SAN DIEGO COUNTY, Calif. — Schools aren’t exactly known for their expansive budgets. Many struggle to pay for basic operations such as functioning air conditioning and employee salaries.
But this past year, cybercriminals have attacked a growing number of schools across California and the country. A handful of California schools, colleges and universities have experienced ransomware attacks, often with harsh consequences: Sierra College had some systems shut down during finals week, Newhall School District’s 10 elementary schools went a week without online school during the pandemic, and UC San Francisco paid a $1.14 million ransom.
The average ransom paid by mid-sized organizations across the world in 2021 is about $170,000, according to a survey by London-based software company Sophos. Still, cybercriminals try to make their ransoms affordable. UC Berkeley cybersecurity researcher Nick Merrill said he thinks would-be thieves will charge as much as schools are willing to pay.
“At the end of the day, (the criminals) don’t want this to drag out for a long time, that increases their liability,” he said. “I’m guessing they’ll pick the highest number that they think you’ll pay quickly.”
Ransomware attacks are increasing against schools not only in California but across the country, according to several experts. How schools respond and what security measures they have in place are evolving rapidly.
What do cyber criminals do first?
When cybercriminals first breach a school’s systems, they sometimes try to find financial documents and insurance policies to figure out how much schools can afford to pay, according to Kevin McDonald, chief information security officer at Alvaka Networks, an Irvine-based cybersecurity company.
“One example would be they have your insurance policy that says you have a million dollars of ransomware coverage,” he said. “And, because you always negotiate with threat actors, you say, ‘I can’t afford a million dollars.’ And they go, ‘Well, yeah, you can — here’s your policy.’ And they actually send back your policy as well.”
U.S. schools pay the ransom fairly often, too, according to three experts.
One other expert clarified that they will more than likely pay only if they have the resources to do so, and they lack good backups.
So, where do schools find the money to pay ransoms?
It’s unclear how many school districts in California carry cyber insurance. Cyber insurance is so new, in fact, that Mary Nicely, a senior policy advisor at the California Department of Education, said she wasn’t sure how schools would decide whether cyber insurance is necessary.
Brian Walters is the school board president for Newhall School District located in Santa Clarita. Through his work as a lawyer, Walters became aware of a rise in cyber attacks in 2015, and Newhall purchased cyber insurance on his advice a couple of years later. That came in handy last September when the district had its servers locked up by ransomware. But cyber insurance is “not widespread” for schools in California, according to Troy Flint, chief information officer for the California School Boards Association, who said cyber attacks are still “relatively rare.”
“Cyber insurance is just sort of a new realm and it would be a leap into the unknown for districts,” he said. “With budgets being tight traditionally in school districts, is that an expenditure that you want to make when most districts are not able to provide all the programs and services they want to give their kids?”
Cyber insurance isn’t simple, either. There are several different types — ranging from cyber security to cyber terrorism insurance — and each policy affords different coverage.
Robert Fitzgerald, founder of Boston-based consulting firm Arcas Risk Management, said schools should make sure they understand what kind of cyber insurance they’re buying and should not use insurance as an excuse to neglect other prevention.
“We cringe, literally cringe, when we hear, ‘Oh, we’re covered,’” he said. “More times than not, they’re not covered. And worse, because they haven’t maintained their IT systems the way they need to, there are times the insurance company will balk and say we’re not covering this because you didn’t have basic protections in place.”
Even if schools do pay ransoms through insurance or other funds, it’s unlikely they’ll get all of their data back: Less than 10% of victims across the globe recovered all of their data after paying a ransom, according to a report from London-based software company Sophos. Even if they do get their data back, there’s a chance that criminals have already sold some of it on the dark web, according to Ronald Manuel, a supervisor on the FBI’s Los Angeles cyber task force.
Cybersecurity hasn’t been a priority — until now
Cybersecurity just wasn’t a priority for many schools, especially with the sudden transition to online learning, said Chris Scott, director of security innovation for computer hardware giant IBM.
Instead, school administrators were focused on delivering online lessons and making sure their students had access to devices and WiFi.
A survey of 1,200 educators and administrators across the country, commissioned by IBM, found that half of respondents were unconcerned about a cyber attack against their institutions.
National security expert Javed Ali, who teaches a class on cybersecurity at the University of Michigan, said cybersecurity isn’t part of the national consciousness yet, but will be once more schools suffer from cyber attacks.
“The more these types of operations get launched against institutions of higher learning, and the ones that will make major national headlines, that will probably compel some kind of action,” he said.
What’s more, some schools seem to have misplaced faith in their ability to handle cyber attacks: According to the same IBM survey, while 83% of administrators expressed confidence in their school’s ability to handle a cyberattack, more than 60% were unaware whether their school has cyber insurance. More than half of educators in the survey said they haven’t received any cybersecurity training.
Cybersecurity resources — and money — can be hard to come by
Little regulation exists around cybersecurity — for schools or otherwise — on either the state or federal level.
For example, no one knows for sure how many cyber attacks have been carried out against schools in California or the country. California laws require organizations to report data breaches that could lead to identity theft and federal law requires notification when healthcare records are stolen.
But while federal and state reporting laws also require schools and universities to report certain crimes, like hate crimes or sex offenses, they don’t require reporting most cybercrimes, including ransomware attacks.
Administrators — unless they’re plugged into cybersecurity circles — can have trouble finding resources on the topic.
Nicely said California’s Department of Education started working with the Multi-State Information Sharing and Analysis Center, a group funded by the federal government that offers free technical products, like malicious domain blocking and secure suite, to educators.
She happened upon the group on a whim while attending a cybersecurity webinar she found through a newsletter.
The cybersecurity nonprofit has over 2,500 members in the education sector — a number that is growing fast, said Josh Moulin, a senior vice president at the Center for Internet Security, the nonprofit’s parent organization. But he admits it can be hard to reach everyone that needs help when some schools even lack IT departments.
“Often what we find, especially in these smaller organizations, is they don’t have the staff on hand to fully grasp what we’re offering or even know how to implement it,” he said.
Administrators and experts have consistently called lack of funding and staff a major obstacle to better cybersecurity.
Recently, one California school district was alerted to the presence of an unauthorized user who seemed to be readying its network for a ransomware attack, according to Sophos. But the school district declined to use the company’s services because of the cost, Sophos said, and the attacker ended up encrypting around 15,000 computers.
Nicely said the California Department of Education has no funding or staff dedicated to helping schools with cybersecurity. Cybersecurity “just kind of fell on me because I have a technical background,” she said. “Somebody’s gotta do it.”
Some experts have also called out a communication breakdown in guidance to educators.
While some government guidelines are relatively clear cut — one example is the Cybersecurity and Infrastructure Security Agency’s resources page for K-12 educators — others aren’t always accessible. An FBI ransomware notice in March 2021 told administrators to take actions like “air gapping” data and to “disable unused remote access/RDP ports.”
These steps, although common sense for security experts, failed to target audiences that might not know basic cybersecurity practices, UC Berkeley’s Merrill said.
“This communication breakdown is a structural reason why we’re not seeing changes,” he said.
How California’s college systems approach cybersecurity
Colleges and universities tend to be better staffed and have more resources for cybersecurity than K-12 school districts.
The California State University system, for instance, has a cybersecurity team of half a dozen employees with at least one cybersecurity expert per university, according to Ed Hudson, the system’s chief information security officer.
Almost everyone in the Cal State system is required to have multi-factor authentication, considered one of the best measures to stop cyberattacks. The security team also runs cyber attack drills a couple of times each year to see how well their backups work.
Similarly, the California Community Colleges system has over half a dozen employees dedicated to cybersecurity with at least one cybersecurity employee per college, according to Rafael Chavez, public information officer for the system.
These measures still haven’t prevented ransomware attacks, which experts say are almost impossible to protect against entirely.
In May, Sierra College was hit with a ransomware attack, taking several systems offline during their finals week.
In March, cyberattackers struck the University of California. The university repeatedly declined to comment on its cybersecurity resources.
Cybersecurity is also forcing colleges and universities to reckon with key philosophical questions, McDonald said. Should there be completely free access to the Internet? How do you deal with faculty who are resistant to better cybersecurity because of the burden it might place on their work? What happens when certain departments, like government or medical research, don’t have to follow the same guidelines as everyone else?
And certain websites, like porn and gambling sites, are known to be frequently infected with malware, but colleges and universities don’t want to filter those sites from their Wi-Fi networks, given how popular they are with students. Administrators said if they did start filtering sites, there would be a “war,” according to McDonald.
“It’s really a fight against the idea that it should be the wild, wild west, and you could do whatever you want and there’s no ramifications for that,” he said. “It’s just not true. You can’t run a system like that and not expect something to go wrong at some point.”