American Rescue Plan Helps K-12 Schools Defend against Ransomware
 

K-12 schools can tap into a deep pool of federal COVID relief funds to strengthen their cybersecurity, as government and EdTech leaders rally to stem the crimewave of ransomware and other cyberattacks targeting remote learning. Additional funding was approved the first week in March, just as new research confirmed the grave extent of K-12 cyber risk.

2020 saw a record-breaking number of K-12 cyber incidents: two per school day, according to “The State of K-12 Cybersecurity: 2020 Year in Review.” And that’s only counting publicly disclosed incidents at U.S. public schools. “Moreover, many of these incidents were significant: resulting in school closures, millions of dollars of stolen taxpayer dollars, and student data breaches directly linked to identity theft and credit fraud,” the report stated.[1]

Remote Learning Runs on Email

An ongoing flow of email messages and mobile notifications connects teachers, students and parents for instruction, administration and assessment — communicating lesson plans, attaching teaching materials, updating links to learning platforms and otherwise coordinating the people and digital resources needed to keep schooling kids.

But as educators themselves have been learning, email also opens them up to cyberattacks such as ransomware, when unwitting recipients download infected attachments or click on malicious URLs in phishing emails. What’s more, schools have become a primary target of ransomware. But greater email security management, web security and awareness training can stop most ransomware and help K-12 schools get a better handle on the problem.

Washington Issues Alert, Works to Free up Funds

In December, government cybersecurity agencies issued a clear warning:

“Malicious cyber actors are targeting kindergarten through twelfth grade (K-12) educational institutions, leading to ransomware attacks, the theft of data and the disruption of distance learning services. Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year. These issues will be particularly challenging for K-12 schools that face resource limitations.” – Joint advisory by the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing and Analysis Center (MS-ISAC).[2]

Funding to lower this cyber risk will become available as part of the $126 billion K-12 allocation in the $1.9 trillion American Rescue Plan signed last week by President Biden. The law includes significant discretion for spending money on everything from sanitation and ventilation to IT hardware, software and connectivity; school districts must apply for the money through their state education departments.[3]

The law does not break out a cybersecurity component of the IT spend, but federal agencies have begun to set precedent for allocating funds to cybersecurity. For example, the Federal Emergency Management Agency (FEMA) recently required state and local governments to devote at least 7.5% of grant awards to improving their cybersecurity planning, infrastructure and training.[4] “That will have a ripple effect through more federal grants, whether from FEMA, the Department of Education or other agencies,” said Jon Goodwin, Mimecast’s Director of U.S. Public Sector and Education.

Meanwhile, the Federal Communications Commission has been petitioned to cover cybersecurity under its E-rate program for universal service for schools and libraries. The petition, from EdTech associations and other education advocates, asks for more investment in cybersecurity, including a call to update the agency’s definition of “broadband” to include cybersecurity.[5] Congressional pressure for action on K-12 cybersecurity has also been increasing, including the proposed Enhancing K-12 Cybersecurity Act, with funds for more staffing and technology upgrades.[6]

K-12 Cyber Risk by the Numbers

Ransomware tops cybersecurity agencies’ list of threats, and its growth has been exacerbated by other increasingly troubling findings. Among them:

• Proliferating attacks: “The State of K-12 Cybersecurity: 2020 Year in Review” documented 408 disclosed incidents at public school districts in 2020, including data breaches, denial-of-service attacks and at least 50 successful ransomware attacks, which stood out as the most severe incidents. Altogether, that’s an 18% increase over 2019.
• Rise of ransomware: K-12 schools accounted for 57% of ransomware attacks on state and local institutions last August-September, up from 28% from January through July, according to that FBI-led joint advisory.
• Lack of preparation: More than half of educators and administrators recently surveyed by IBM said they had received no cybersecurity training.[7]
• Human error: More than one in four education and government sector respondents to a Mimecast survey say they’ve opened suspicious emails.

“Notwithstanding the heroic education IT-related efforts to ensure remote learning … it should hardly be surprising that school district responses to the COVID-19 pandemic also revealed significant gaps and critical failures in the resiliency and security of the K-12 educational technology ecosystem,” concluded the State of K-12 Cybersecurity report.

Educators Recount K-12 Ransomware Attacks

The severity of ransomware was underscored by Leslie Torres-Rodriguez, Superintendent of the Hartford, Connecticut, Public Schools, in testimony before a Senate oversight subcommittee on federal spending. The district was forced to postpone its first day back to school and spent months on repair and recovery, she said.

Even though no ransom was paid, significant costs were incurred on laborious activities such as restoration of servers, including 70 terabytes of information and reversion of every connected computer to factory settings. “These preventive measures impeded our ability to operate normally, and for teachers to provide student instruction, impairing even basic functions like scanning and printing,” she said.[8]

In the Hartford School District and elsewhere, malicious actors were demanding higher-then-ever ransoms in 2020 — in some cases well over $1 million per incident, according to the State of K-12 Cybersecurity report. In another 2020 development, more of the attacks stole personal information to use as an additional lever to negotiate ransom. And associated closures and class cancellations tripled from the previous year, to 15 districts.

As bad as it’s been, ransomware is just one of educators’ worries. In another example, spear-phishing attacks against K-12 school administrative staff and vendors have netted a median amount of $2 million per incident in 20 cases made public since 2016, the report said.

Garden-variety phishing attacks are so common they’re rarely reported. One California district CTO said his cybersecurity infrastructure defends against 10 to 15 cyberattacks every second, while its email filter blocks up to 3 million emails a day containing spam, viruses and malware including ransomware.[9]

The Bottom Line

K-12 schools pivoted toward digital transformation in a big way in 2020, to keep school in session remotely. Malicious actors followed, exploiting schools’ expanded cyberattack surface more aggressively with ransomware and other malware. The good news is that federal funding is coming available to help schools protect against cyberthreats — so that their pandemic-driven innovations can continue to serve them in the future, but at reduced risk.

[1] “The State of K-12 Cybersecurity: 2020 Year in Review,” K-12 Cybersecurity Resource Center

[2] “Alert: Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data,” FBI, Cybersecurity and Infrastructure Security Agency, and Multi-State Information Sharing and Analysis Center

[3] “American Rescue Plan Act of 2021,” U.S. Congress

[4] “DHS Announces Funding Opportunity for $1.87 Billion in Preparedness Grants,” Federal Emergency Management Agency

[5] “CoSN, SETDA, SECA, All4Ed, SHLB and CGCS Submit E-Rate Cybersecurity Cost Estimate to FCC,” Consortium for School Networking

[6] “Langevin, Matsui Introduce the Enhancing K-12 Cybersecurity Act,” U.S. Congress

[7] “Education Ransomware Study,” Morning Consult for IBM

[8] “Senate Testimony, Hartford Public Schools/City of Hartford Cyberattack,” U.S. Congress

[9] “Schools Strengthen Defenses Amid Increases in Cyberattacks,” EdTech