Three years after Congress established the Office of the National Cyber Director to address cybersecurity concerns. Today, ransomware attacks that block a user’s access to personal data unless a ransom is paid continue to be a priority for this office—and K-12 schools in the US are central among the targets of these attacks.
National Cyber Director Harry Coker describes the reasoning behind cyber attacks on K-12 schools as the schools being “target-rich and cyber-poor.”
Coker and other members of his office, alongside state and federal cybersecurity experts, met with New Mexico school superintendents and information technology staff at the New Mexico National Guard Office in Santa Fe on May 31 to share a common solution they believe all schools and districts should use—a public domain name service (PDNS) that prevents ransomware and other cyber attacks through preventing computer systems from connecting to malicious websites.
According to a January 2023 report from New Zealand anti-virus software company Emsisoft, ransomware attacks on school districts nearly doubled from 2021 to 2022—from 1,043 to 1,981 impacted schools in a year.
Notably, both Albuquerque Public Schools and Las Cruces Public Schools suffered ransomware attacks in 2019 and 2022, resulting in canceled school days in Albuquerque and a lack of internet access in Las Cruces schools.
Coker tells SFR such attacks can inflict significant damage. “They can get personal information on students, which can include their grades, medical information, their addresses—schools are a target-rich environment,” Coker says. “‘Cyber-poor’ means they are not as well-resourced as they need to be to defend themselves. Any common criminal or adversary goes after the weakest link.”
For this reason, he says, the Office of the National Cyber Director is working to make cybersecurity services more accessible to K-12 school districts, and make these efforts known to schools that need stronger cybersecurity but lack the funding to do so.
According to the Center for Internet Security’s community assessment responses in the 2022-2023 school year, 81% of K-12 school districts are chiefly concerned with “insufficient funding and inadequate cybersecurity resources,” so the federally funded Multi-State Information Sharing and Analysis Center (MS-ISAC) has developed a Protective Domain Name Service (PDNS) it offers to help limit exposure to malware, phishing, ransomeware and other cyber threats.
Brendan Montagne, MS-ISAC’s regional engagement manager, gave attendees a simple example of how their PDNS works when used by schools.
“If one of your users sees one of the phishing emails you get every day, and they think, ‘I’m just going to do my job today and try and work really quickly,’ and they click on that link, instead of going directly to that link first if it’s…that user is actually blocked from reaching that site,” Montagne says.
Montagne adds that the MS-ISAC regularly updates the list of domains blocked for the schools. He also adds that schools do not necessarily have to use MS-ISAC’s free program, as some state governments, regional education agencies and tech companies also offer PDNS to schools for free.
Santa Fe Public Schools is currently an MS-ISAC member and utilizes its PDNS services, among other safeguards, SFPS Superintendent Hilario “Larry” Chavez says in a written statement to SFR.
“I feel this is a concern for all superintendents and districts statewide,” Chavez writes. “With remote learning accelerating the use of technology, we must be on a continual journey of staying current and upgrading our systems and knowledge. We have training available for all staff and provide simulated phishing emails in order to ensure our end users are able to help prevent these types of attacks.”
Andrew Buschbom, a cybersecurity coordinator from the state Cybersecurity and Infrastructure Security Agency, adds that his agency can offer schools advice, training, assessments and inspections to handle cyber threats.
“You can’t reduce the risk to zero, but we can work on things,” Buschbom says. “This doesn’t happen overnight or in a month—this is years that it takes. And it’s a continuing process. You’re always revisiting your risks, managing that, trying to reduce it.”