School districts these days face a variety of major challenges, from pandemic-era learning loss to the threat of campus shootings. There’s another one always lurking — cyberattacks like the one experienced by L.A. Unified School District on its information technology systems over the weekend.
As L.A. teachers, parents, students and leaders felt the brunt of the attack on Monday, it begged the question: With so much of education these days relying on computer technology, how difficult would it be to properly conduct school in the case of such a crippling attack, especially if it was for an extended period?
Could a school and its staff make it through without the programs used to communicate with one another as well as with students and their parents? What about making lesson plans, collecting assignments and keeping track of grades, and so on?
Alhambra Unified School District’s Ashton Potter, director of technology, said cyberattacks are a huge concern.
“Alhambra Unified, along with every school district in the country, is constantly preparing for a cyberattack like the one LAUSD is suffering,” Potter said. “Cybersecurity is AUSD’s priority one safety concern alongside the physical safety of our students and staff.”
That said, Alhambra Unified is prepared in case of such an attack, officials said.
“AUSD could operate if we experienced a situation like LAUSD’s,” Potter said. “Most of the district’s communication tools are cloud-based apps. We back up our internal systems offline daily. We prioritize our time and resources on making sure our hardware and software systems are always up to date.”
The district’s stand-by servers would be employed, part of an array of tools that would enable administrators and the parents and students they serve to access student-information systems for grades and attendance.
But the nature of the attacks is becoming increasingly sinister, experts suggest.
“I think one thing that we have seen with ransomware actors, in particular — and this is a trend that has emerged over the last just couple of years — which is that ransomware attacks that sort of lock up school’s IT systems and infrastructure are almost never the whole story,” said Doug Levin, national director of K12 Security eXchange, or K12 SIX, a non-profit organization built to protect schools from cybersecurity threats.
The rest of the “story” is that the initial attack is accompanied by major data breaches, he said.
A ransomware actor could compromise a school district’s IT system for weeks — even months — before activating the malware, which is designed to threaten the publication of sensitive personal data unless the actor is paid a ransom, Levin said.
At stake is the release of sensitive data ranging from information on students, families and teachers to the business operations of school districts.
In the cases where school districts have not negotiated with the ransomware actors, that data has been dumped or sold off to criminal forums on the dark web. That has led directly to identity theft, not just of school employees and adults, but also of students as young as elementary-school aged.
School districts are taking precautions.
Manoj Roychowdhury, associate superintendent of Business Services at Hacienda La Puente Unified, said his district is very aware of the issue.
Roychowdhury pointed to “incremental steps” to harden the district’s infrastructure. Firewalls, virtual private networks (VPNs), ramped-up data security and monitoring, and a lot of employee training are all being employed to protect against hackers, Roychowdhury said.
Azusa Unified Superintendent Arturo Ortega said that if his district experienced such an attack, it would affect the daily routine, but getting through it would be doable.
“We have definitely become more reliant on educational technology in the last several years,” he said. “The loss of educational technology would cause some setbacks in daily operations, but we are fortunate to have both digital and hard copies of student curriculum and textbooks.”
He said attendance can be taken by hand and communication with parents could be done via letters sent home.
“Without access to classroom technology, daily instruction in some classes may look a little different from what students have grown accustomed to, but we would still be able to deliver an exceptional educational program,” Ortega said.
His technology manager, Manuel Sanchez, suggested that such instances are a sign of the times.
“As the number of online services needed to keep a school district operational in a digital world increases, the impact of an attack such as the one that has affected LAUSD makes it challenging for students and faculty to operate as they are accustomed to for an extended period of time,” he said.
“While IT departments work diligently to prevent such attacks, it is a reality that criminal organizations are looking to exploit systems.”
These attacks are expensive, Levin said.
“The cost of responding to the incident in the short term can very well be dwarfed by the long-term cost,” he said.
He noted that Baltimore County Public Schools and Buffalo Public Schools within the past couple of years suffered cyberattacks.
“They reported that their sort of medium-term recovery costs were going to be roughly $10 million or more,” he said. “Baltimore County is a larger school district, but it’s not LAUSD-big. Buffalo is smaller than that. But it just goes to show that the longer-term costs for recovery are significant.
“And these are costs that are really incurred whether or not a district pays the extortion demand. The fact that an outside unauthorized actor was able to not just break into the school’s IT systems, but to take them over, suggests that there may be quite a bit of work that is required to ensure something like that does not happen again.”
Levin said that this is indeed a brave new world for schools in this regard.
“For those schools that maybe were not relying on technology tremendously in years past, certainly in a post-COVID world with the rise of remote learning, schools are now relying on technology for not just teaching and learning in the classroom, but for all the back office operations.”
In other words, for just about everything.
Levin said that because there is not a uniform mandate on schools to provide a certain level of security services, school districts are in very different places with respect to cybersecurity programs.
He also said cybersecurity insurance is not easy to get because insurance companies require certain standards be met in order to qualify.
“For instance, you may not be able to get cybersecurity insurance unless you start putting in place some protections that we know work,” Levin said.
That’s not to mention that kind of insurance is very expensive.
“I do know districts that have forgone purchasing insurance because they could not qualify or afford it,” he said.
Ultimately, LAUSD appeared to have survived a major breach.
Classes resumed as scheduled Tuesday at the district — the second largest in the nation — following the weekend cyberattack on its information technology systems. The attack led to a federal investigation and instructions for teachers, staff and students to change their hundreds of thousands of district passwords.
The attackers used ransomware, LAUSD Superintendent Albert Carvalho said, but no confidential student information was breached, and there was no evidence that social security numbers or confidential health information was compromised.
He said the entity attacked the district’s facilities system, which contains information on payments made to contractors — much of which was already public information.
All told, Carvalho said, “We are experiencing a fairly normal school day,” in a morning news conference.
Still, by 9 a.m., the school’s attendance system was back online but schools were also taking attendance manually.
District officials said they immediately established a plan of action to provide protection in the future, “informed by top public and private sector technology and cyber security professionals.”
Levin said his advice to school districts is to take action before an incident occurs by putting in place better defenses and good policy.
“This is definitely not something that you want to be figuring out after you’ve already realized that you’ve been compromised in an incident,” Levin said.