Cyberattack on L.A. schools shows bolder action needed to stop ransomware

A ransomware attack on the Los Angeles Unified School District should serve as a wake-up call to the ongoing threat of cyberattacks to the country’s critical sectors and the need for more aggressive, concerted action to protect them.

The intrusion into the country’s second-largest school system, with more than 650,000 students and 75,000 employees, forced some of the district’s computer systems to be shut down. The only bright spot is that no immediate money request was made and the schools opened as planned on September 6th.

Ransomware attacks are on the rise

My first thought when I heard about the incident was: Here we go again. Ransomware attacks on public facilities such as schools, hospitals and municipalities have increased in recent years. And it’s not just the number of these attacks, but their nature that’s so troubling. They feel particularly egregious for crossing the line between white-collar crime and disrupting the lives of everyday Americans, or even putting lives at risk.

In April, the US Department of Health and Human Services issued a warning about an “extraordinarily aggressive, financially motivated ransomware group” called Hive targeting healthcare organizations. Hive has tracked dozens of hospitals and clinics, including an Ohio health system that had to cancel surgeries, redirect patients and switch to paper medical charts.

Ransomware attacks on municipalities in the United States have been widespread for years. For example, a 2019 attack on Baltimore locked city employees from their email accounts and prevented citizens from accessing websites to pay their water bills, property taxes, and parking tickets. In 2018, ransomware shut down most of Atlanta’s computer systems for five days, including some used to pay bills and access court records. Rather than pay a $52,000 ransom, Atlanta opted to build its IT infrastructure from scratch, costing taxpayers tens of millions of dollars.

Growing target of cybercrime

And now schools are moving up the list of top cybercriminal targets. Two days after the Los Angeles school district discovered it had been attacked, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued warnings that the mysterious Vice Society gangs, which have admitted responsibility for the breach, and other malicious groups are likely to continue their attacks.

“The impacts of these attacks ranged from restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information from students and staff,” the agencies’ warning said. “The FBI, CISA, and MS-ISAC believe that attacks may increase as the 2022-2023 school year begins and ransomware criminal groups see opportunities for successful attacks.”

What’s worse, every school district is at risk, according to the agencies. “School districts with limited cybersecurity capabilities and resources are often the most vulnerable,” the alert said, “but the opportunistic bias often seen in cybercriminals can still put school districts with robust cybersecurity programs at risk.”

According to a study by cybersecurity research firm Comparitech, schools hit by a ransomware attack lose on average more than four days to downtime and spend nearly 30 days recovering. The total cost of these attacks is estimated at $3.56 billion.

The vulnerability of schools, hospitals and communities is a matter of great national concern, and we should all be frustrated that incidents like the Los Angeles school attack keep happening.

When it comes to ransomware, our major institutions seem stuck in a flush-and-retry cycle. It has to be broken. But how?

The US government is taking cybersecurity measures

The federal government has looked into the K-12 Cybersecurity Act. Introduced by Sen. Gary Peters (D-Mich.) and signed by President Biden Oct. 8, the measure directs CISA to examine the cybersecurity risks for elementary and secondary schools and recommend policies to help schools meet their improve cybersecurity protection.

Meanwhile, in November 2021, the US Government Accountability Office (GAO) recommended that the Department of Education work with CISA to develop and maintain a new plan to address cybersecurity risks in K-12 schools.

The last such plan “was developed and released in 2010,” GAO said, and “since then, the cybersecurity risks facing the subsector have changed significantly.”

While these are potentially helpful approaches, I would like to see more recognition that many school districts across the country have limited cyber defense resources and need more help.

To that end, CISA and law enforcement should urgently work to provide school districts and other critical sectors with a simple yet powerful weapon: a standardized plan to prevent and respond to attacks. The more specific the plan, the better.

CISA would do well to hire cybersecurity professionals, both internal and external, to create a mandatory manual that municipal IT directors can simply pull off the shelf and implement, much like a recipe that anyone can use for dinner.

The playbook should detail specific configuration settings related to things like access control mechanisms, network devices, and end-user computer systems. It should identify the types of cybersecurity tools that are best deployed and configured, explicitly stating what types of audit logs to collect, where to send them, and how best to deploy tools to analyze them in order to stay one step ahead of threat actors be.

Pooling resources to protect public institutions from cyber attacks

There are about a million cybersecurity workers in the United States, but about 715,000 jobs remained as of November 2021, according to a report by Emsi Burning Glass (now Lightcast), a market research firm. With this in mind, governments have an opportunity to pool their resources to offer cybersecurity as a service, rather than each individual IT service provider having to compete for this already scarce talent.

Governments will want to set up a defensive cybersecurity and threat intelligence service that all of their local IT service providers can use—essentially, cybersecurity as a service. This would relieve local IT service providers from having to use their limited manpower and budgets to defend IT services, and instead allow governments to pool their limited cybersecurity talent and resources to provide a comprehensive service for all. It would also allow governments to see cyberattacks across a broad spectrum and develop countermeasures that could be applied uniformly to all locations to prevent repeat attacks.

At present, school systems and others are all too often left alone with these important questions, which can lead to confusion, mistakes, and reinvention of the wheel.

However, with a detailed but easy-to-follow primary cybersecurity framework from the government’s top experts, no local entity would have to fight back when it came to ransomware. You would have something like a car manual, a comprehensive collection of best practices for avoiding problems.

Conclusion: Our valuable public institutions should be harder for cybercriminals to penetrate. The country should be clamoring for it and working harder to make it happen.

Michael Mestrovich is Chief Information Security Officer at a Zero Trust data security company category and former Acting CISO at the Central Intelligence Agency.