As remote learning continues to play a critical role in the world’s pandemic response, cybercriminals see another opportunity for exploitation.  The Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) recently issued an Advisory warning of cyber-attacks to K-12 educational institutions.  The Advisory reports that in August and September, ransomware incidents targeting K-12 education reported to the MS-SAC made up 57% of all reported ransomware incidents, up from 28% reported from January through July.

As we previously reported, cyber-attacks—especially ransomware—have increased significantly during the Covid-19 pandemic across all sectors.  K-12 educational institutions are particularly vulnerable targets for attackers.  According to Curtis W. Dukes, the executive vice president of the Center for Internet Security, K-12 educational institutions often cannot afford even basic cybersecurity protections because of tight budgets.  They also often carry insurance policies that include coverage for ransomware attacks, increasing an attacker’s probability of payment.  And school districts can be a source of sensitive personal information on both students and teachers, making them an enticing target for theft.  Indeed, student data can be more valuable than other types of personal information on the black market because children—who often do not have bank accounts or credit cards—are unlikely to notice the effects or signs of identity theft until later in life.  All of these factors make K-12 educational institutions a target of opportunity for cybercriminals.  As the Advisory explains, institutions that outsource their distance learning programs are also more vulnerable to attacks because these institutions may not have control over or understanding of data security measures used by third parties.

The Advisory specifically identifies ransomware, malware, Distributed Denial-of-Service attacks, and video conferencing disruption as attack vectors on the upswing.  Examples are not hard to find.  A September ransomware attack in Hartford, Connecticut, caused the district to postpone opening its schools.  In November, a ransomware attack shut down public schools for days in Baltimore County, Maryland, causing over 100,000 students attending schools online to stop classes entirely.  As a result of ransomware attacks in Fairfax County, Virginia and Clark County, Nevada, private information about students was published online.

The Advisory makes several recommendations to mitigate the risk of cyber-attacks in the K-12 educational space, including maintaining business continuity plans in case of a cyber-attack.  The Advisory also includes a number of “Best Practices” that K-12 educational institutions can implement, many of which mirror sound data security practices more generally.  The Advisory’s recommendations include the following:

• Patching operating systems, software, and firmware as soon as manufacturers release updates, using multi-factor authentication, and auditing logs to keep track of new accounts.
• Training employees and students about threats and how they are delivered, and informing employees who to contact when they see suspicious activity or when they believe a cyber-attack has occurred.

• Enrolling in a denial of service mitigation service that detects abnormal traffic flow and redirects it away from the network, configuring network firewalls to block unauthorized IP addresses, and disabling port forwarding.
• Mandating policies such as requiring passwords for video session access and limiting screen sharing privileges to only the meeting host.

The Advisory also identifies several issues for K-12 institutions to consider when partnering with third parties, including educational technology services, such as the efficacy of the third party’s cybersecurity policies and plans in case of breach, and their data security practices, such as data encryption and security audits.  K-12 institutions should also be aware of additional risks such as social engineering, open or exposed Remote Desktop Protocol ports, and exploitation of End-of-Life software.

As Brandon Wales, the head of CISA, explained at a Senate hearing on December 2, 2020, even basic security measures can be important and impactful: “If [K-12 educational institutions] have done the basics, put in place the bare minimum levels of the security – there is a good chance they will go onto the next victim and not target you.”  This highlights the larger reality that, in many instances, cyber intrusions are crimes of opportunity, and each additional safeguard in place that makes exploitation more difficult creates an incentive for an attacker to move on to a more vulnerable target.  Educational institutions are no exception and, as for all public and private sector industries, schools and school districts need to implement a robust cyber risk mitigation strategy to ensure appropriate deterrence and continuity of service if they fall victim to cybercriminals.