Originally published in Democracy Journal on December 11, 2019.
In September, in a small school district located in the Missouri Ozarks, computer printers started mysteriously shooting out ransom letters. The pages instructed their recipients to send an email in exchange for a code, which would then show that hackers had taken control of their files. The district would have to pay up, the hackers said, to get the data back.
That same month, a small school district located in the Pocono Mountains of Northeastern Pennsylvania was hit by a different ransomware attack, forcing schools to close and the district’s 3,000 computers to shut down.
The damage from these attacks turned out to be relatively limited, but it came on the heels of bigger cybersecurity breaches this past summer, like when computers in the Syracuse City School District—one of the largest in New York—were also crippled from a ransomware attack. The school district was locked out of its own computer system, and ended up paying the hackers a $50,000 insurance premium to get back in. The same month, Louisiana’s Democratic Governor John Bel Edwards declared a state of emergency after a malware virus attacked several schools, knocking out their computers. This declaration enabled the state to pool experts and resources from the Louisiana National Guard and the Louisiana State Police, among others.
Cybersecurity attacks on schools are new, coming with increasing aggression and frequency, and schools’ ability to withstand them varies dramatically across the country. Sometimes it’s criminals looking to make easy cash or simply inspire fear—capitalizing on schools’ lack of sophisticated defenses. Sometimes it’s members of a school community carrying or causing the data breaches themselves.
The risks presented are not just mild inconveniences. Recognizing schools’ dependence on computers and Internet access, administrators have grown acutely aware that their institutions are now extremely vulnerable to lengthy closures, crippled operations, and costly litigation. According to the K12 Cybersecurity Resource Center, U.S. schools reported 122 cybersecurity incidents in 2018, resulting in the theft of millions of taxpayer dollars, stolen identities, tax fraud, and altered school records. Experts believe this figure significantly understates the real number of attacks, as many incidents are not even reported publicly.
“Is it as bad as it sounds?” said Lee McKnight, a cybersecurity expert and professor in the School of Information Studies at Syracuse University. “It’s worse. It’s a complete mess, and anyone in IT who hasn’t been hit is not sleeping well because they know there’s a target on their backs.”
While the available data is not great, experts know the problems have grown even more severe in the last twelve months. Doug Levin, president of EdTech Strategies, and author of the K12 Cybersecurity Resource Center report, told me when I spoke to him in September that he’s already tracked more than twice as many incidents this year as compared to 2018, with a particular increase in third-party vendor breaches and a spike in ransomware attacks.
When it comes to the risk of a mass shooting in school, politicians and the media have been known to greatly exaggerate the chances of future attacks. Despite the wall-to-wall panicked coverage, particularly following the horrific Parkland, Florida massacre in 2018, a study released this year from the U.S. Centers for Disease Control and Prevention found multiple-victim school shootings are still extremely rare events, accounting for less than 2 percent of all youth homicides in the country.
But that’s not the case with school cybersecurity attacks.
Amelia Vance, director of the Education Privacy Project at the Future of Privacy Forum, a D.C.-based think tank, agrees the “risk is definitely not exaggerated.”
Vance started working on student privacy issues about six years ago, and says she observed a real shift in the school cybersecurity conversation around fall 2017, when rural school districts in Iowa, Montana, Texas, and Alabama were all attacked by an international cyberhacking organization called The Dark Overlord. A few months earlier The Dark Overlord earned national attention for releasing forthcoming episodes of “Orange Is The New Black,” a popular Netflix show, after Netflix refused to pay their ransom demand. The Dark Overlord took to Twitter after this incident to suggest other television networks would face similar fates. “Oh, what fun we’re all going to have,” it wrote.
By autumn, the international cybercriminals had moved on to public schools. Parents in the Johnston Community School District in Iowa suddenly began receiving threatening text messages, sent by the hackers who had stolen student data. Examples of texts included “I’m going to kill some kids at your son’s high school” and “Your child is still so innocent. Don’t have anyone look outside.” Other texts sent to the parents went further, citing their children by name and school.
Nobody knew who was behind this harassment at first, and the Johnston school district shut down the following day. One day after that The Dark Overlord claimed responsibility for the attack on Twitter, and dumped student names, addresses, and telephone numbers online so as to make it easy for “any child predator to easily acquire new targets,” they claimed. The data had been compromised by a third-party vendor that worked with the school district.
Around the same time in Montana, more than 30 schools in the Columbia Falls School District closed after data was stolen, with parents again receiving graphic threats on their phones. The hackers demanded $150,000 in bitcoin in a seven-page ransom letter, and told a local reporter that they attacked the school district to rouse fear and make the government look bad. “The quaint, small, backwoods region of the US like yours is prime hunting grounds,” The Dark Overlord said. “This incident is the last thing you will expect to happen here.”
Their motivation for this particular attack appeared, in part, to be an effort to punish the FBI. “We’re escalating the intensity of our strategy in response to the FBI’s persistence in persuading clients away from us,” a Dark Overlord hacker told the Daily Beast at the time.
Like in physical kidnappings, the FBI discourages schools and other institutions from paying ransom in response to cyberattacks, noting it’s no guarantee an organization will even get its data back, and it can embolden other criminals to target more places. But sometimes school districts feel they have no choice but to pay up in order to resume operations.
Levin of EdTech Strategies has worked in education technology for upwards of the last 25 years, doing jobs like helping connect schools to the Internet, developing digital textbooks and tests, and serving as executive director of the State Educational Technology Directors Association, which represents technologists working in state education agencies. “Cybersecurity never came up,” says Levin. “in the 1990s and 2000s, not at all.”
“I used to talk to superintendents and they’d say, ‘All we have is student names and email addresses, and how children scored on this quiz, nobody cares about that information,’” added Vance.
“They’d think because they didn’t have credit card numbers, or Social Security numbers, nobody would try and steal it. That attitude has changed dramatically.”
Keith Krueger, the CEO of the Consortium for School Networking, a national nonprofit that represents technology leaders working in U.S. public schools, agrees. “We’ve administered a national survey to district technology leaders for the last seven years and cybersecurity was never on the list of top priorities,” he tells me. “About three years ago it became a number 3 priority, last year it became number 2 priority, and this year it was the number one stated priority.” For people in charge of technology in schools, Krueger stressed, “Cybersecurity has become front and center, and is no longer seen as something we should maybe do, but something we have to address.”
Levin started noticing more local news stories about school cyberattacks near the end of 2016—stories like hackers posing as superintendents and sending phishing emails to business office staff. The fake superintendents would claim there had been an emergency and that they needed to be sent a PDF of all the school employees’ W-2s as fast as possible.
Levin grew more curious, and soon he realized there was no comprehensive data available on how common these attacks actually were. He started to compile the incidents he could find in the news and other public sources, and today he manages an interactive map of nearly 700 reported cybersecurity-related incidents dating back to January 2016.
While international cybercriminals tend to generate headlines, unknown actors cyberhacking for malicious purposes actually comprised just about a quarter of all the data breaches Levin tracked. By contrast, in 2018, he found that just over half of all digital data breach incidents in public schools were directly carried out or caused by members of staff or students in the affected schools.
“Mostly when staff are involved it’s because they made a mistake, but occasionally it’s because they have an axe to grind, like sometimes you have disgruntled employees who were fired so they release or take data they shouldn’t,” he says. “Sometimes you have more sophisticated hacking from students, who break in to access, review or change student records.”
Levin thinks what he has tracked is much lower than the actual number. Local news coverage has declined dramatically, and even if school districts report an incident to a state agency, that doesn’t mean that incident is ever reported publicly. In North Carolina, for example, Levin noticed that the state’s Department of Justice had released a report on 2017 data breaches and its figure was ten times greater than what he had counted in the news. But when Levin’s colleague filed a Freedom of Information Request to learn about the other incidents, they were largely stonewalled.
In the last two years, Illinois, Texas, and Missouri have passed laws requiring states to notify parents if there has been a school data breach, but most states don’t have such disclosure mandates.
Despite a growing recognition that cybersecurity is a real issue, addressing cybersecurity concerns is not so easy—particularly for strapped, small school districts.
“If you look at this issue over time, hospitals were getting hit by ransomware several years ago,” said McKnight of Syracuse University. “You don’t hear about that so much anymore. You know who has money to improve their security systems and has the funds to hire and train staff? Hospitals.”
Schools, by contrast, are typically much more constrained in how they can afford to respond. This basic reality is also what makes schools such easy targets for hackers looking to make a quick buck, even if schools may be less likely to have the kind of credit card information that cybercriminals typically go for. “School districts are often a city’s largest employer, and many times they lack technical expertise while managing a lot of staff and data,” said Krueger. “In a lot of ways schools are just low-hanging fruit,” adds Vance.
The challenges are particularly acute for smaller districts, most of which lack the funds to hire an individual or a team of experts dedicated to cybersecurity. Nearly two-thirds of U.S. school districts serve fewer than 2,500 students.
Another challenge is simply getting tiny, rural districts to accept that they, too, could be attacked. “Why this little school in Akron, Ohio?” asked Kelly Kendrick, the technology director for the Coventry Local School District, after its schools closed in May due to a malware virus. “It has really opened my eyes to how data of any kind is marketable, sellable.”
This realization Kendrick describes is key, Vance agrees. Yes, a criminal might not be able to run off with your bank account information if they hack a school district server, but “a lot of information is private because we don’t want our neighbors to know it,” she said. “Like maybe I don’t want my friends to know that I have trouble reading, or back in the second grade I slapped someone.”
Could part of the problem be that schools just have too much data? Is our data-driven policy culture leaving schools overly and unduly exposed?
It’s certainly true that schools, under real pressure to be innovative and forward-thinking, often adopt new education technology tools that some families fear are too invasive, or too vulnerable to hacking. For example, some schools use e-Hallpass, which digitally tracks student visits to the bathroom, the nurse’s office, and elsewhere. The company emphasizes that it is a more sanitary and efficient way to administer hall passes, that it is committed to student privacy and does not use GPS or other locating tracking services. But those assurances haven’t put everyone at ease.
Some parents have been organizing across the country to stop states from sharing personal student data with for-profit data-mining vendors. The Parent Coalition for Student Privacy was founded in 2014 by two parents in New York and Colorado, and advocates have since written letters to Congress to strengthen federal student privacy rights, disseminated resources to parents, and developed student privacy principles for schools, education agencies, and third-party vendors.
Yet while student privacy concerns around ed tech tools add more complexity to the cybersecurity situation, experts say they are overlapping but distinct issues. Even with strong student privacy laws and enforcement, and even if schools cut down or eliminated the use of apps that store chat logs and other student data, school districts would still have serious cybersecurity concerns to deal with.
“I don’t think it’s an issue of collecting too much information,” says Eva Vincze, a faculty member in the cybersecurity and police and security studies programs at George Washington University. “It really just goes back to that issue of people thinking we’re not big enough for anyone to care about us, because we’re small.”
That’s not to say there aren’t safer measures schools can take with the data they collect. Cybersecurity experts like McKnight say there should be basic “cyber hygiene” such as data backups and storing information on cloud servers.
“Data collection is important, but schools should only be collecting the information that they need to answer particular questions, and some of that is mandated by federal law,” says Vance. “Basically schools should figure out what data is so sensitive that they shouldn’t have it at all, figure out at what point data should be deleted, and figure out who in a district should have access to what information.”
Another challenge is figuring out how to get the right advice. It’s not easy for districts to attract and retain skilled cybersecurity experts, since those professionals can usually earn much more money out in the private sector. “It’s not unusual for technology leaders to cut their teeth in education and then go get a better paying job elsewhere,” said Levin.
And even if all districts did somehow find the funds to hire cybersecurity experts at top dollar, there aren’t actually enough trained people in the country to take those jobs on. “We’ll never have a Chief Technology Officer for every school district, the private sector can’t even do it,” said Levin. “It will have to be some sort of coordinated response, sort of like what Louisiana did this summer but not as an emergency.”
“Not every district needs a cybersecurity expert,” Vance agrees. “What is needed is useful resources and templates and almost like plug-and-play supports that outside organizations and the government can provide.”
Lan Jenson, CEO of Adaptable Security, a nonprofit, is trying to be part of that plug-and-play vision. She founded her organization in 2017 with the goal of helping governments, schools, and small businesses navigate cyber-threats without breaking the bank. Unlike the school IT specialist who then goes to work for the private sector, Jenson started her career handling cybersecurity for a well-heeled financial institution.
“But financial companies have major resources, and governments and small businesses and schools are left behind,” she explained. So Jenson and a group of similarly motivated experts started Adaptable Security with the hope of providing assistance to more vulnerable institutions. “A lot of these leaders have some money, but they don’t have so much money, and they are trying to figure out what it would look like if we pool our resources,” she said. “They are willing to do something bigger, something shareable, and even though they may have that vision, everyone is so busy and wears multiple hats, so they don’t have anyone to be the coordinator. We’re trying to be that.”
So far Adaptable Security is working with 12 counties and a few core cities in the Bay Area, and Jenson hopes to scale the public-private model up nationally if it proves effective. In early October, her group sponsored the second annual Cybersecurity Symposium for Smart Cities, a free-to-attend, volunteer-led conference hosted in San Jose for school districts, small businesses, nonprofits, and local governments. Last year 250 people turned out, and this year more than 500 did—reflecting the growing awareness and concern.
McKnight of Syracuse University thinks public-private partnerships are the best way to move forward, especially since federal agencies like the Department of Homeland Security are not the most popular with all communities across the country.
“We need more federal investment, but in partnership with nonprofits,” he said. “This is a democracy issue, a civil society issue. Things have to change because there’s no way every little school district will be able to do it on their own, and there’s no way to channel help from the federal level directly down everywhere—you need some new pluralistic entities to come in the middle.”
And there has been recent movement on the federal level. In the fall of 2018, Senate Minority Leader Charles Schumer called on the Department of Homeland Security to investigate the more than 50 New York school districts that were hit that year with a type of cyberattack known as Distributed Denial of Service (DDOS). These attacks caused Internet outages within schools by overloading the systems with traffic, though no information was actually released.
In June, House lawmakers passed a bill—the Department of Homeland Security Cyber Incident Response Teams Act—to establish a permanent team of security specialists that agencies could call on when their technology gets hacked. A Senate version was approved in late September. Senator Schumer, who backed the bill, also recently called on the FBI to help school districts and local governments better respond to attacks. “It’s time to hit ‘control-alt-delete’ on ransomware and take a megabyte out of hackers,” he said in a particularly corny statement.
Also in September, the Consortium for School Networking submitted public comments to the Federal Communications Commission (FCC), requesting a change to the Schools and Libraries Program, more commonly known as E-Rate. At nearly $4 billion annually, E-Rate is the biggest federal subsidy program to help public schools and libraries manage the cost of connecting to the Internet. But cybersecurity is not among the list of eligible E-Rate discounted services, and the Consortium for School Networking argues that the requirements and limitations of E-Rate heavily influence how schools then deploy basic cybersecurity tools.
The organization told the FCC that while the federal government should not be expected to cover all aspects of cybersecurity, “several simple changes to the E-Rate program would have a very profound impact on the ability of school systems to protect and defend their networks and systems from cyberattacks.” For example, the Consortium for School Networking requested an expansion in the range of firewall services that can be reimbursed through E-Rate. Right now schools can reimburse for “basic firewall” services, but that category excludes a number of features typically found under the banner of “standard firewall” services—like anti-virus and malware protection, and data loss prevention.
As school districts move forward, leaders will have to be on guard for security grifters who are looking to sell expensive, ineffective products that capitalize on communities’ growing fears.
“There will always be markets for that, and there are always security services out there to scare you or just to convince you to buy things,” says Vincze of George Washington University.
“My fear is that without real leadership support, without IT staff with capacity, these security tools will probably not be put to their best use, and will be expensive,” says Levin.
While cybersecurity experts have been stressing that the problems are serious and demand action to mitigate risk and damage—at the end of the day, they say, no school should expect to be completely risk-free.
“Bad things happen,” says Vance. “We need to be humble. If Target and Wal-mart and big credit card companies can be hacked, so can a school district.”