Frederick M. Hess
School closures fueled by COVID and staffing shortages have been well documented of late. Far less attention has been paid to the spate of major school districts shuttered by cyberattacks.
Earlier this month, the Albuquerque public schools were forced to cancel classes due to a cyberattack that locked district staff out of the student-information database they use to record attendance, determine who is permitted to pick students up from school, and store student emergency contacts. Last March, the Buffalo, N.Y., district canceled classes for two days in response to a ransomware attack. Since the start of the pandemic, cyberattacks have also prompted school closures in districts including Hartford, Conn.; Newhall, Calif.; and Somerset Hills, N.J.
What can be done about this growing threat? Well, Eileen Belastock, the director of technology and information for the Nauset public schools in Massachusetts, tackles that issue in a fascinating, deeply troubling article for Education Next (remember, I’m an editor at Ed Next). In “Our Biggest Nightmare Is Here,” Belastock explores the cybersecurity risks facing America’s schools and just how ill-prepared many systems are for the challenge. At a time when schools have become extraordinarily reliant on vulnerable technology, it’s hard to think of a more important topic that gets less day-to-day attention (although Education Week’s own Alyson Klein deserves a hat tip for paying more than a little attention to it in stories like this and this).
As Belastock explains, “Of the 17 industries studied by information-security company SecurityScorecard, the education sector ranked as the least secure in 2018.” The explosion in online learning during the pandemic only exacerbated these challenges. In 2020, there were a record-breaking number of publicly reported cybersecurity incidents—“408 across 377 school districts in 40 states, according to the K–12 Cybersecurity Center,” or “a rate of more than two incidents per school day throughout 2020.”
Ransomware poses a particular danger to schools. First, hackers engage in “distributed denial-of-service attacks,” where a flood of internet traffic disrupts a district’s network and presents users from accessing payroll platforms, student schedules, or email applications. Then, while school networks are offline, they use malware to take control of a district’s data and demand a ransom to restore access.
As of this past August, Politico has reported that ransomware attacks have hit 58 education organizations and school districts, including 830 individual schools. Last March, the Broward County, Fla., district didn’t pay a $40 million ransom, leading the hackers to publish 26,000 stolen files online (these included student and staff Social Security numbers and addresses).
Things may only get worse, Belastock fears. The Consortium for School Networking has reported that hackers are shifting from companies “which are devoting increased resources to cyber defenses,” to more vulnerable sectors like “school districts, universities, and nonprofits.”
You’re not alone if you’re thinking, “Aren’t schools already wrestling with enough challenges?” I’m with you. But the reality is that the pandemic has yielded massive shifts to remote learning, with huge new outlays for hardware and software. Given the speed with which this all occurred, it’s no great surprise that much of this happened without a lot of attention to cybersecurity. And it’s not like K-12 was doing especially well on this score even before March 2020.
So, what now?
Belastock offers several practical suggestions, all of which seem wholly sensible. Since more than 90 percent of school-based cyberattacks start with phishing campaigns, in which cybercrooks try to get a user to reveal personal information or install malicious software on their computer or else impersonate a trusted party to obtain payments or financial information, she recommends cybersecurity training. Surveys suggest that educational administrators have not yet been prepared for these challenges, so such trainings could go a long way toward eliminating attacks that are the consequence of human error.
In an admonition that sounds all-too-familiar to those of us who’ve wrestled with less cataclysmic computer crashes, she also argues: “A robust backup system is the best protection against an attack, and the most effective backup systems are a) cloud-hosted or offline, b) not tied to a district’s domain, and c) inaccessible from the district network.” So, schools need to take backup seriously and do it pronto.
Finally, Belastock strongly urges school systems to obtain cyber liability insurance, which most insurance companies now offer to school districts—some for only $1,600 a year. The insurance typically covers not only any ransom itself but also experts to help analyze the breach, manage the district’s response, and recover lost revenue. Belastock argues that building this into a district budget is just accountable management and can potentially save millions.
This problem isn’t going away. Indeed, it’s a safe bet that it’s only going to get worse, as schools become ever more reliant on tech. Educational leaders and policymakers have spent the last two years investing heavily in education technology. It’s time to take aggressive steps to protect that investment.