After a ransomware attack caused Albuquerque Public Schools, the largest district in New Mexico, to close for two days in mid-January, K-12 cybersecurity experts stress cyberattacks against schools will only likely worsen in 2022.
The district “worked around the clock” with third-party experts to restore systems taken over by the ransomware attack, APS said in a statement. The compromised systems included those for managing safety procedures such as taking attendance, reaching out to family emergency contacts and assuring which authorized adults could pick students up from school, according to the district.
The district said it could not disclose further details about the ransomware attack because it is an ongoing investigation. Meanwhile, Albuquerque students must make up missed “cybersecurity snow days” at the end of this school year.
Earlier in January, the Albuquerque Bernalillo County government offices also faced a ransomware attack temporarily closing many county buildings, according to a county news release.
As schools nationwide increased reliance on remote learning throughout the pandemic, they have likely become more susceptible to cyberattacks, according to a December 2020 joint report by the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Multi-State Information Sharing and Analysis Center.
Schools have not always been a target, but now cybercriminals see K-12 as “low hanging fruit,” and an easy means to take money from a district is by withholding data or completing a ransomware attack, said Eric Lankford, regional director of K12 Security Information Exchange, a nonprofit focused on helping prevent cyberattacks in school districts.
When there’s a security gap and a district begins transitioning to remote learning, criminals will find ways to seize on opportunities, said Sara Spencer, CEO of SolonTek, a cybersecurity software provider. Schools, just like hospitals, gas pipelines and other critical institutions and services, could also be targeted by countries, such as China, Russia or Iran, she said.
“If we’re not secure and we don’t secure our systems, then I would expect nation-state actors to also take advantage of these environments, like schools,” Spencer said.
Securing K-12 cybersecurity funds
Most K-12 schools do not have a dedicated staff member or budget for cybersecurity, Lankford said. But there are some federal funds funneling in that districts can use.
The two-month-old Infrastructure Investment and Jobs Act is set to provide $1 billion in federal grants to improve state and local government cybersecurity between 2022 and 2025. States must also match a certain percentage of the grants. But while this federal funding is available, it’s not easily accessible for districts, Lankford said.
To secure funds, states will have to submit a plan to the Cybersecurity and Infrastructure Security Agency with a statewide planning committee that represents a wide array of people, he said. And at least half of those members must also have experience in IT or cybersecurity.
“What we’re recommending is that schools reach out to their state CIO, CISO [chief information security officer], and say, ‘Hey, look I’m willing to serve as a public education representative on that planning committee,’” Lankford said. “That’s one source of funding. Is it guaranteed? Is it going to be very much? No.”
Lankford said he’s hopeful the report mandated by the K-12 Cybersecurity Act passed in October will open more people’s eyes to the matter since the issue will be backed by a government study.
“Everybody around K-12 understands physical security,” he said. “Cybersecurity needs to have the same urgency and importance as physical security.”
Working with available resources
If more federal dollars become available for K-12 cybersecurity, it’s important those funds are spent in the right way, Lankford said. Schools need to first focus on the basics, which include looking closely at third-party vendor security measures.
Some basic ways to enhance K-12 cybersecurity include issuing students laptops controlled by virtual private networks, Spencer said.
Multi-factor authentication can prevent 90% of cyberattacks, she said. It’s also key for districts to begin integrating cybersecurity education into classes to prevent ransomware attacks that can start through phishing emails sent to students.
While there are a lot of free resources available through CISA, nonprofits and ed tech companies to help districts navigate cybersecurity needs, Spencer said there’s still not enough federal funding.
It’s also possible districts could address cybersecurity needs by using available funds from the $122.7 billion awarded to districts nationwide in supplemental Elementary and Secondary School Emergency Relief aid provided through the American Rescue Plan, said Robert Redd, senior director of enterprise networking at ConvergeOne, an IT services provider.
Redd considers cybersecurity a way to prevent learning loss, as cyberattacks can cause districts to shut down for days. But addressing K-12 cybersecurity is going to take a collaborative effort among federal, state and local agencies as well as ed tech companies, he said.
“It’s going to continue to be a staggering problem because it’s so lucrative. The target is learning and education,” Redd said. “Districts need to have an answer.”