COVID isn’t the only virus threatening schools. The digital kind are too
For the past year-plus, the main goal of the U.S. public education establishment has been to keep teachers and students safe from the virus — the coronavirus.
Which is indeed a top priority. But there are other viruses and infections targeting schools as well — the digital kind — that have spiked during the pandemic. And while they aren’t physically lethal, they can disrupt online classes, hold school departments for ransom, and steal the personal and financial data of students, teachers and staff.
Cyber criminals are, after all, opportunistic. And they are disciples of that political axiom originally attributed to Winston Churchill: Never let a good crisis go to waste. A world (or any economic sector, like education) in crisis is a massive opportunity.
According to a report by the K12 Security Information Exchange and the K-12 Cybersecurity Resource Center, the number of publicly disclosed cyberattacks on school districts spiked 18% in 2020 from the previous year — from 348 to 408.
Keep in mind that those were just the ones that were made public. There were likely lots more that weren’t disclosed.
Doug Levin, founder of the consulting firm EdTech Strategies and author of the report, noted that “there is no mandatory nonpublic reporting available for research such as this, although there could easily be 10 to 20 times more nondisclosed incidents.”
Which should be no surprise. The $760-billion education sector that serves about 50 million students is a vast, attractive, and unfortunately porous attack surface.
As the report puts it, “school IT systems collect and manage sensitive data about students; about their parents, guardians, and families; about educators and other school staff; and about school district operations. In some cases, these IT systems are locally hosted on school district premises or in shared hosting arrangements with other local government entities; increasingly, they are hosted by an ecosystem of vendors ‘in the cloud’ on systems accessible by any internet-connected device.”
Vulnerable to viruses
And while the education sector has sought to increase protection for students and employees from physical and public health risks, when it comes to cyber risks, not so much.
What the report labeled “significant gaps and critical failures” in the cybersecurity of the “K-12 educational technology ecosystem” led to multiple attacks that caused “school closures, millions of dollars of stolen taxpayer dollars, and student data breaches directly linked to identity theft and credit fraud.”
Just one example: The father of an elementary school student in the Toledo, Ohio public schools received notifications in the wake of an attack on the district that his son had been denied a credit card, denied a car loan, and also “qualified” for a solicitation for a Toledo Edison electric account, which offered a gift card for switching suppliers.
“They’ve got our children’s information and they’re trying to use it,” the father told a local TV station.
The large majority of the attacks were either denial of service (45%) or data breach (36%). Another 12% were ransomware. But the report said a new type of attack — class or meeting “invasions” more colloquially labeled “Zoom bombing” — took advantage of unsecure online learning platforms to harass participants with “hate speech; shocking images, sounds, and videos; and/or threats of violence.”
Much of this was entirely predictable, enabled by the fact that for the first two months of 2020 things were normal, and then suddenly everything was upended by pandemic lockdowns. School officials and staff were scrambling to transition to online learning with tools like video chat software, lesson portals and digital message boards. And when people are in a hurry, they make mistakes.
Levin told Wired magazine last summer that the rush to set up infrastructure for online learning meant that schools “went into that mode where everything is built with rubber bands and toothpicks.”
He noted in his report that schools were racing to deploy millions of new devices to students and teachers, adopt new teaching and learning platforms without adequate time to train users and otherwise prepare for their implementation, and allow staff to use free applications and services that had not been adequately vetted.
Not to mention that remote learning relies on millions of home networks. And experts have been documenting for years that most home routers are notoriously unsecure.
Also, as has been painfully illustrated in recent months with the SolarWinds hack, if vendors and other third parties in an organization’s supply chain are unsecure, the organization itself is unsecure. That was true in spades for the education sector in 2020. “For the second year running, at least 75% of all data breach incidents affecting U.S. public K-12 school districts were the result of security incidents involving school district vendors and other partners,” the report said.
Finally, overall security in the education sector has been weak since well before the pandemic. Wired profiled security researcher Jaggar Henry who, at age 17 in mid-2019 and still a high school student, appeared before the Polk County, Florida school board to present a list of security vulnerabilities he had found in the district’s digital systems. Among them was an endpoint vulnerability that allowed him to collect fellow students’ Social Security numbers, addresses, and emails. “They (the vulnerabilities) are high-impact but trivial to replicate,” he told the board.
“When I took a look, there was so much that was vulnerable — just a stupid amount of vulnerability,” Henry told Wired, adding, “I’m not some genius. It’s just very obvious that nobody else is looking.”
Which is a succinct summary of why public education is an easy target for hackers. It’s not that the sector is unsecure because it lacks highly sophisticated, cost-prohibitive tools and services that only a nation state could afford. It’s that it isn’t doing the basics.
Henry told the school board that by the time he appeared before them, the vulnerabilities he found had been patched, confirming that fixing security problems wasn’t beyond the budget or skills of school staff. Those bugs were there because, as he said, “nobody … is looking.”
Do the basics
All of which means that improving school security won’t require a new list of things to do. It will require following the recommendations security experts have been offering for decades.
Among them, school districts should be much more aggressive about vetting the security of third-party apps, platforms and services they use. In other words, don’t let their supply chain be the weak link in their security chain.
“There’s even more responsibility on app owners to secure applications and write secure code, because the threat landscape is greater than it has ever been,” said Rachel Zahr, security solutions manager with the Synopsys Software Integrity Group.
“Even though security education should target end users — teachers, children, administrators, parents — the people who need to quarterback the security initiatives are the app owners.”
“App owners shouldn’t assume that their users are inherently aware or will apply best practices regarding interaction with the web and apps,” she said. “If anything, many are likely novice internet users, and they’re the ones who succumb to both the obvious and less obvious traps that malicious actors set.”
That means training students and staff is also crucial. Because in some cases it’s not a failure of technology but a lack of awareness about the tricks attackers use. The report noted that four major spear phishing attacks in 2020 led to the theft of school district funds ranging from $206,000 to $9.8 million.
The report makes several recommendations, which should be familiar. They’re pretty much the same basic security hygiene recommendations that have been out there for years. But the reason they’re still out there is that they’re worth doing. They include:
- Invest in more IT security capacity dedicated to the unique needs of schools.
- Enact federal and state school cybersecurity regulations to ensure minimum school district and vendor cybersecurity practices.
- Support K-12 cybersecurity information sharing and research.
- Invest in the development of cybersecurity tools that are specific to the K-12 environment.
To those, Zahr adds that security has to be as much of a priority to the vendors of education applications, platforms and services as features and function are.
“Right now, getting features delivered ASAP to retain newly acquired customers/users is likely the top priority, while ensuring there’s solid security and risk management is a trailing initiative,” she said.
“Unfortunately, I think many organizations still have this ‘it won’t happen to us’ mentality, but they’re playing with fire and putting the data of their customers — teachers, parents, administrators, children — at risk.”
“That means they’re also putting their company reputation and revenue at risk.”