In May of 2023, the New Haven Public School system was the victim of a cyber-attack that ultimately cost the district $6 million in stolen funds. It was one of at least two attacks in 2023, which resulted in financial losses, compromised data and systems, and money spent on investigations, fixes, and mitigation otherwise intended to serve Connecticut students. 

The impact is felt here in Connecticut communities, and the issue is national in scope. This past year saw at least 108 K-12 school districts hit by ransomware, as well as at least 72 colleges and universities. That number is more than double what it was in 2022 and only represents the most disruptive type of attack. In the six years between 2016 and 2022, there were more than 1,600 attacks spanning the most common types: ransomware, phishing, and Distributed Denial of Service.

Cyber attacks come in a variety of forms. In New Haven, a hacker gained access to the email account of the district’s Chief Operating Officer (COO). The hacker then used this access to impersonate the COO and district vendors to request money transfers, $5.9 million of which was intended for the district’s bus vendor.

In other cases, districts have fallen victim to ransomware, an increasing threat to schools and hospitals, which maintain large amounts of sensitive data. In this type of attack, hackers access a school’s computer system (sometimes through email) and deploy a program that searches for personal information – names, addresses, social security numbers, and a host of other sensitive data – and encrypts it. The district is then locked out of its systems and the attackers try to profit in two ways. They can take the sensitive data they’ve stolen and use it to commit identity fraud, or they can ransom it, demanding the district pay for its safe return. In some cases, the hackers threaten to post the data online where it can be abused by bad actors at the expense of students, parents, administrators, and a school district’s bottom line.

Hartford schools had to postpone the first day of classes in 2020 when an attack froze their systems. In 2022, State Attorney General William Tong weighed in when an attack at a service provider named FinalSite took down the websites of thousands of school districts nationwide.

In November 2023, Manchester Public Schools lost $180,000 when a district vendor was hacked and school leadership sent three electronic payments to a fraudulent account. Both the police and the school’s insurance company are currently investigating.

In addition to the financial and privacy concerns, there are also less tangible impacts. Ransomware attacks on their own can lead to between three days and three weeks of learning loss depending on the severity. 

In August, White House officials announced a new emphasis on securing Kindergarten through 12th-grade schools. This included the announcement of a national-level coordinating council to share information and best practices between school districts nationwide. It also included the release of new resources and the inclusion of low- or no-cost services for school districts from several major businesses like Amazon, Cloudflare, Google, and others, funded by taxpayer dollars at the federal level.

But resources and guidelines can only go so far in a sector that, some say, is understaffed and facing mounting challenges in an increasingly complex digital world.

Among those speaking up about the challenges of a digital world is Jeff Brown, Chief Information Security Officer (CISO) for the State of Connecticut. “I think one of the biggest challenges is IT is not part of [schools’] core mission,” he says. “They’re there to educate. They’re there to use IT. They’re not necessarily there to manage IT. And the challenge, I think, is that they don’t necessarily have the skills, the focus, or the people to get a lot of things done that need to be done because they’re so focused on just making sure that they’re getting education done, which is a full-time job by itself.”

Cybersecurity has been Brown’s job for 27 years now. He spent much of that career working for financial institutions like Merrill Lynch, Citigroup, and Goldman Sachs, but four years ago he became the first CISO for the state. Brown says that while many things have changed in that time – like the type of attacks and the people doing them – others have not, like the effort it can take to convince school leadership that cybersecurity is something to be taken seriously.

“It’s more trouble. It takes more time. It takes a little bit more money. All of the above,” he says. “So, somebody has to think that it’s important enough that we’re going to spend time, money, and people on trying to make that stuff happen.”

Brown says that in his experience there is an understandable, if ill-advised, belief that these kinds of attacks happen to other people, not to you, though this has improved over the years. This can make it difficult to convince those with the purse strings to invest more money in software or staff to harden systems against attacks that haven’t happened yet and may never happen. The reality, he adds, is that hackers are more likely to target schools at random, finding a vulnerable server and attacking, then figuring out who it belongs to later. The target, then, is impersonal, and based on ease of access.

“One of the problems is that schools and universities do still tend to be easy targets,” Brown says. “They just don’t have the IT resources trying to get the security controls in place, and they’re trying to balance. I think that it is one of the most challenging environments to be in.”

Convincing leadership, including superintendents and school boards, to take things seriously isn’t the only challenge, however. Once the problem is identified, it takes time and resources to get a school district up to speed. In a society that is increasingly dependent on technology, and a school environment that is increasingly using the internet for basic tasks, every single person in the district represents a possible security vulnerability, and some people might have more trouble than others protecting their systems.

“We’re talking in acronyms. We might as well be speaking Arabic,” says Brown, when considering how difficult it can be to bring everyone up to speed. “We have to make sure that we’re getting the message across right and that it’s actually resonating with people, and that they’re actually going to take action.”

“It really does, in my mind, come down to administrative leadership as to what the priorities are and if educating your end users as to what they should be clicking on is a priority,” says Ryan Kocsondy, Director of the Connecticut Education Network (CEN). “You’ve got to educate people on what they’re looking at, what to look for, and, if they’re questioning it, they should probably go with their gut and maybe not click on that or report it.”

CEN provides internet and technological services to public organizations statewide. They focus on schools, colleges and universities, libraries, town offices, state government, and some public non-profits and for-profit entities. Nearly all – or 98% – of Connecticut’s public school districts utilize CEN as their internet service provider, which makes protecting those networks a high priority for the organization.

“Every organization is competing for priorities one way or another,” says Kocsondy. “Things will wax and wane through the years, but cybersecurity is high on the list for most, if not all.”

The problem is, CEN isn’t a primary cybersecurity service for schools; in most cases, there isn’t one. The organization provides some moderate protections as part of its normal service and then provides resources for IT professionals at the district level to cover the gap in security. These resources can be used, or not, by a district to fit its needs, and some of them are provided at a cost to those districts. Kocsondy says they try to provide things free of charge whenever possible.

“An example of what we would consider an essential cybersecurity is DDoS monitoring mitigation protection,” he says.

DDoS — or Distributed Denial of Service — refers to a type of cyber-attack where a hacker floods a website or server with a massive wave of traffic. With so many requests fighting for attention and unable to respond to them all, the system freezes. It’s a simple type of attack that can cause a massive headache for an organization that relies on its computers to function. CEN provides services to schools that help get their systems back online and stop these attacks when they happen.

“We provide that as part of our delivery at no additional cost, and we mitigate or alleviate anywhere from 400 to 1,000 in a calendar year that are targeting somebody in our infrastructure,” says Kocsondy. “That’s a problem that, if you didn’t have that kind of protection, it could be very problematic, costly, disruptive, all of the above.”

DDoS attacks are only a small part of a much larger – and constantly shifting – problem. Phishing – where a hacker places malware into a link in an email that seems legitimate – is a major tactic attackers will use to gain access to a system, and it is difficult to stop every person in a district from clicking on every suspicious link. And ransomware has become an increasingly common attack that hackers will use to steal information for profit or to extort a district for money. Ultimately, protection from all of the possible threats is the responsibility of the districts themselves.

“The state doesn’t really have the authority to say, you must do this, you must do that,” says Brown. “What we can do in some cases, is make things available.”

While making resources available or connecting districts to services and professionals who can help is a role that CEN takes on as part of its mission, they can’t force schools to implement any specific tools.

“We encourage everybody to join the multistate ISAC (or Information Sharing and Analysis Center),” says Brown. “That’s a federal group that has a lot of free things that people can do. We want to make sure that everybody’s at least aware of the free things that they can do to help their security.”

The state cannot, says Brown, “parachute in” when a school suffers a breach and fix all the problems. They are generally limited to helping the district find the help it needs, be it CEN resources or referrals to other providers.

“We’re just providing resources saying, if you’re going to just do anything, just at least do these three things, please,” adds Kocsondy. “But also, getting folks in touch with the right resources or the right people, so that they can kinda do it.”

But, Kocsondy says, there are some things they can do in a dire situation that might help get a district out of trouble, as long as they ask.

“If there’s something that people don’t know enough about. If we have something in the CEN service portfolio that’s effective for somebody to get them out of a crisis, we’d give it to them, no cost, no questions asked, for three months.”

If those resources turn out to be effective, the district could opt to purchase the service once they are back in control. But, Kocsondy adds, they’re not going to recommend services to people that they might not need just to make money.

“We’re not pushing things on people,” he says. “If it’s available, they hopefully know we would just make it available to them.”

Kocsondy says that the best thing a district can have is a plan. One that is practiced and understood by all involved.

“When there are attacks or issues, somewhat of a common response is to find the IT professional and have that person fix whatever’s going on,” he says. “But in some cases, if you’ve only got one or a few, they’re going to need help.”

That help can come from everyone in a district knowing what their role is in case of an attack on the district systems. Kocsondy says districts should think of cybersecurity like any other disaster they might prepare for and prioritize it the same way.

“Plans are important to have in place for if and when those things happen,” he says. “Ideally, they’re practiced, and ideally the administration of the organization understands, the same way you would practice a fire drill, what’s everybody’s role and who’s doing what.”


An Emmy and AP award-winning journalist, Tricia has spent more than a decade working in digital and broadcast media. She has covered everything from government corruption to science and space to entertainment...
