Schools and universities confronted an unprecedented increase in attacks.
In 2020, cybercriminals attacks affected at least 1,681 schools and universities across the country, according to research by Emsisoft. In 2019, only 89 were attacked with ransomware, although over 1,000 more were potentially affected. These numbers represent a minimum of ransomware attacks, Emsisoft said — there are no federal reporting requirements.
Seculore Solutions, a software company based in Maryland, has recorded 122 cyberattacks in California across the public safety, government, medical and education sectors since 2016. At least 26 of those cyberattacks have targeted California school districts, colleges and universities, including the University of California, Sierra College, College of the Desert and Visalia Unified School District.
If the data on cyberattacks seems sketchy and incomplete, that’s because it is. Nick Merrill, a cybersecurity researcher at UC Berkeley, said he doesn’t know of an archive for cyber attacks in California. “But if you find one, please let me know,” he wrote in an email to CalMatters.
While it’s ultimately a mystery how ransomware crews pick their specific targets, the education sector is vulnerable for a few reasons, according to multiple experts. Tight budgets prevent them from having the resources to stop cyberattacks. Unique characteristics — like an open WiFi network — make schools particularly vulnerable. And they are also dependent on their online systems: They wouldn’t be able to function without grading systems or other file-sharing software.
“They’re essentially low-hanging fruit,” said Andrew Brandt, a malware researcher with SophosLabs.
Schools could also be a quick and easy payout for “ransomware crews” who make a living off of these attacks, Merrill said. Experts believe that many of these cybercriminals are located in Russia or the former USSR, where ransomware is a lucrative business in an otherwise depressed economy.
“There are a lot of them, so you can keep hitting these (schools and colleges) all across the U.S., all across maybe even the world, and you can get a pretty consistent payout every time,” Merrill said.
But while ransomware attacks are increasing in schools across California and the country, key players are struggling to play catch-up. School administrators, experts and government officials are having different conversations, if any at all.
Do you pay ransomware attackers or not?
The week of the ransomware attack at Newhall School District, teachers uploaded videos to the school district’s website as a form of makeshift online school. All students in the district watched the same videos. Hall said some of her students felt that week was “a bit of a waste,” because the lesson plans were so generic. She said teachers felt guilty about “leaving our kids stranded without our support.”
Meanwhile, the district’s four person IT department was working overtime. The district’s 310 teachers were at a standstill until the systems were online and ransomware-free.
Luckily, the district had purchased cyber insurance a few years back. Its insurer — Alliance of Schools for Cooperative Insurance Programs — contracted with Alvaka, an advanced network services and security company, to help retrieve files, according to one Newhall administrator. District officials would not say if they paid the ransom or not. Doing so would be considered controversial; The FBI advises against paying ransoms.
But Superintendent Jeff Pelzel did say teachers’ intellectual property — their lesson plans — were taken into consideration.
“Of course, the FBI doesn’t want anyone to pay anything for the ransom,” Pelzel said. But if you put a dollar value on the time it takes to make lesson plans, some of which have been developed over a decade, it can become difficult to decide whether to pay or not. “It would be devastating for staff,” he said.
By the next week, students and teachers were able to access their online classrooms again. Within a few months, most of the district’s other programs and servers were running.
Newhall has since upped its cybersecurity efforts: more frequent phishing exercises, required cybersecurity training for every employee, more operations in the cloud, and two-factor authentication for administrators, among other measures.
Ransomware protocols for schools still evolving
A couple of months after the ransomware attack, Newhall applied for an exemption from the California Department of Education to add days onto the end of the school year. These are typically granted for school shootings, wildfires and other emergencies where students had missed days of quality instruction from school.
But the department initially denied Newhall’s request, only to reverse itself about half a year later. Cyberattacks did not meet the state’s criteria and it took months of advocacy from Pelzel to reverse the decision.
Pelzel has said the federal government should fund cybersecurity for all school districts. He also called for a crisis manual for ransomware attacks, similar to crisis procedures for active shooters and earthquakes.
“In general, we live in a society where governments are reactive rather than proactive,” Walters, president of Newhall’s school board, said. “It takes usually some sort of disaster for people to take a hard look at what needs to be improved. California is frankly, behind … but eventually (it shows) a history of catching up.”
Trade organizations — including the California School Boards Association and Association of California School Administrators — don’t offer cybersecurity resources or guidance and directed CalMatters to the California Department of Education.
But the department started working on cybersecurity for schools just recently.
Mary Nicely, the department’s point person for cybersecurity efforts, said she was tasked with working on cybersecurity just a few weeks ago, although the department’s data management team had previously provided resources to help schools understand digital literacy.
“We can’t say, ‘Hey, everybody put your money into cybersecurity or allocate this much of your budget to that,’” Nicely said. “Those are individual decisions of the school districts. I think we should be giving more guidance in that area. I don’t think (the California Department of Education) has done that in the past.”