It is not the grimmest of milestones in the broader context of the COVID-19 pandemic. But the outbreak has forced many schools to rely, perhaps now more than ever, on digital tools to support instruction. Which, in turn, has made them an increasing target for cyber criminals.
In the 10 days since passing the one-thousand mark, Levin has since added 29 reports to the map. Among the victims: Clark County School District, the fifth-largest U.S. school district, which had sensitive information about students and staff released by a hacker after the district refused to pay a ransom.
While the back-to-school season is usually a popular time for these attacks, the pandemic has painted an even bigger target on districts, says Levin.
“This year has been particularly intense,” he says. “Threat actors are now specifically targeting school districts with some success. School opening is a time of great leverage if you’re trying to extort money because they really can’t afford to be offline when people are trying to get oriented to remote learning.”
In an interview with EdSurge, Levin dives into the details of recent attacks, and how the state of K-12 cybersecurity has evolved since he started tracking these incidents in 2016. He also shares where he’s planning to take this project in the future so that he’s not, in his words, just the “bad news guy.” Below is a transcript of the conversation, which has been edited for clarity.EdSurge: What led you to start tracking these incidents? Could you have foreseen that, four years later, you’d tally over a thousand of them?
Levin: Late in 2016, I started seeing reports from local news sources about school cybersecurity incidents—in particular, W-2 form phishing attacks. These were bad guys who were targeting school districts and getting them to send all of their employees’ tax information.
Then I saw the IRS issued a warning specifically to school districts about this issue, and I don’t ever recall seeing a federal agency sending a warning to schools about cybersecurity, much less the IRS. Then I saw another dozen districts fall victim to this exact same attack after the IRS notice. I thought, all right, the least I could do is help to spread the word.
I went looking to see where else there might be data on school cybersecurity incidents. While I found cybersecurity industry reports that covered education, the way they did it didn’t make sense. They treated K-12 and higher ed as the same. They lumped public and private institutions together. They threw training companies in the mix, and also global incidents. So a higher-ed institution that got hit in South Korea was counted the same as an elementary school in Peoria.
I figured I could do something that made sense for K-12. When I first launched the map at the end of March 2017, there were roughly 100 incidents. I had no idea this would take off the way it did. I had some hypotheses that with more schools being connected to the internet, they would be exposed to these incidents. But I didn’t know how frequently they would be happening.
What kinds of cyberattacks are you seeing these days?
Schools are frustratingly still having issues with denial-of-service attacks. Miami-Dade [Public County Schools] just suffered a pretty high-profile one, which they put on a 16-year-old student in the district.
Student information systems, and those that manage student data have been implicated in attacks. HR and payroll systems have been a frequent target as well. We’ve also seen issues with ransomware and malware, though those tend to happen on Microsoft Windows systems… And email phishing remains exceptionally popular.
A new kind of attack that is COVID-related is what we call “Zoombombing,” but which also occurs on Google, Microsoft, Blackboard or any sort of real-time videoconferencing tools that schools are using. It’s very frustrating. It’s not about stealing data, but these incidents are pretty heinous, especially when young kids are exposed. We wouldn’t tolerate some stranger coming into class and dropping their pants and yelling obscenities. But that’s essentially what we have happening online.
How have K-12 cybersecurity attacks changed over time?
Historically, when school districts suffered cybersecurity incidents, they were not necessarily the target. These were mass phishing email campaigns sent to millions of people, and it just happened to reach into the district.
Now, criminal groups are specifically targeting school districts—doing research on them, finding out who the key employees are, understanding a little bit about the school calendar, and the [vendors and service providers] that the school district contracts with.
It’s one thing for schools to protect against mass, general threats … the sort of bad things that can happen when anyone connects any device to the internet. It’s fundamentally different when the bad guys are actually spending some time and developing tools targeted to school districts.
Are you seeing any changes in the severity or frequency of these attacks?
Ransomware actors are absolutely targeting school districts more frequently—though, in a broader context, lately they have been targeting all kinds of local government agencies, where the infrastructure tends to be older, IT teams tend to be smaller and less focused on security, but where the services they provide are essential to their communities.
When these systems are compromised, officials often feel motivated to resolve the issue by paying. But once they start paying, that emboldens the perpetrators to continue those sorts of attacks. So unfortunately, instead of a virtuous circle, it’s the opposite. It’s a vicious cycle.
There are examples of school districts paying several hundreds of thousands of dollars, others over a million dollars. And that’s led ransomware actors to focus more on the education sector.
Have you seen districts make meaningful strides in beefing up cybersecurity practices?
There have been modest improvements, but I think COVID has probably sidelined what progress we were making. In the spring, when school districts had to pivot to remote learning sometimes literally on a day’s notice, a lot of decisions were made that were not in the best interest of security in order to continue educational services.
Coupled with that are budget pressures. Whatever districts are spending on technology now, it’s likely to secure better internet access or devices for students at home, and not for the sorts of cybersecurity controls that are needed.
When it comes to signals of cybersecurity maturity in the education sector, one can look at dedicated budgets and whether they are cybersecurity experts on staff. One can look at password policies. How long and complex are they required to be? Are they using password managers?
One of the most effective techniques to prevent phishing attacks is second-factor authentication. And, related to that, using single sign-on services. But many school districts are not willing to inconvenience students and teachers to put those sorts of control in place. These practices require training and resources. They may be complicated, but we’re going to have to get there.
Your map is based on publicly disclosed incidents, but you estimate that the actual numbers may be much higher. By how much?
There could easily be 10 to 20 times more incidents occurring in school districts than what I’m reporting. In many cases, public disclosure isn’t required by school districts for a large number of these incidents. As you might imagine, a school district might be reluctant to share that they’ve had some issues, unless they absolutely have to.
I recently wrote about a school district in Ohio that had a ransomware incident. They had no intentions of sharing that information with their school employees or families. They only announced it when local news media covered it. A similar thing happened in Fairfax County. If it weren’t for the media and investigative reporting, that story would have never come to light.
As I talk to district IT leaders, they sort of joke with me. They don’t like seeing their school district on my map. But in moments of candor, they will tell me: “Oh, you have no idea. It is much worse than what you are reporting.”
Unfortunately, it looks like the months ahead will keep you pretty busy. What do you see in the longer term horizon for this project?
It’s absolutely valuable to have data on these issues that can inform decision making by school districts, the vendors that serve them and by policymakers. I’m hoping to continue this work. In some respects, I may be considered sort of a bad news guy. I’m documenting all the issues. You get a pin on the map. If there’s been a news report about you I’ll catalog it, I’ll tweet about it. If something went spectacularly wrong, I might even blog about it.
Now there’s value in raising awareness. But the thing I’m looking to pivot to, in addition to this work, is to provide some support to school districts. I will talk more about this new project soon, but it’s a new nonprofit organization that I’m launching in collaboration with the Global Resilience Federation. They’re in the business of launching threat-intelligence sharing communities.
Essentially this nonprofit would be a private community for school districts to share threat information to help them better protect themselves, to share best practices, and then to work together to help schools and their partners to respond to these threats.
Recently, Senator Mark Warner of Virginia wrote a letter to Education Secretary Betsy DeVos, calling on her to take steps to help schools with cybersecurity, [in light] of the incident at Fairfax County Public Schools in his state. He specifically called for the launch of what he called a K-12 ISAC (Information Sharing and Analysis Center), and that’s what we’re [coincidentally] launching.
We’ve reached out to both the [federal education] department and to Senator Warner’s office. We’re onboarding school districts now; we’re soft launching in October and expect to make a public launch in November.
This is something that exists in other sectors, but not in K-12. So I’m hopeful that this will help in part to address these issues.