Schools are vulnerable to breaches—and hackers know it

James Corns first got wind of a cybersecurity incident one evening in November 2020, when a live stream of the Baltimore County Board of Education was interrupted.

By 11 p.m. that night, after getting calls from staff across the Baltimore County Public Schools system about their laptops malfunctioning, Corns realized the school system faced a “full scale attack.”

An investigation later found that hackers had been in the school system’s networks for about two weeks, after what Corns, executive director of IT, described as an “operator error” let them in. It started when a staff member who received an Excel spreadsheet in an email was unable to access it and forwarded it to a contractor who could, opening the door to the attack. 

“It’s just a thing that happened,” Corns recounted at the Billington State and Local Cybersecurity Summit in Washington, D.C., this week, noting that it is hard to prepare against human error.

The consequences were enormous. Students lost three days of in-person instruction around the Thanksgiving break, and it took about a year to fully restore networks. “We had a lot of quick wins, but a lot of the work was long and arduous,” Corns said.

It cost the school system more than $9.5 million to recover from the cyberattack, upgrade their networks and migrate to a new platform, according to the Maryland Office of the Inspector General for Education.The office investigated the incident after receiving a complaint that the school system disregarded recommendations made in three separate reports by the Maryland Office of Legislative Audits urging it to bolster its cybersecurity.

While the ransomware attack was damaging to the Baltimore County Public Schools system, it shone a light on the operational changes that needed to be made, and some of the challenges that exist in guarding against such attacks. Corns said if he could “rewind” the clock, he would go back and ensure that the various departments had fully documented how to do their jobs. He would also have another email system in place—as the school system does now—to avoid any interruption in communications with the state.

Baltimore County is far from alone. Schools systems of every size are increasingly being targeted by hackers. School districts as large as Los Angeles have also suffered debilitating cyberattacks in recent years, with estimates suggesting the costs of attacks on academic institutions were upwards of $9 billion in 2022 alone. According to the cybersecurity firm Emsisoft, roughly 45 school districts were attacked in 2022, a number that more than doubled to 108 last year.

But getting cyber protections in place for K-12 schools to ward against these increasing attacks remains a challenge nationally, and it so concerns the federal government that the Federal Communications Commission is piloting a $200 million grant program for public schools and libraries to boost their cybersecurity.

Corns said the Baltimore County Public Schools system, like other school systems nationwide, has cybersecurity vulnerabilities that other governmental organizations do not struggle with. For example, he said, all 110,000 students are issued an email account starting at the age of 4 when they do not yet appreciate the vagaries of internet security.

“It’s very hard to keep a strong password for a student that is still learning to find the numbers on a keyboard,” Corns said.

New cybersecurity requirements can also fall foul of negotiations with the five labor organizations that represent employees in the school system, too. Getting employees to use their cellphones for multifactor authentication, or MFA, required union approval, said Corns, noting that the attack did help “grease the skids on that conversation.”

And while legislation requiring MFA for school employees is making its way through the Maryland General Assembly, knowing these vulnerabilities exist makes school systems very tempting for attackers.

“It’s what makes it such an easy target for the bad actors, because they know that we struggle with those types of conversations,” Corns said.

Every organization in the U.S. is a potential target for a ransomware attack, not just government, said Mike Woodward, team lead for cyber threat intelligence at the nonprofit Center for Internet Security. And threat actors are ever present, as even when groups end their activity, more pop up. “It’s almost like the hydra, where you cut off one head and two appear.”

Woodward argued that every organization must put in the work now to prepare for a possible cyberattack and patch vulnerabilities, or else they will be forced to pay more later after a successful attack. Having an incident response plan is key, as well as a strategy to communicate about any incident with leadership as well as the media. Tabletop exercises involving every department, not just those with a tech focus, also help make the threats more tangible.

“Us cyber folks are in it, day in and day out,” Woodward said. “But you need to get the attention of executives and decision-makers in order for them to understand the threat that is bearing down on the organization, and to identify the gaps.”