As Kids Head Back to School, So Do Cyber Gangs—Here’s How Educators Can Fight Back
With ransomware attacks on schools surging, government agencies are stepping in with guidance, though it’s unclear how much of their message is getting through. It’s time to turn up the volume.
As students across the country return to campus for the start of a new school year, administrators are bracing to combat an unsettling trend: the rise of ransomware attacks permeating the education sector.
In June, for example, the Hawai’i Community College network fell victim to a ransomware attack by an unnamed bad actor that compromised personal information of 28,000 individuals. Four months earlier, a ransomware attack struck Gaston College in North Carolina; the Snatch ransomware group later claimed responsibility and exposed personal information from its databases, including Social Security numbers, posting them on the dark web. This attack shut down various systems for faculty and students and took on-campus Wi-Fi offline for several weeks.
From January through June, more than 120 schools—both K-12 and higher education institutions—suffered ransomware attacks, a significant spike from the 188 total incidents reported in 2022, according to a recent report from the Global Resilience Federation (GRF). This increase propelled the education sector from No. 7 to No. 6 in GRF’s total attacks per sector compared to the previous reporting period.
Having tracked these trends, the U.S. government is initiating what seems to be a full-court press on the problem. In recent months, the White House, the Federal Bureau of Investigation (FBI), the Department of Education (DOE) and other agencies have issued a series of plans, strategies, and guidebooks to help educate the educators on cybersecurity best practices.
But are they heeding the call? Or, more to the point, have they even heard it?
“I’ve long held the belief that the government would benefit from the creation of a chief marketing officer to more effectively socialize the incredible work it accomplishes,” says Parham Eftekhari, founder and chairman at the Institute for Critical Infrastructure Technology (ICIT). The sheer volume of resources coming out of government, he contends, is hobbled by limited marketing and communications. “It’s challenging for stakeholders in any sector to have full situational awareness of the guidance materials that are available,” he says.
That’s got to change, cybersecurity experts assert. The education sector is too tempting a target, and cybercriminals are wasting no time squeezing schools for every gigabyte of data they can get.
Why cyber gangs target schools—and when
The impact of ransomware attacks on schools is significant. According to the U.S. Government Accountability Office (GAO), the loss of learning following a cyberattack ranged from three days to three weeks, full recovery from the event took up to nine months, and school financial losses ranged from $50,000 to $1 million.
“The education sector is an attractive target for several reasons, but the primary one is the relatively high return on investment, given the sheer amount of student data that can be sold,” says Doug Thompson, chief education architect at cybersecurity software firm Tanium (which publishes this magazine). Timing, he adds, is another factor.
Whereas a company’s most vulnerable period can be hard to predict—it requires knowledge of the inner workings of a firm and the industry at large—schools are on schedules. “Attacks tend to strike at the beginning of the school year and the start of the spring semester, when vast numbers of new students arrive on campus, faculties change, and the existing IT staff is tied up with mundane tasks like password resets and basic system maintenance,” says Thompson.
This rise in ransomware attacks has also impacted cyber insurance premiums, which increased a staggering 51%, according to a Fitch Ratings report. Thompson advises educational institutions to rely more on investing in personnel, tools, and resources other than cyber insurance to combat this trend. “We’ve started to see a forced paradigm shift away from this model due to the increasing severity of rising cyber insurance costs coupled with the transition from malicious encryption to outright data theft by threat actors,” he says.
Spearheading these threats to the education sector is Vice Society, a ransomware group known more for extortion attacks on the healthcare and manufacturing industries. According to a joint report published last fall from the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and Multi-State Information Sharing and Analysis Center, Vice Society orchestrated 21 ransomware attacks against the education sector in the second half of 2022 and 15 incidents in the first half of 2023. Following closely in Vice Society’s wake is LockBit 3.0, a ransomware group that accounted for 13 incidents in the first of 2022 and 25 incidents in the first half of 2023. The Cl0p ransomware group (most recently linked to the MOVEit breach) also surged ahead in the first half of this year with 13 incidents, the report finds.
Federal and state plans help education counter cyber risks
With ransomware attacks on the rise, GRF’s report underscores the need for robust defenses, proactive policies, and industrywide collaboration.
It’s challenging for stakeholders in any sector to have full situational awareness of the guidance materials that are available.
In July, the White House released its National Cybersecurity Strategy Implementation Plan, which identified the nation’s critical infrastructures as its first pillar of defense and emphasized the need to fortify national security and public safety. It calls for standardizing cybersecurity across these essential sectors and identifies investments in collaboration and cybersecurity workforce development as essential actions to safeguard the nation’s critical infrastructure.
In a bid to fortify the cybersecurity defenses of the nation’s K-12 school systems, the Biden administration announced in August a series of strategic actions and resource commitments. Leading the initiative, Federal Communications Commission Chairwoman Jessica Rosenworcel proposed a pilot program under the Universal Service Fund that aims to allocate up to $200 million over three years for cyberdefenses in K-12 schools and libraries.
To ensure effective coordination between federal, state, local, tribal, and territorial education leaders, the DOE also plans to establish a Government Coordinating Council. The GCC will spearhead efforts to reinforce the cybersecurity resilience of K-12 schools by facilitating communication, policy formulation, and collaborative activities, the DOE says.
In addition, the DOE and the CISA have jointly released comprehensive guidance materials and have committed to providing tailored assessments, conducting cyber exercises, and delivering cybersecurity training for 300 new K-12 entities in the upcoming school year. The FBI and the National Guard Bureau are also contributing to the effort by updating resource guides to ensure that state officials have the resources to report cybersecurity incidents and harness federal cyberdefense capabilities effectively.
Boosting school defenses starts here
Some of these government initiatives may in part be fueled by a troubling GAO report released last year, in which the watchdog agency outlined a major communications gap. “There are no formal channels for how agencies coordinate with each other or with K-12 schools to address cybersecurity risks or incidents,” the report stated. The GAO offered recommendations to improve how agencies coordinate cybersecurity assistance.
Attacks tend to strike at the beginning of the school year and the start of the spring semester, when vast numbers of new students arrive on campus.
Another obstacle, less discussed yet significant, is school administrators’ receptiveness to what must seem an onslaught of new and complex information. Despite its critical importance, the guidance being released from government agencies can feel overwhelming to some, the ICIT’s Eftekhari concedes.
There are, however, some relatively simple first steps that even the least cyber-savvy leaders can take to bolster school defenses. Start with these four:
1. Keep tabs on new information
Educators should sign up for alerts from agencies, including the National Institute of Standards and Technology (NIST), CISA, DOE, and ICIT to diversify their information channels, Eftekhari says. He also suggests setting up Google Alerts for relevant keywords, such as “education sector cybersecurity” and “federal guidance cybersecurity educators” to stay on top of the latest news and information.
2. Cultivate cybersecurity interest early
Educators should consider how school curriculum and extracurricular activities can drive interest and enthusiasm for science- and math-based careers, Eftekhari says. “While CISA, NIST, Education, and other agencies have and will continue to support programs around cybersecurity education and workforce development, there is a sense of urgency for educators to innovate and usher in a new era of digital learning.”
3. Invest in more than just devices
Too often, schools are laser-focused on getting X number of computers in classrooms to facilitate student learning, notes Tanium’s Thompson. “Classroom technology without the equivalent safeguards in place is more dangerous than a lack of devices,” he says.
So how do schools with limited budgets afford expensive cybersecurity platforms and IT personnel? They share.
In what is now a growing trend, many municipalities and K-12 school districts are adopting a “whole-of-state” solution by banding together and pooling resources. This approach encourages a state to provide support for cybersecurity management of smaller local government groups, schools, and tribal entities, by offering pre-approved tools, threat intelligence and secure reporting, training, or funding, to boost cyberdefenses.
[Read also: A practical guide to building a whole-of-state cybersecurity strategy]
4. Lean on experts
Reach out to a local FBI field agent and regional CISA for additional advice on where to start in boosting the school’s cybersecurity defenses, Eftekhari adds. Other expertise can be found at associations like the National Association of Counties and the Association of School Business.
Educators should also seek out a local chapter of a cybersecurity group—InfraGard, Cybersecurity Collaboration Forums, ISACA, ISC2, to name just a few—and see what resources and support they can provide. Like students who may initially feel timid about exploring extracurricular activities, school officials will find such outreach efforts well worth the time, Eftekhari advises.
“The cybersecurity community is a welcoming and community-oriented network of professionals,” he says. “They are almost always willing to spend time in support of our shared mission of resiliency and national security.”