Op-Ed: Cyberattack on Los Angeles Schools Could Happen Anywhere

Education technology enhances classroom learning. It also risks exposing up to 53 million K-12 students nationwide to costly disruption. As the Los Angeles Unified School District experienced last month, learning and basic school functions can come to a halt if systems aren’t properly secured.

As school districts add technology, they increase the risk of ransomware attacks. Products such as Google laptops, assignment apps and writing tools – some of which were already in use in more than half of classrooms in 2017 – introduced a wealth of confidential student information in the K-12 schools technology ecosystem, in addition to staff and contractor data. The pandemic has accelerated the use of virtual learning tools which have increased the vulnerability of schools, and there has been an increase in the frequency and complexity of attacks.

Affluent and low-income communities are targeted. A 2020 report found that although large districts and those serving wealthier communities were most likely to experience a cybersecurity incident, districts with a higher proportion of poor students were also likely to be affected. perhaps because hackers know that these districts receive federal funding to bridge the digital divide.

In the recent case of Los Angeles, hackers launched a ransomware attack over Labor Day weekend, following the “back to school” strategy and holiday attacks that target times of stress when , against FBI advice, administrators may be more likely to pay a ransom to restore systems and recover data.

LA schools refused to pay a ransom, and the hackers responded by posting the district’s data to the dark web on October 1. a “limited” number of contracted facility workers. The attack also caused some disruption on the first days of school.

These cybersecurity threats aren’t caused by hackers alone: ​​old equipment, reliance on third-party technology contractors, inexperienced staff, and failure to follow basic security protocols can lead to breaches. Legacy technology in many schools – the outdated IT infrastructure, including hardware, other devices, and software – often cannot support modern security needs.

Unfortunately, the same IT professionals hired to protect computer systems end up causing at least 75% of data breach incidents in K-12 public school districts, according to data from the past several years. This is partly due to a shortage of expert staff who can effectively vet and monitor vendors to ensure they are properly managing risk and reducing school vulnerabilities. According to Rotem Iram, CEO and co-founder of At-Bay, a cybersecurity insurance provider in California, the districts’ reliance on a bunch of different technology vendors means that something, somewhere, is always broken. And hackers know this is the case in schools.

There were at least 166 cyber incidents identified in 2021 affecting 162 schools in 38 states, according to a report. Why haven’t our schools adopted better cybersecurity?

In their rush to install digital teaching tools, most districts skipped the more tedious task of installing robust cybersecurity systems and protocols. Few practice basic cybersecurity hygiene, such as two-factor authentication. In these information-rich environments, simple protocols can make a huge difference in protecting students’ personal information.

When it comes to district technology, several barriers stand in the way of upgrades: budget cuts and limited funding, a lack of vision among school district leaders, and the need for school board approvals and negotiations. unions, according to an industry brief by Ultimate Kronos Group, a workforce management software company. When UKG experienced a massive hack in December that affected thousands of employers, it illustrated the extent of the risks K-12 districts face in relying on vendors.

Efforts are underway to protect school data. This year, President Biden signed into law the State and Local Cybersecurity Improvement Act, authorizing $1 billion in grants to state, local, and tribal government entities — including school districts — to address cybersecurity threats and cybersecurity risks. computer system. The step follows last year’s K-12 Cybersecurity Act tasking the Department of Homeland Security with reviewing cybersecurity threats to schools and issuing recommendations.

In addition to these funds and recommendations from the federal government, an incentive program could help, particularly through insurance policies. It is difficult for an institution to qualify for cyber insurance without having strong security systems in place. The public education sector is considered a very high risk industry for cyber insurance, according to Iram: “Security analyzes often reveal that the education sector has low resilience to exposure to cyber risks”. And the premiums are high.

But it’s worth the investment to avoid or minimize debilitating business losses; many policies offer free or discounted pre-loss risk mitigation services and resources, including legal counsel, public relations specialists and computer forensics experts. The federal government can use this tool by offering financial support for cybersecurity assurance, but only to districts that align their systems with best practices.

The heavy toll of ransomware attacks on our schools’ finances, time, and privacy makes it clear that unprepared districts are a recipe for disaster. It demands support from the government, the tech industry, and even the cybersecurity and insurance industry to address it.

Heidi Boghosian is a lawyer and author of “”I Have Nothing to Hide” and 20 Other Surveillance & Privacy Myths”.

Comments are closed.