Municipalities And Schools Prepared For Cybersecurity Defense – Security
(December 23, 2022) - Karen I. Bridges of Wilson Elser discusses
the evolving cyberthreats faced by educational and governmental
organizations and new requirements from regulators intended to
improve their cyber protections.
It's the middle of August, and teachers are busy getting
their classrooms ready for another school year, while parents
complete last-minute registration tasks. All of a sudden the
computer network is down with a message that a threat actor is
demanding a ransom. Nothing can get done and the busiest time of
year for teachers has come to an abrupt halt.
School administrators are faced with an untenable choice: do you
pay the ransom and get school started on time or do you delay
school and try to restore from backup? The school administrators
must address these questions while being flooded with inquiries
from the media, concerned parents and teachers asking what
information was impacted.
This is the nightmare scenario that all too many schools faced
this August. The threat actors know that schools and municipalities
can be easy targets and public pressure will force a quick decision
on a ransom payment. Understanding these pressures can help schools
and municipalities avoid this fate.
Threat actors are targeting schools and municipalities
In 2021, education and research organizations suffered high
rates of ransomware attacks. On average threat actors targeted
1,605 education and research organizations per week. The second
most targeted group was the military and government organizations
that suffered approximately 1,136 attacks per week.
This shows a distributing trend for education and government
organizations.1 The threat faced by governments grew so
large that in October 2019, the FBI issued a high-impact
cyber-attack warning.2 The FBI issued additional
warnings for education institutions on March 16,
2021.3
Why are threat actors targeting schools and
municipalities?
Threat actors tend to see schools and governmental entities as
low-hanging fruit that likely store personally identifiable
information such as social security numbers, credit card numbers
and tax information.
Due to lack of funding, however, they are not likely to have
that information properly protected. These entities also are
targeted by threat actors because they can easily learn about their
financials and networks through publicly available documents, and
public pressure often forces quick decisions on ransom
payments.
Lack of funding
The newspapers are full of stories about how school districts
and municipalities are suffering financially. Many school districts
have problems finding qualified teachers let alone cybersecurity
professionals.4 They do not have the funding to purchase
and maintain the latest state-of-the-art equipment and patches to
avoid a ransomware attack.
In a survey by the nonprofit State Education Technology
Directors Association and Whiteboard Advisors, only six of the 80
respondents said their state provides "ample" funding.
Thirty-two respondents said they received "very little
funding."5
This leaves schools in the position of collecting substantial
amounts of personally identifiable information while having minimal
funds to protect that data. The threat actors know this, creating
the perfect recipe for a cyber-attack. In another survey of 280
school administrators from around the country, 37 percent
identified lack of funding as the greatest cybersecurity challenge
in their districts.6
School districts are pushing for more federal funding to improve
their cybersecurity. In September 2022, more than eleven hundred
school districts signed off on a letter to the Federal
Communications Commission asking it to expand the funds available
for computer updates. The districts specifically requested that
federal funds from the schools and libraries universal service
support program (E-Rate Program) be used to improve school
firewalls.7
Open access to financial information
Many people don't realize that threat actors treat data
theft as a full-time job. Prior to starting an encryption event,
they will extensively research an entity, including its financial
reports and the amount of its cybersecurity insurance. The threat
actors generally want to know this information so they can make a
ransom demand that maximizes the amount of a potential payment, but
not so high as to exceed an entity's ability to pay.
For many public entities such as schools and municipalities, the
ability to pay a ransom may be derived from public information. In
fact, many states have laws similar to FOIA that restrict what
information a public entity may keep private, such as K.S.A. 45-215 et seq.
The threat actors also are able to use public information to
determine the amount of cybersecurity protection an entity has. For
example, a threat actor can see how much is spent on cybersecurity,
what cybersecurity protections are currently in place and if the
entity is considering spending funds upgrading their systems. This
may help a threat actor determine how easy it would be to access a
school or municipality's systems.
Public pressure to get systems back up and running
Threat actors like many legitimate companies want to ensure that
they are paid quickly. To achieve this end the threat actors rely
on public pressure. Often they select high-pressure times when it
will be very visible that the computer systems are down.
For example, August is a popular time for these attacks on
schools. Media reports also can be a source of pressure on schools
to force a ransom payment. When schools and municipalities are not
able to function due to a ransomware attack, media outlets often
follow the story closely. Several breaches illustrate these
problems:
In October 2022, the Los Angeles Unified Public Schools revealed
that over Labor Day weekend a threat actor had attacked their
systems. The story was so large that CNN and other major news
outlets ran with the story. This forced the school district to
justify their decision not to pay a ransom and to act extremely
quickly to address the media questions.8
Another school district in Albuquerque, New Mexico, was forced
to close for two days as a result of a ransomware attack that
occurred just after the students returned from winter break. That
attack prevented teachers from accessing databases that tracked
attendance, emergency records contacts and which adults are allowed
to pick up students at the end of the day. This event made both CNN
and NPR.9
Municipalities face a similar issue, for example ransomware
attacks have shut down city computer systems in Atlanta, Georgia;
Baltimore, Maryland; St. Lucie, Florida; New Bedford,
Massachusetts; New Orleans, Louisiana; Greenville, North Carolina;
and Pensacola, Florida. All of these attacks made the national and
local news.10
All of this media attention forces schools and governments to
address these issues quickly. Often, these entities may not want to
explain why it is taking weeks to restore from backup. They may
decide that the public pressure is too great and pay the ransom,
hoping to get the systems back online faster. Also, due to public
pressure these entities may not have sufficient time to weigh their
options.
How are regulators responding?
Regulators and law enforcement agencies appreciate this trend,
and have started taking action to help schools and municipalities
stay safe from ransomware attacks. They appear to use both the
"carrot" and the "stick" to encourage these
entities to improve their cyber protections.
What are the carrots?
Among the carrots regulators offer are the E-Rate Program and a
cyber-hygiene program through the Cybersecurity and Infrastructure
Security Agency. The E-Rate Program has existed since the mid-1990s
and was originally created to help school districts and libraries
connect to the internet.11
Schools that apply to use the E-Rate Program can obtain
discounts on telecommunications equipment and data transmission
services. The E-Rate Program will cover software upgrades and
security patches only "if the service or equipment would only
function and serve its intended purpose with the degree of
reliability ordinarily provided with these specific
services."12
While this program is not entirely focused on cybersecurity,
often the latest telecommunications equipment comes with additional
protections against ransomware and allows schools to funnel money
into cybersecurity. The E-Rate Program currently has a $4.4 billion
spending cap.
In 2021, however, it provided $2.5 billion to schools, an
increase from $2.1 billion provided in 2020.13 There are
clearly more funds available to schools to improve technology in
their districts.
Another carrot that is designed specifically to stop ransomware
attacks is the Cyber Hygiene Services offered by the Cybersecurity
and Infrastructure Security Agency (CISA). That agency provides
cybersecurity vulnerability screening at no charge to federal,
state, local, tribal and territorial governments.
It also provides services to public schools. This program is
intended to stop ransomware attacks by showing public entities how
they are vulnerable to attack, and easy ways to prevent it. In
addition, CISA provides information on the current threats to these
entities on its website.14 The federal government also
has provided a $1 billion fund for state and local governments to
improve their cybersecurity.15
What are the sticks?
In addition to these incentives, regulators across the country
have begun implementing measures requiring municipalities and
school districts to implement the same high standards as a
corporate entity.
For example, investigations by state attorneys general often
require these entities to identify what security policies and
procedures are in place, such as multifactor authentication (MFA)
and written information and security policies. "We are just a
small school district in a rural area and we do not need to worry
about this" is no longer a defense.
Unfortunately, many school districts fail to meet these
requirements with respect to implementation of cybersecurity
policies. For example, MFA, which is one way to prevent these
attacks, has not been widely implemented. A report from the Center
for Internet Security published in November 2022 found that 81
percent of schools have not fully implemented MFA, while 29 percent
were not using MFA at all.16
Another stick that legislators use is the creation of laws to
protect student data. Some examples of this trend are the Kansas
Student Data Privacy Act (K.S.A 72-6214) and the Illinois Student Online
Personal Protection Act (105 ILCS 85, et seq.).
These laws expand the definition of protected information beyond
what is normally considered personally identifiable information.
Under these laws, many schools are required to protect
students' grades, test courses, date of birth and grade level.
Such legislative expansions confirm schools' duties to protect
this information.
Conclusion
Schools and municipalities need to be especially concerned about
improving cybersecurity. Because of the lack of funding and unique
pressures these entities face, they are the perfect targets for
ransomware groups. With increased awareness of these challenges and
additional availability of resources from state and federal
sources, however, public entities are becoming better able to
address the risk.
Footnotes
1. https://bit.ly/3YHwu4z
2. https://bit.ly/3BQUFDR
3. https://bit.ly/3VfNmMO
4. https://bit.ly/3HR69eD
5. https://bit.ly/3PJJd2F
6. https://bit.ly/3FIKB10
7. https://bit.ly/3PJJd2F
8. https://bit.ly/3HSWCnc
9. https://bit.ly/3Veltor
10. https://bit.ly/3BQUFDR
11. https://bit.ly/3PJJd2F
12. https://bit.ly/3hNux5Y
13. https://bit.ly/3PJJd2F
14. https://bit.ly/3YEL7G4
15. https://bit.ly/3PJJd2F
16. https://bit.ly/3VfOOPg
Originally published by Westlaw Today.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
Gloss