Check out the on-demand sessions from the Low-Code/No-Code Summit to learn how to successfully innovate and achieve efficiency by upskilling and scaling citizen developers. Look now.
A ransomware attack on the Los Angeles Unified School District should serve as a wake-up call about the continuing threat to the nation’s critical sectors from cyberattacks and the need for more aggressive, concerted action to protect them.
The breach at the nation’s second-largest school system, with more than 650,000 students and 75,000 employees, forced the shutdown of some of the district’s computer systems. The only good thing is that no immediate demands for money were made and the schools opened as planned on 6 September.
Ransomware attacks are on the rise
My first thought when I heard about the incident was: Here we go again. Ransomware attacks on public institutions such as schools, hospitals and municipalities have grown in recent years. And it is not just the number of these attacks, but their nature that is so disturbing. They feel particularly terrible because they cross the line from economic crime to disrupting the lives of ordinary Americans, or even putting lives at risk.
In April, the US Department of Health and Human Services issued a warning about an “exceptionally aggressive, financially motivated ransomware group” known as Hive that is attacking healthcare organizations. Hive has gone after dozens of hospitals and clinics, including an Ohio health system that had to suspend operations, reroute patients and switch to paper medical charts.
Intelligent Security Summit
Learn the critical role of AI and ML in cybersecurity and industry-specific case studies on December 8. Sign up for your free pass today.
Ransomware attacks on municipalities across the United States have been rampant for years. An attack on Baltimore in 2019, for example, locked city employees out of their email accounts and prevented residents from accessing websites to pay water bills, property taxes and parking tickets. In 2018, ransomware shut down most of Atlanta’s computer systems for five days, including some used to pay bills and access court records. Instead of delivering a $52,000 ransom, Atlanta chose to rebuild its IT infrastructure from scratch at a cost of tens of millions in taxpayer dollars.
Increasing targets for cybercrime
And now schools are moving up the list of cybercriminals’ favorite targets. Two days after the Los Angeles school district discovered it had been attacked, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned that the mysterious Vice Society gang, which admitted responsibility for the breach, and other malicious groups are likely to continue their abuses.
“The consequences of these attacks have ranged from limited access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information about students and staff,” the agencies said in a statement. “The FBI, CISA and MS-ISAC anticipate that attacks may increase as the 2022/2023 school year begins and criminal ransomware groups see opportunities for successful attacks.”
What’s worse, every school district is at risk, according to the agencies. “School districts with limited cybersecurity capabilities and limited resources are often the most vulnerable,” the alert said, but “the opportunistic targeting often seen by cybercriminals can still put school districts with robust cybersecurity programs at risk.”
According to a study by cybersecurity research firm Comparitech, schools that have been hit by a ransomware attack lose an average of more than four days to downtime and spend nearly 30 days recovering. The total cost of these attacks is estimated at $3.56 billion.
The vulnerability of schools, hospitals and municipalities is a matter of great national concern, and we should all feel frustrated that incidents like the Los Angeles school attack continue to happen.
When it comes to ransomware, our most critical institutions seem stuck in a rinse-and-repeat cycle. It must be broken. But how?
US authorities are taking measures against cyber security
The federal government has weighed in with the K-12 Cybersecurity Act. Introduced by Sen. Gary Peters (D-Mich.) and signed into law Oct. 8 by President Biden, the measure directs CISA to study the cybersecurity risks facing K-12 schools and recommend guidelines to help schools increase their cybersecurity protections.
Meanwhile, in November 2021, the US Government Accountability Office (GAO) recommended that the Department of Education work with CISA to develop and maintain a new plan to address cybersecurity risks at K-12 schools.
The last plan “was developed and issued in 2010,” the GAO said, and “since then, the cybersecurity risks facing the subsector have changed substantially.”
While these are potentially helpful starts, I’d like to see more recognition that many school districts around the country have limited resources to commit to cyber defenses and need more help.
To that end, CISA and law enforcement should work urgently to provide school districts and other critical sectors with a simple but powerful weapon: a standardized plan to prevent and respond to attacks. The more specific the plan, the better.
CISA would be wise to engage cybersecurity experts from both internal and external entities to build a prescriptive playbook that municipal IT directors can simply take off the shelf and implement, sort of like a recipe that anyone can use to cook dinner.
The playbook should describe specific configuration settings around things like access control mechanisms, network devices, and end-user computer systems. It should specify what types of cybersecurity tools are best to deploy and how to configure them, and explicitly state what types of audit logs to collect, where to send them, and how best to deploy tools to analyze them to stay ahead of threat actors .
Gather resources to protect public institutions from cyber attacks
In the United States, there are about one million cybersecurity workers, but there were approximately 715,000 jobs that were not yet filled as of November 2021, according to a report by Emsi Burning Glass (now Lightcast), a market research company. In light of this, governments have an opportunity to pool their resources to provide cyber security as a service, as opposed to each individual IT service provider having to compete for this already scarce talent.
Governments will want to set up a defensive cyber security and threat intelligence service that all their local IT service providers can benefit from – effectively, cyber security as a service. This will help relieve local IT service providers from having to use their limited manpower and budgets to defend IT services, and instead allow governments to pool their limited cybersecurity talent and funding to provide a comprehensive service for all. It will also enable governments to see cyber attacks across a wide spectrum and craft defenses that can be applied across all locations uniformly so that repeat attacks cannot occur.
Currently, school systems and others are too often left to figure out these important matters on their own, which can lead to confusion, mistakes and reinventing the wheel.
However, with a detailed but easy-to-follow primary cybersecurity framework from the government’s top experts, no local entity would need to wing it when it comes to ransomware. They wanted something more like a car manual, a comprehensive set of approved procedures for preventing problems.
Bottom line: Our precious public institutions should be harder targets for cybercriminals to penetrate. The country should clamor for it and work harder to make it happen.
Michael Mestrovich is head of information security at zero trust data security company Rubric and former acting CISO at the Central Intelligence Agency.
Data Decision Makers
Welcome to the VentureBeat community!
DataDecisionMakers is where experts, including the technical people involved in data work, can share data-related insights and innovation.
If you want to read about cutting-edge ideas and up-to-date information, best practices and the future of data and data technology, join us at DataDecisionMakers.
You may even consider contributing an article of your own!
Read more from DataDecisionMakers