Experts Say Increase Owes to Lack of Funding, Virtual Learning
U.S. public schools faced a record number of cyber incidents in 2020, with over 400 attacks reported. This led to a spike in school cancellations, as IT staff members struggled to get systems back online while dealing with the COVID-19 pandemic, according to a report from the K-12 Cybersecurity Resource Center.
And there’s no letup in sight, experts say.
“Incidents so far in 2021 are continuing apace – from ransomware to class and meeting invasions to denial-of-service attacks. It is a little early in the year to make predictions on trends, but there is certainly no reason to believe that schools are either better situated this year than last, or that they are less of a target,” says Douglas A. Levin, president of the consulting firm EdTech Strategies and the K-12 Cybersecurity Resource Center.
The Buffalo Public Schools system is among the most recent districts to be attacked, issuing a report on Sunday. Classes in the district were canceled on Monday.
The 408 cyber incidents tracked by the nonprofit K-12 Cybersecurity Resource Center represent an 18% increase over 2019, with data breaches and ransomware attacks being the most destructive attack types. These attacks struck 377 different public institutions in 40 states, with urban, suburban and affluent districts being most often targeted.
The impact COVID-19 had on the number of attacks faced by schools was also readily apparent, Levin says. He notes that during the first quarter of 2020, the number of attacks was in line with earlier years, but climbed steadily throughout the school year, peaking in the third quarter when 160 attacks were reported.
Adding to the school districts’ already considerable cybersecurity burden, Levin notes, is that many of them have also been affected by the recent Microsoft Exchange issues and internet of things video camera compromises (see: How Did the Exchange Server Exploit Leak?).
School Funding Crisis
Levin says school districts are in the difficult position of needing additional security, but lacking the funds to make it happen, resulting in little or no additional money devoted to protecting students and staff.
“While we don’t have a systematic way to track aggregate school district spending on cybersecurity, we haven’t seen any anecdotal evidence yet to suggest that districts are devoting more of their scarce resources to this issue,” he says.
But there may be a bright spot, Levin says. There are indications that at the state and federal levels, policymakers are paying more attention to the issue, and some of them could provide new funding to school districts.
In place of additional funding, the K-12 Cybersecurity Resource Center says school districts can take these low-cost steps to improve security:
- Develop incident response plans;
- Launch a training and awareness campaign among students and staff;
- To the extent feasible, begin the migration to multifactor authentication, at least for staff members with access to sensitive IT systems;
- Ensure the availability of immutable, offline backups to guard against the threat of ransomware and other malware outbreaks;
- Shift to a faster patching cadence, especially for critical systems;
- Audit user access to devices and services and limit elevated (administrative) access as much as possible.
The COVID-19 pandemic led to not only an increase in attacks, as schools necessarily boosted their use of technology to host extended learning classes and equip employees to work from home, but to a new class of attacks, such as Zoom bombing.
Levin notes that threat actors quickly took advantage of developments related to COVID-19 – such as the quick deployment of devices, the rollout of new learning platforms without training, and the use of free applications and services by staff without any security vetting taking place. These all led to new styles of attacks.
Particularly vexing were class and meeting invasion incidents in which malicious actors entered online classes, staff or PTA meetings, inserting hate speech; shocking images, sounds and videos, as well as threats, Levin says.
Ransomware and Data Breaches
Ransomware attacks targeting schools actually decreased 24% during 2020, dropping to 50 instances being reported across 25 states. While fewer in number, these attacks tended to be more costly and damaging as threat actors used new tactics, such as data exfiltration and extortion, to force districts to pay their ransom.
“While the number of incidents alone should be alarming to K-12 leaders and policymakers, what sets 2020 apart from prior years is … the increase in the severity of incidents,” Levin says.
The report says that seven cyber incidents of the 145 reported data breaches last year were situations in which attackers removed data and then threatened to expose it publicly unless the district met their demands. When the school districts refused to bow to this pressure, it resulted in the compromise of the personally identifiable information of 560,000 current students and 56,000 current staff members.
Levin notes that there are no reports of public schools paying a ransom in 2020, a switch from 2019, when several districts, including the Rockville Centre, New York school district took this option. The districts’ decisions to not pay may have been due to the ransom amounts demanded, the report states.
Levin notes, “Anecdotal reports suggest that extortion demands made to schools may have significantly increased, in some cases far exceeding $1 million per incident.”
The impact on the children was also severe, with 15 school districts being forced to cancel classes, up from five in 2019, and school being halted for more than a week in several cases, the report says.