Cyberattack on LA schools shows bolder action needed to stop ransomware

A ransomware attack on the Los Angeles Unified School District should serve as a wake-up call to the continued threat of cyber attacks on critical sectors across the country and the need for more aggressive concerted action to protect them.

The breakdown of the nation’s second-largest school system, with more than 650,000 students and 75,000 employees, forced the shutdown of some of the district’s computer systems. The only positive is that no immediate requests for money were made and the schools opened as planned on September 6.

Ransomware attacks are on the rise

My first thought when I heard about the incident was: Here we go again. Ransomware attacks against public institutions such as schools, hospitals and municipalities have increased in recent years. And it is not just the number of these attacks but their nature that is so disturbing. They feel particularly egregious because they cross the line of economic crime to disrupt the lives of ordinary Americans, and even put lives on the line.

In April, the US Department of Health and Human Services issued a warning about an “unusually aggressive and financially motivated ransomware group” known as Hive attacking healthcare organizations. Hive has targeted dozens of hospitals and clinics, including an Ohio health system that had to cancel surgeries, divert patients and switch to paper medical records.


Ransomware attacks on municipalities across the United States have been rampant for years. An attack on Baltimore in 2019, for example, locked city employees out of their email accounts and blocked citizens from accessing websites to pay water bills, property taxes and parking tickets. In 2018, ransomware shut down most computer systems in Atlanta for five days, including some used to pay bills and access court records. Instead of paying a $52,000 ransom, Atlanta chose to rebuild its IT infrastructure from scratch at a cost of tens of millions of taxpayer dollars.

Growing target of cybercrime

And now schools are high on the list of cybercriminals’ favorite targets. Two days after the Los Angeles School District discovered it had been attacked, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned that the mysterious Vice Society gang, which admitted responsibility for the breach, and other malicious groups are likely to continue their assaults.

“The impacts of these attacks range from restricted access to networks and data, delayed exams, canceled school days, unauthorized access and theft of personal information about students and staff,” the agencies’ alert states. “The FBI, CISA, and MS-ISAC anticipate that attacks may increase as the 2022/2023 school year begins and ransomware criminal groups perceive opportunities for successful attacks.”

Worse, every school district is at risk, the agencies say. “School districts with limited cybersecurity capabilities and limited resources are often the most vulnerable,” the alert states, but “opportunistic targeting often seen with cybercriminals can still put school districts with robust cybersecurity programs at risk.”

According to a study by cybersecurity research firm Comparitech, schools that were hit by a ransomware attack lost an average of more than four days in downtime and spent nearly 30 days recovering. The overall cost of these attacks is estimated at $3.56 billion.

The vulnerability of schools, hospitals and municipalities is a matter of great national concern, and we should all feel frustrated that incidents like the attack on Los Angeles schools continue to occur.

When it comes to ransomware, our most crucial institutions seem stuck in a cycle of rinse and repeat. It must be broken. But how?

The US government is taking action on cybersecurity

The federal government weighed in with the K-12 Cybersecurity Act. Introduced by Sen. Gary Peters (D-Mich.) and signed on Oct. 8 by President Biden, the measure directs CISA to study cybersecurity risks facing elementary and secondary schools and recommend guidelines to help schools strengthen their cybersecurity protection.

Meanwhile, in November 2021, the United States Government Accountability Office (GAO) recommended that the Department of Education work with CISA to develop and maintain a new cybersecurity risk management plan for K-12 schools.

The last such plan “was developed and published in 2010,” the GAO said, and “since then, the cybersecurity risks facing the subsector have changed significantly.”

While these are potentially helpful beginnings, I would like to see more recognition that many school districts across the country have limited resources to devote to cyber defense and need more help.

To that end, CISA and law enforcement should work to urgently provide school districts and other critical sectors with a simple yet powerful weapon: a standardized attack prevention and response plan. The more specific the plan, the better.

CISA would be wise to engage cybersecurity experts from internal and external entities to create a prescriptive playbook that city CIOs can simply pull off the shelf and implement, much like a recipe anyone can use to cook dinner.

The playbook should detail specific configuration settings for things like access control mechanisms, network devices, and end-user computer systems. It should specify which types of cybersecurity tools are best to deploy and how to configure them, and explicitly state what types of audit logs to collect, where to send them, and how best to deploy tools to analyze them in order to stay one step ahead of threat actors.

Pool resources to protect public establishments from cyberattacks

In the United States, there are around one million cybersecurity workers, but around 715,000 jobs remained to be filled in November 2021, according to a report by Emsi Burning Glass (now Lightcast), a market research company. In light of this, governments have an opportunity to pool their resources to deliver cybersecurity as a service, instead of each individual IT service provider having to compete for this already scarce talent.

Governments will want to establish a defensive cybersecurity and threat intelligence service that all of their local IT service providers can take advantage of: in effect, cybersecurity as a service. This would help relieve local IT service providers from having to use their limited manpower and budgets to defend IT services, and instead allow governments to pool their limited cybersecurity talents and funding to provide a full service for all. It would also allow governments to see cyberattacks across a broad spectrum and design defenses that could be applied to all localities evenly so that repeat attacks could not occur.

Currently, school systems and others are too often left to resolve these important issues on their own, which can lead to confusion, mistakes, and the reinvention of the wheel.

With a detailed yet easy-to-follow core cybersecurity framework from top government experts, however, no local entity would have to go the wrong way when it comes to ransomware. They would have something closer to a car manual, a comprehensive set of approved practices for preventing problems.

Conclusion: Our valuable public institutions should be harder targets for cybercriminals to penetrate. The country should demand this and work harder to make it happen.

Michael Mestrovich is Chief Information Security Officer at zero trust data security company Rubrik and former acting CISO at the Central Intelligence Agency.

