School districts struggle to defend against rising ransomware attacks

Cyber criminals are stepping up their efforts to hack into vulnerable school districts, often launching ransomware attacks like the kind that shut down the Colonial Pipeline earlier this month.

The number of cyberattacks targeting schools has increased during the coronavirus pandemic, jumping almost 20 percent in 2020 compared with the previous year, according to one industry report.

The impact of those attacks is all the more damaging as the majority of districts have migrated to some level of virtual learning to comply with COVID-19 restrictions, making it easier for hackers to disrupt classes or take them offline altogether.

“We have seen major school districts, lots of students, essentially shut down, no learning going on for days,” Doug Levin, the national director of the K-12 Security Information Exchange, told The Hill.

“It’s sort of adding insult to injury when schools have already been pushed to a remote learning environment and have put that in place with rubber bands and toothpicks. … They don’t have the ability to respond,” said Levin, who is also founder of the K-12 Cybersecurity Resource Center, which tracks ransomware and other cyberattacks in the United States.

The center put out a report earlier this year that said schools were hit with a record-breaking 408 cyberattacks last year, up 18 percent from 2019.

Those numbers track with the seemingly daily reports of school districts hit by ransomware attacks in places such as Fairfax County, Va., and Baltimore County, Md.

The attacks often involve the removal of student information, making remote learning difficult or impossible. Some districts, Levin said, have reported cases of young students facing credit fraud or identity theft in the months after an incident.

When cyber criminals successfully access and encrypt vital data, school districts often face pressure to pay the ransom in order to regain access to their systems and prevent student information from being posted online.

The ransom demands, however, are sometimes far beyond what a school system or local government can pay.

Last month, Broward County School District in Fort Lauderdale, Fla., was hit with a ransomware attack that demanded $40 million. After the district refused to pay that amount, the hackers published nearly 26,000 stolen files, according to the South Florida Sun-Sentinel.

But more than a year into the pandemic, K-12 schools have learned valuable lessons about protecting themselves, and lawmakers are proposing new funding to help.

On Capitol Hill, lawmakers have increasingly taken notice of the threat posed by ransomware attacks to schools and other critical entities, such as hospitals and government agencies.

Rep. Yvette Clarke, chairwoman of the House Homeland Security Committee’s panel on cybersecurity, will soon introduce bipartisan legislation that would provide $500 million annually to state and local governments to defend against ransomware attacks.

The odds of passage are far from certain, though, especially after other efforts have fallen short.

Reps. Doris Matsui (D-Calif.) and Jim Langevin (D-R.I.) introduced legislation in the House last year to establish a $400 million grant program to help expand the cyber workforce and improve infrastructure to better protect K-12 institutions against attacks.

The measure did not get a vote in the House. Matsui and Langevin are planning to reintroduce the legislation this year.

“Even as millions of students and families have leaned on remote learning to make it through this pandemic, criminals have used COVID-19 to exploit cyber vulnerabilities in our K-12 school systems at record levels,” Langevin said in a statement provided to The Hill.

“We must do a better job protecting schools against ransomware, and I will continue working with Rep. Matsui to promote cybersecurity, protect student privacy, and prevent interruptions to distance learning,” he added.

While Levin, who works with school districts to help confront cyber threats, noted that any government funds could be useful, he said it would not be enough to fully address the “wicked problem” of ransomware attacks.

“Schools could benefit from purchasing various cybersecurity products and services that might help protect them. Certainly school districts could use money that might help them implement cybersecurity risk management plans. They could use money to help hire cybersecurity staff,” Levin said.

“In the context of that need, $500 million that would be annually appropriated is not likely to be the whole solution,” he noted.

And while the pandemic has heightened the cyber risks faced by districts, Levin said he’s hopeful that the past year will help bolster defenses for more schools going forward.

“For better or for worse, I think COVID did shine a spotlight on the vulnerability of school district IT systems and data,” Levin said. “I am hopeful that we will take some lessons from this rough last year, and put in place some pieces that will help over the next year.”