Shadowy criminal gangs with sinister names like The Dark Overlord are terrorizing schools. They hack into district networks and then demand hundreds of thousands of dollars in ransom payments, making threats of terrible consequences if schools do not agree to hand over the money.
It鈥檚 a growing problem that鈥檚 now tougher to tackle as districts lean further into the use of technology for teaching and learning and the management of schools and cyber criminals get craftier and more sophisticated. And, more and more, it is becoming a problem faced by districts of all sizes, all across the country.
鈥淚t is a bit of a cat-and-mouse game, meaning that as people learn how to protect themselves from attacks, the [bad] actors change their tactics and get more sophisticated,鈥 said Doug Levin, the national director of the K12 Security Information Exchange (K12 SIX) and one of the top experts in the country about cybersecurity for K-12 schools.
The increasing number of attacks and their growing complexity have big implications for teaching and learning, school budgets, parent communication, and the protection of sensitive data about students and employees.
But taking on the problem is expensive, tedious, and often thankless. Administrators鈥 and teachers鈥 eyes鈥 tend to glaze over when district IT workers start telling them about effective cybersecurity practices and how they should put them in place.
鈥淚t鈥檚 almost like a foreign language,鈥 said Ryan Cloutier, the president of SecurityStudio, which works with districts on cybersecurity. 鈥淓ven the biggest companies in the world struggle with this. There鈥檚 not enough time, dollars, or hours to address everything.鈥
It is a bit of a cat-and-mouse game, meaning that as people learn how to protect themselves from attacks, the [bad] actors change their tactics and get more sophisticated.
Why do hackers go after schools?
K-12 schools make tempting targets, in large part, because they have loads of data. And in most cases these days, nearly every computer system that stores data鈥攆rom gradebooks to door locks to salary information鈥攔elies on some sort of online network that is capable of being hacked.
To complicate matters, districts became much more reliant on technology during the pandemic, when they handed out millions of digital devices for remote learning, set up WiFi hotspots around their communities for students to access, and dramatically increased their use of online programs and apps for instruction.
Those changes have opened the doors much wider for hackers to infiltrate districts鈥 computer networks. And all it takes is for one teacher, student, or parent to click on a phishing email created by a cyber criminal and a ransomware attack could be underway.
Increasingly, education and technology companies that work with K-12 schools are also being targeted. In January of 2022, roughly 5,000 schools and colleges saw their websites go dark when a ransomware attack targeted Finalsite, a private company that provides webhosting and other communications services.
Who are the cyber criminals targeting schools?
Hackers can be disgruntled鈥or just bored鈥 students. Some have high-level computer skills, others may have stumbled on a teacher鈥檚 password.
They can also be low-level cyber criminals who send millions of spam emails to every single address they can find that include malicious attachments aimed at spreading viruses to help them harvest people鈥檚 credentials or steal money. Or they may pose as a popular company, say, Netflix, asking for a payment or credit card information. These hackers may not realize鈥 or care鈥攖hat they are reaching out to school districts. They are just trying to get someone, anyone, to fall for their scam.
Probably most menacing of all: in countries that are tough for U.S. law enforcement to reach. (Think Russia and China, among many others.) These hackers often know they are targeting schools and may do research into what education or technology companies work with a specific district and which staff members are responsible for handling financial transactions for the district.
Their crimes can take all sorts of forms. They may attack a district鈥檚 system with malware and . Or, using a real invoice from an actual education or technology company, they may change a bank routing number so that a district鈥檚 , and not the company鈥檚.
鈥淎 5-year-old today, if their information is stolen, maybe 20 years from now, they'll find out that they own a property in Las Vegas."
What are the common types of cyberattacks?
Data breach鈥This is what many people think of as the classic 鈥渉ack.鈥 Someone who is not authorized to see or change certain types of data breaks into a district or school鈥檚 system and copies, steals, transmits, changes, or just views the data. These attacks make up a little more than a third鈥36 percent鈥攐f all reported cyberattacks on schools,
The hackers can be sophisticated international criminals planning to steal staff and student data, or simply a high school student who retrieved a teacher鈥檚 password and logged in to the district or school network to change some grades.
And there are some bizarre twists to hacker personas. For instance, a mother in Florida, who also happened to be an assistant principal in the district, used her official district credentials to change the results of a student vote to .
Of course, the motivation behind hacks can be a lot more serious. Criminals may sell student and staff data to be used in identity theft.
Student data are especially valuable to identity thieves, said Rod Russeau, the director of technology and information services for Community High School District 99, near Chicago. That鈥檚 because credit checks are rarely conducted on children, so the fraud may not be discovered for years.
鈥淎 5-year-old today, if their information is stolen, maybe 20 years from now, they鈥檒l find out that they own a property in Las Vegas,鈥 Russeau said.
For instance, just last year, parents in in the names of their children, who are in elementary school.
搁补苍蝉辞尘飞补谤别鈥These are the attacks that typically get the big headlines. Cyber criminals break into a district or school鈥檚 network and take data and encrypt it, essentially preventing the district from accessing the data. They agree to decrypt and return the data if the district鈥攐r its insurance company鈥 pays a ransom, often in the hundreds of thousands of dollars. If school districts do not have a system that backs up their data and they choose not to pay the ransom, that data can be lost forever. Some of these attacks are becoming sophisticated enough to go after a district鈥檚 back-up data too, so that districts don鈥檛 have the option of using them to restore their systems. And sometimes a particularly sophisticated attack can happen multiple times.
Attackers may also threaten to release student and employee data to the public if they aren鈥檛 paid鈥攁nd some have made good on those threats. In 2021, hackers demanded $40 million from Florida鈥檚 Broward County School District, later lowering their price to $10 million. After the district offered to pay a smaller sum, the hackers published nearly 26,000 stolen files, And back in 2017, hackers sent personalized texts to parents in Iowa and other states threatening their children,
Denial of service鈥Cyber attackers inundate a district鈥檚 network by flooding it with unnecessary and meaningless requests until it either can鈥檛 respond to other users, or just completely crashes. That might block staffers, parents, students, and others from using district email, websites, and online accounts (including banking).
These days, you can even hire someone to carry out a denial-of -service attack for you, Cloutier said. A disgruntled student, parent, or employee could 鈥渆xecute a cyberattack for as little as five to ten dollars without any understanding of what was actually happening behind the scenes,鈥 he said.
Denial-of-service attacks made up 5 percent of reported incidents in K-12 education in 2020, according to K12 SIX. Often, the perpetrators are locals such as a student possibly looking for a day off from school, said Amy McLaughlin, the cybersecurity director for the Consortium for School Networking, a group that represents chief technology officers in school districts.
Other types of attacks鈥Schools also grapple with 鈥渃lass invasions,鈥 (also known as 鈥Zoombombing鈥) where an unauthorized person jumps into an online class, sometimes spouting hate speech, showing pornographic images, or shouting threats. Often, the attackers are just looking to disrupt class, get a laugh, or make students and teachers uncomfortable.
A close cousin to that approach: 鈥淢eeting invasions,鈥 which target virtual school board or PTA meetings, and other online events, often not for any specific reason other than to irritate district officials.
Hackers may also send bulk emails to parents, students, and district employees filled with inappropriate content, frequently as a prank.
Similarly, district websites can be taken over by offshore political groups using them to espouse propaganda, or maybe by students making fun of the district, Levin said.
And a more recent development: 鈥渉acktivism,鈥 in which a district may get hacked in protest of its stance on, say, COVID mask-wearing or curriculum changes.
What鈥檚 the impact of these attacks?
A lot of wasted time and money.
It鈥檚 not unusual for schools to close during a cyberattack, while the district works to get itself back up and running. In January of 2022, the Albuquerque, N.M., public schools, the largest district in the state, shut down for two days . That kind of closure is particularly tough to swallow when students are struggling to regain their academic footing due to the pandemic.
In the business world, cyberattacks mean lost profits, but 鈥渋n the school world we lose the ability to deliver learning,鈥 Cloutier said.
That鈥檚 not to say there isn鈥檛 a financial hit as well. The 鈥渓oss of a day of school is worth thousands to millions of dollars, depending on the size of your district,鈥 McLaughlin said.
What鈥檚 more, districts are finding that cybersecurity insurance costs are on the rise, she added. Insurance companies increasingly expect districts to have their own security systems in place before they will take them on as clients. For organizations that don鈥檛 have certain protections in place, premiums rose by as much as 300 percent over the past year,
McLaughlin credited those price hikes to a 鈥渕aturing market鈥 for cybersecurity insurance. In the past, districts assumed they didn鈥檛 need to worry much about risks, since they had insurance. Now, cybersecurity insurance is becoming more like, say, homeowners鈥 insurance, where policyholders will get a better deal if they have protections in place such as sprinklers and alarm systems.
You can invest billions of dollars in all of the highest-level, most sophisticated firewalls and detection mechanisms. And invariably, a phishing email is going to get through.
Cybersecurity measures: How can districts and schools protect themselves?
There鈥檚 no way to eliminate risk, only to mitigate it. But districts should still take steps to protect themselves, experts say.
鈥淵ou could do everything perfectly and you may still have a problem,鈥 McLaughlin said. By having safeguards in place, 鈥測ou鈥檙e gonna be less of a juicy target than somebody else.鈥
There鈥檚 a lot that districts can do that鈥檚 low-cost or free, Cloutier pointed out.
One good place to start: A risk assessment, to give districts an 鈥渦nderstanding of what they have, where is it? How valuable is it to the district, and then, in turn, to a criminal?鈥 Cloutier said.
Districts also need to have a technology and communications strategy in place for how they would respond to a cyberattack, and practice that plan, just as they would a fire or active-shooter drill.
The plan doesn鈥檛 have to be a 鈥淣obel Prize-winning document,鈥 Russeau said. A one- or two-page description of how the district will handle various types of cyberattacks would work.
And even though hackers have started infiltrating and monkeying with district back-up data, it鈥檚 still a good idea to back everything up, Levin said.
Districts should also implement multi-factor authentication so that staffers and students need more than just one username and password to access their systems. Some multi-factor authentication systems may text a code to the user鈥檚 cellphone, for instance, to confirm the person鈥檚 identity.
And school districts should teach employees not to use the same passwords on multiple sites, share them, or make them easily guessable. Employees also should learn to spot a phishing email, in which criminals posing as someone in the district, or a vendor, may ask for their login credentials. And they should immediately report any suspicious emails to their IT departments.
鈥淵ou can invest billions of dollars in all of the highest-level, most sophisticated firewalls and detection mechanisms. And invariably, a phishing email is going to get through,鈥 Russeau said. 鈥淎nd if a staff member doesn鈥檛 recognize it, and opens the attachment or clicks on the link, all of a sudden you鈥檝e got someone in the payroll department sending copies of everyone鈥檚 W-2 to someone they think is the superintendent but isn鈥檛.鈥
The top leaders in school districts also need to go beyond endorsing cybersecurity efforts, and get personally involved, Russeau emphasized.
Often, district leaders think, 鈥渨ell, that鈥檚 a technology thing, the technology department will worry about security,鈥 he said, adding, 鈥渂ut so many of the security decisions that we make as an IT department are really in direct response to what leadership tells us about how much risk they are willing to stand.鈥
What are federal and state policymakers doing about K-12 cyberattacks?
They are starting to take notice. State lawmakers introduced at least 170 cybersecurity bills last year that focused directly or indirectly on K-12. That鈥檚 a little less than double the number of such bills introduced in 2020, .
Fifty-one of those bills became law. They included measures such as new requirements on reporting incidents of cyberattacks, mandates for state cybersecurity planning, and new funds for bolstering cybersecurity.
In Congress, lawmakers introduced at least 19 cybersecurity bills in 2021 that were directly or indirectly relevant for K-12 schools, CoSN reported. That鈥檚 also about double the number for 2020.
And in October of 2021, President Joe Biden signed the , which calls for the federal cybersecurity agency to make recommendations about how to help school systems better protect themselves.
