Check out all the on-demand sessions from the Intelligent Security Summit here.
A ransomware attack on the Los Angeles Unified School District should serve as a wake-up call about the persistent threat to the nation’s critical sectors from cyberattacks and the need for more aggressive, concerted action to protect them.
The breach of the nation’s second-largest school system, with more than 650,000 students and 75,000 employees, forced the shutdown of some of the district’s computer systems. The only silver lining is that no immediate demand for money was made and schools opened as scheduled on Sept. 6.
Ransomware attacks on the increase
My first thought when I heard about the incident was: Here we go again. Ransomware attacks on public institutions like schools, hospitals and municipalities have been growing in recent years. And it’s not just the number of these attacks but their nature that is so disturbing. They feel especially egregious because they cross the line from economic crime to disrupting the lives of everyday Americans, or even putting lives at stake.
In April, the U.S. Department of Health and Human Services issued a warning about an “exceptionally aggressive, financially-motivated ransomware group” known as Hive that attacks healthcare organizations. Hive has gone after dozens of hospitals and clinics, including a health system in Ohio that had to cancel surgeries, divert patients and shift to paper medical charts.
Intelligent Security Summit On-Demand
Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.
Ransomware attacks on municipalities across the United States have been running rampant for years. A 2019 attack on Baltimore, for example, locked city employees out of their email accounts and prevented citizens from accessing websites to pay their water bills, property taxes and parking tickets. In 2018, ransomware shut down most of Atlanta’s computer systems for five days, including some used to pay bills and access court records. Instead of delivering a $52,000 ransom, Atlanta chose to rebuild its IT infrastructure from scratch at a cost of tens of millions of taxpayer dollars.
Growing cybercrime target
And now schools are moving up the list of cybercriminals’ favorite targets. Two days after the Los Angeles school district discovered that it had been attacked, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned that the mysterious Vice Society gang, which admitted responsibility for the breach, and other malicious groups are likely to continue their assaults.
“Impacts from these attacks have ranged from restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff,” the agencies’ alert said. “The FBI, CISA, and the MS-ISAC anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks.”
What’s worse, every school district is in jeopardy, according to the agencies. “School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable,” the alert said, but “the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk.”
According to a study by cybersecurity research firm Comparitech, schools that have been hit by a ransomware attack lose on average more than four days to downtime and spend nearly 30 days recovering. The overall cost of these attacks is estimated at $3.56 billion.
The vulnerability of schools, hospitals and municipalities is a matter of great national concern, and we should all feel frustrated that incidents like the Los Angeles schools attack keep happening.
When it comes to ransomware, our most crucial institutions seem stuck in a rinse-and-repeat cycle. It needs to be broken. But how?
U.S. government taking action on cybersecurity
The federal government has weighed in with the K-12 Cybersecurity Act. Introduced by Sen. Gary Peters (D-Mich.) and signed last Oct. 8 by President Biden, the measure directs CISA to study the cybersecurity risks facing elementary and secondary schools and recommend guidelines to help schools beef up their cybersecurity protection.
Meanwhile, in November 2021, the U.S. Government Accountability Office (GAO) recommended that the Department of Education work with CISA to develop and maintain a new plan for addressing cybersecurity risks at K-12 schools.
The last such plan “was developed and issued in 2010,” the GAO said, and “since then, the cybersecurity risks facing the subsector have substantially changed.”
While these are potentially helpful starts, I’d like to see more acknowledgment that many school districts around the country have limited resources to put toward cyber-defense and need more help.
To that end, CISA and law enforcement should urgently work toward providing school districts and other critical sectors with a simple but powerful weapon: a standardized plan for preventing and responding to attacks. The more specific the plan the better.
CISA would be wise to engage cybersecurity experts from both internal and external entities to build a prescriptive playbook that municipal IT directors can simply take off the shelf and implement, somewhat like a recipe that anyone can use to make dinner.
The playbook should detail specific configuration settings around things like access control mechanisms, network devices and end-user computing systems. It should specify the types of cybersecurity tools best to deploy and how to configure them, and explicitly state the types of audit logs to collect, where to send them and how best to deploy tools to analyze them to stay ahead of the threat actors.
Pooling resources to protect public institutions from cyberattacks
In the United States, there are about one million cybersecurity workers, but there were approximately 715,000 jobs yet to be filled as of November 2021, according to a report by Emsi Burning Glass (now Lightcast), a market research company. In light of this, governments have an opportunity to pool their resources to provide cybersecurity as a service, as opposed to each individual IT service provider having to compete for this already-scarce talent.
Governments will want to set up a defensive cybersecurity and threat intelligence service that all of their local IT service providers can take advantage of — effectively, cybersecurity as a service. This would help relieve local IT service providers from having to use their limited manpower and budgets to defend IT services, and instead allow governments to pool their limited cybersecurity talent and funding to provide a comprehensive service for all. It would also enable governments to see cyberattacks across a broad spectrum and craft defenses that could be applied to all localities uniformly so that repeat attacks can’t occur.
Currently, school systems and others are too often left to figure out these important matters on their own, which can lead to confusion, mistakes and wheel-reinventing.
With a detailed but easy-to-follow primary cybersecurity framework from the government’s top experts, however, no local entity would have to wing it when it comes to ransomware. They would have something more akin to a car manual, a comprehensive set of approved practices for preventing problems.
Bottom line: Our precious public institutions should be harder targets for cybercriminals to penetrate. The country should be clamoring for that and working harder to make it so.
Michael Mestrovich is chief information security officer at zero trust data security company Rubrik and former acting CISO at the Central Intelligence Agency.
Welcome to the VentureBeat community!
DataDecisionMakers is where experts, including the technical people doing data work, can share data-related insights and innovation.
If you want to read about cutting-edge ideas and up-to-date information, best practices, and the future of data and data tech, join us at DataDecisionMakers.
You might even consider contributing an article of your own!