Russian cyberattacks on U.S. schools could cause severe disruptions, Mardock noted.
“If schools are forced to go offline and parents can’t go to work because they have to stay home to care for their children, that could have a big impact on the local economy, law enforcement, all sorts of things,” she said. “If I was a bad guy trying to mess with the U.S. and I was using schools as my tool, I would probably try to scare parents, create a lot of fear and uncertainty and distrust. You’re looking to destabilize.”
School districts across the country are trying to shore up their cybersecurity after the federal government’s warning about potential Russian cyberthreats against America’s critical infrastructure.
“Some school districts are taking extra steps to protect themselves, like restricting the ability of traffic from countries beyond the U.S. to connect to school servers,” said Doug Levin, national director of the K-12 Security Information Exchange, a nonprofit organization that tracks cyber incidents affecting public schools in all 50 states.
Districts also are increasing the monitoring of their networks for malicious traffic and trying to share intelligence with their counterparts, as well as with state and federal officials, he added.
“School districts are unlikely to be the direct targets of Russian cyberactivity, but that doesn’t mean they couldn’t be wrapped up in broader attacks against the U.S.,” Levin said.
Districts should be taking heed of the U.S. Cybersecurity and Infrastructure Security Agency’s “Shields Up” warning last month about the growing Russian cyberthreat to organizations, including state and local governments, Levin noted.
The federal agency recommended organizations “adopt a heightened posture” and offered guidance on steps to take, such as updating software, testing backup procedures and ensuring that manual controls are available.
In the past several years, schools have been hit hard by cybercriminals. Some districts have been victimized in ransomware attacks, which hijack computer systems and hold them hostage until the victims pay a ransom or restore the system on their own.
An attack on a school district office can yield sensitive information about students and staff. Districts also can be compromised if students click on phishing links or download malware to school computers.
During the pandemic, there was a rash of attacks against school districts, many of which had switched to virtual learning. That made it easier for hackers because staff, teachers and students often used their own devices on personal networks connected to school systems, but didn’t have the proper security controls.
Some districts were forced to push back school reopening dates. Others that restarted school had to cancel classes for a day or more.
In some ransomware attacks on schools, cybercriminals not only encrypted the data and demanded ransom but also threatened to post sensitive information about students or staffers online if their extortion request wasn’t met. Sometimes, they ended up doing just that.
In October, President Joe Biden signed a law directing the federal cybersecurity agency to study the cyber risks facing elementary and secondary schools and develop recommendations to assist schools in facing those risks.
A March report by Levin’s group found that last year, there were at least 166 publicly disclosed cyber incidents affecting 162 school districts in 38 states. For the first time, ransomware was the most common such incident, often resulting in school closures and recovery costs ranging from hundreds of thousands to many millions of dollars.
In 2021, there were at least 62 reported ransomware cases; in 2018, there were 11, according to Levin.
“There is every reason to expect that, absent significant intervention, cyber incidents will continue to plague school districts, placing members of the public at significant — and avoidable — risk,” the report concluded.
So far this year, at least eight school districts across the U.S. have been victims of ransomware attacks, according to Brett Callow, a threat analyst for cybersecurity company Emsisoft.
Levin said districts should have cybersecurity risk management programs and adopt multifactor authentication — a security technology that confirms identity before someone logs in, usually through a randomized one-time password or number sent to a smartphone or email address.
“Schools have been moving slowly in this area,” he said. “But they can’t wait to implement it, given what’s going on.”
In Austin, Texas, where the school district requires multifactor authentication in its finance, human relations and technology departments, officials said they’re making sure their cybersecurity is even tighter in light of the potential Russian cyberthreat.
“A lot of the ransomware groups are from Russia, and now they have nothing to lose,” said Maxfield Marchlewski, information technology security director of the Austin Independent School District. “We’re taking it very seriously.”
Marchlewski said the district’s firewall vendor has beefed up the network’s IP address blocking and firewalls.
The district also hired a company last month to do penetration testing to look for system vulnerabilities, according to Chief Technology Officer Sean Brinkman. Penetration testing is a simulated cyberattack on a system performed to evaluate its security.
“We knew we wanted to do it before,” Brinkman said. “We finally hit the trigger on it.”
It isn’t just large school systems that are trying to boost their cybersecurity.
In Indiana, the Zionsville Community Schools, which has about 8,000 students, also has been taking more precautions, said Dan Layton, the chief innovation officer.
“Since the Russian attack, we’ve been stepping up, looking for vulnerabilities,” said Layton, who also chairs the Indiana Chief Technology Officer Council, a group of school district technology directors and chief information officers.
The district has started blocking more IP addresses and is continuing to monitor carefully for any signs of ransomware, Layton said.
“We’re making sure we’re keeping our networks buttoned up as best we can,” he said. “We have to be right 100% of the time, and a bad actor only has to be right one time.”
This story was originally published by Stateline, an initiative of The Pew Charitable Trusts, on April 5, 2022.