. We have not seen evidence of staff, family or student information compromised,” Highline officials said on Monday afternoon. “If this changes, we will notify impacted individuals.”
The decision to cancel class is tough, Tupper said.
“We know it impacts our families and our students in a really big way,” she said. “But school safety is our top priority and we just can’t have schools without some of these systems in place.”
School operations are reliant on online access for much more than just classroom instruction. For Highline, that includes managing bus transportation and routes, tracking attendance, emergency communications and other functions.
Levin noted that a cyberattack can also disable building security locks and cameras, cafeteria payments, student schedules and authorizations for who can pick up students after school.
“We’re working with some third-party and state and federal partners to help us with the investigation and to restore our systems,” Tupper said.
In one of the most notable cybersecurity incidents in Washington state, the Northshore School District near Seattle was hit with a serious ransomware attack in 2019. It took the 24,000-student district about three weeks to repair critical digital operations and more than three months to recover completely, according to StateScoop.
The long-term solutions to these cyber assaults are tricky and expensive. In general, there are no security requirements that schools are legally required to meet, and there’s limited funding to bolster their safeguards.
“Public schools are already significantly understaffed in IT, especially with security professionals,” said Rubin.
This summer, the Federal Communications Commission announced a three-year, $200 million Schools and Libraries Cybersecurity Pilot Program to gather information on cybersecurity tools that would help these institutions better protect themselves.
In August 2023, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released a report called K-12 Digital Infrastructure Brief: Defensible and Resilient that addressed online security and privacy in the schools.
On average, there is more than one attack on K-12 schools per school day, according to CISA.
Levin recommends that staff and students with connections to a school system place a freeze on their credit to prevent identity theft.
“We’re going to need technology companies to step up and do more. We as individuals are going to need to do more,” he said. “At the end of the day, we’ve been fairly trusting about the technology that we use. But the internet is not a particularly safe or friendly place, as it turns out.”
In the past year in the Seattle area, the Port of Seattle (which includes Seattle-Tacoma International Airport), the city’s library system, and the Fred Hutchinson Cancer Center have also been targeted by cyberattacks, with varying degrees of disruption and harm caused.