(December 23, 2022) - Karen I. Bridges of Wilson Elser discusses the evolving cyberthreats faced by educational and governmental organizations and new requirements from regulators intended to improve their cyber protections.

It's the middle of August, and teachers are busy getting their classrooms ready for another school year, while parents complete last-minute registration tasks. All of a sudden the computer network is down with a message that a threat actor is demanding a ransom. Nothing can get done and the busiest time of year for teachers has come to an abrupt halt.

School administrators are faced with an untenable choice: do you pay the ransom and get school started on time or do you delay school and try to restore from backup? The school administrators must address these questions while being flooded with inquiries from the media, concerned parents and teachers asking what information was impacted.

This is the nightmare scenario that all too many schools faced this August. The threat actors know that schools and municipalities can be easy targets and public pressure will force a quick decision on a ransom payment. Understanding these pressures can help schools and municipalities avoid this fate.

Threat actors are targeting schools and municipalities

In 2021, education and research organizations suffered high rates of ransomware attacks. On average, threat actors targeted 1,605 education and research organizations per week. The second most targeted group was military and government organizations, which suffered approximately 1,136 attacks per week.

This shows a disturbing trend for education and government organizations.1 The threat faced by governments grew so large that in October 2019, the FBI issued a high-impact cyber-attack warning.2 The FBI issued additional warnings for education institutions on March 16, 2021.3

Why are threat actors targeting schools and municipalities?

Threat actors tend to see schools and governmental entities as low-hanging fruit that likely store personally identifiable information such as social security numbers, credit card numbers and tax information.

Due to lack of funding, however, they are not likely to have that information properly protected. These entities also are targeted by threat actors because they can easily learn about their financials and networks through publicly available documents, and public pressure often forces quick decisions on ransom payments.

Lack of funding

The newspapers are full of stories about how school districts and municipalities are suffering financially. Many school districts have problems finding qualified teachers, let alone cybersecurity professionals.4 They do not have the funding to purchase and maintain the latest state-of-the-art equipment and patches to avoid a ransomware attack.

In a survey by the nonprofit State Education Technology Directors Association and Whiteboard Advisors, only six of the 80 respondents said their state provides "ample" funding. Thirty-two respondents said they received "very little funding."5

This leaves schools in the position of collecting substantial amounts of personally identifiable information while having minimal funds to protect that data. The threat actors know this, creating the perfect recipe for a cyber-attack. In another survey of 280 school administrators from around the country, 37 percent identified lack of funding as the greatest cybersecurity challenge in their districts.6

School districts are pushing for more federal funding to improve their cybersecurity. In September 2022, more than eleven hundred school districts signed off on a letter to the Federal Communications Commission asking it to expand the funds available for computer updates. The districts specifically requested that federal funds from the schools and libraries universal service support program (E-Rate Program) be used to improve school firewalls.7

Open access to financial information

Many people don't realize that threat actors treat data theft as a full-time job. Prior to starting an encryption event, they will extensively research an entity, including its financial reports and the amount of its cybersecurity insurance. The threat actors generally want to know this information so they can make a ransom demand that maximizes the amount of a potential payment, but not so high as to exceed an entity's ability to pay.

For many public entities such as schools and municipalities, the ability to pay a ransom may be derived from public information. In fact, many states have laws similar to FOIA that restrict what information a public entity may keep private, such as K.S.A. 45-215 et seq.

The threat actors also are able to use public information to determine the amount of cybersecurity protection an entity has. For example, a threat actor can see how much is spent on cybersecurity, what cybersecurity protections are currently in place and if the entity is considering spending funds upgrading their systems. This may help a threat actor determine how easy it would be to access a school or municipality's systems.

Public pressure to get systems back up and running

Threat actors, like many legitimate companies, want to ensure that they are paid quickly. To achieve this end, the threat actors rely on public pressure. Often they select high-pressure times when it will be very visible that the computer systems are down.

For example, August is a popular time for these attacks on schools. Media reports also can be a source of pressure on schools to force a ransom payment. When schools and municipalities are not able to function due to a ransomware attack, media outlets often follow the story closely. Several breaches illustrate these problems:

In October 2022, the Los Angeles Unified Public Schools revealed that over Labor Day weekend a threat actor had attacked their systems. The story was so large that CNN and other major news outlets ran with the story. This forced the school district to justify their decision not to pay a ransom and to act extremely quickly to address the media questions.8

Another school district in Albuquerque, New Mexico, was forced to close for two days as a result of a ransomware attack that occurred just after the students returned from winter break. That attack prevented teachers from accessing databases that tracked attendance, emergency contact records and which adults are allowed to pick up students at the end of the day. This event made both CNN and NPR.9

Municipalities face a similar issue. For example, ransomware attacks have shut down city computer systems in Atlanta, Georgia; Baltimore, Maryland; St. Lucie, Florida; New Bedford, Massachusetts; New Orleans, Louisiana; Greenville, North Carolina; and Pensacola, Florida. All of these attacks made the national and local news.10

All of this media attention forces schools and governments to address these issues quickly. Often, these entities may not want to explain why it is taking weeks to restore from backup. They may decide that the public pressure is too great and pay the ransom, hoping to get the systems back online faster. Also, due to public pressure these entities may not have sufficient time to weigh their options.

How are regulators responding?

Regulators and law enforcement agencies appreciate this trend, and have started taking action to help schools and municipalities stay safe from ransomware attacks. They appear to use both the "carrot" and the "stick" to encourage these entities to improve their cyber protections.

What are the carrots?

Among the carrots regulators offer are the E-Rate Program and a cyber-hygiene program through the Cybersecurity and Infrastructure Security Agency. The E-Rate Program has existed since the mid-1990s and was originally created to help school districts and libraries connect to the internet.11

Schools that apply to use the E-Rate Program can obtain discounts on telecommunications equipment and data transmission services. The E-Rate Program will cover software upgrades and security patches only "if the service or equipment would only function and serve its intended purpose with the degree of reliability ordinarily provided with these specific services."12

While this program is not entirely focused on cybersecurity, often the latest telecommunications equipment comes with additional protections against ransomware and allows schools to funnel money into cybersecurity. The E-Rate Program currently has a $4.4 billion spending cap.

In 2021, however, it provided $2.5 billion to schools, an increase from $2.1 billion provided in 2020.13 There are clearly more funds available to schools to improve technology in their districts.

Another carrot that is designed specifically to stop ransomware attacks is the Cyber Hygiene Services offered by the Cybersecurity and Infrastructure Security Agency (CISA). That agency provides cybersecurity vulnerability screening at no charge to federal, state, local, tribal and territorial governments.

It also provides services to public schools. This program is intended to stop ransomware attacks by showing public entities how they are vulnerable to attack, and easy ways to prevent it. In addition, CISA provides information on the current threats to these entities on its website.14 The federal government also has provided a $1 billion fund for state and local governments to improve their cybersecurity.15

What are the sticks?

In addition to these incentives, regulators across the country have begun implementing measures requiring municipalities and school districts to implement the same high standards as a corporate entity.

For example, investigations by state attorneys general often require these entities to identify what security policies and procedures are in place, such as multifactor authentication (MFA) and written information and security policies. "We are just a small school district in a rural area and we do not need to worry about this" is no longer a defense.

Unfortunately, many school districts fail to meet these requirements with respect to implementation of cybersecurity policies. For example, MFA, which is one way to prevent these attacks, has not been widely implemented. A report from the Center for Internet Security published in November 2022 found that 81 percent of schools have not fully implemented MFA, while 29 percent were not using MFA at all.16

Another stick that legislators use is the creation of laws to protect student data. Some examples of this trend are the Kansas Student Data Privacy Act (K.S.A 72-6214) and the Illinois Student Online Personal Protection Act (105 ILCS 85, et seq.).

These laws expand the definition of protected information beyond what is normally considered personally identifiable information. Under these laws, many schools are required to protect students' grades, test courses, date of birth and grade level. Such legislative expansions confirm schools' duties to protect this information.

Conclusion

Schools and municipalities need to be especially concerned about improving cybersecurity. Because of the lack of funding and unique pressures these entities face, they are the perfect targets for ransomware groups. With increased awareness of these challenges and additional availability of resources from state and federal sources, however, public entities are becoming better able to address the risk.

