The Wednesday before Thanksgiving began with a flurry of urgent text messages and emails among Maryland educational technology chiefs.
Within 10 minutes of hearing that a ransomware attack had immobilized Baltimore County Public Schools overnight, technology staffers with Carroll and Harford counties’ school systems were texting one another.
The Anne Arundel County system’s information technology team swiftly blocked incoming emails from Baltimore County school employees and instructed staff to avoid sending messages to the neighboring school system.
And Maryland’s Chief Information Security Officer Chip Stewart said his cellphone buzzed throughout the morning with questions from public school IT chiefs from around the state. They wanted to know what they could do to ensure the same thing wouldn’t happen to them.
“An incident like this becomes a case study,” said Bob Mosier, a spokesman for Anne Arundel County schools. “Those ‘what about us’ conversations have been plentiful in the last week.”
Experts say cyber attacks on public school systems are on the rise around the country. Just days after the Baltimore County attack, schools in Huntsville, Alabama, were also shut down by a ransomware incident.
In the last six years, state audits routinely have identified cybersecurity vulnerabilities in most of Maryland’s 24 school systems.
School systems in Maryland are generally reviewed by the Office of Legislative Audits once every six years. Auditors share their findings with school officials months before the reports are published and use general terms so as not to put school systems further at risk.
Among the findings, auditors found in 2018 that Baltimore City public schools had stored sensitive, personally identifiable information without adequate safeguards, and the network’s intrusion prevention system had substantial gaps. A city schools spokesman said this week that the district had addressed the issues identified in the audit.
In 2019, auditors identified 32 publicly accessible servers for Anne Arundel schools improperly located within the internal network, with no buffer to prevent hackers from accessing the entire system. Mosier said problems identified in the audit have since been rectified.
Harford County schools’ intrusion detection prevention system was not properly protecting its network, according to a 2015 audit. All of the audit’s findings were appropriately addressed, a spokeswoman said this week.
Howard County public schools’ computer network was not adequately secured, auditors found in 2016. All issues have been addressed per the recommendations and technology security best practices, Superintendent Michael Martirano said.
And four problems outlined in an audit of Carroll County public schools in 2018 were either corrected or in the process of being updated while the audit was still underway, said technology chief Gary Davis.
The Maryland State Department of Education was itself found to have improperly stored the names and Social Security numbers of 1.4 million students and 233,000 teachers, according to a 2019 audit.
“MSDE has taken corrective actions to address the 2019 legislative audit findings in partnership with the state’s Department of Information Technology,” said Lora Rakowski, a spokeswoman for the department.
These audit findings in Maryland are not unusual for school systems, said Douglas Levin, founder of the K-12 Cybersecurity Resource Center.
He pointed to reports throughout the country where state auditors have documented poor protection of sensitive personal data, lax password management, lack of information recovery plans, and other problems.
School systems are increasingly distributing laptops to students and using technology for back-office functions, from bus routing software to Medicaid billing systems, Levin said.
And the COVID-19 pandemic has driven many school systems to hold classes online since March.
“There’s a lot of competition for the money spent in education, and it’s all valid.”— Gary Davis, Carroll County schools' technology chief
Even with this dramatic shift, cybersecurity has not been a priority for the education sector, Levin said. Leaders are making decisions without “a security mindset,” and school systems lack the resources and support they need to adequately manage security risk. And many districts are not required to meet any cybersecurity guidelines.
Maryland auditors use criteria spelled out in the state’s IT security manual, developed by the Department of Information Technology’s Office of Security Management, when evaluating school district IT practices.
Both public school systems and local governments are “low-hanging fruit” for hackers, Levin said. They may be running old IT systems with small staffs — and they are providing essential services.
In smaller school systems like Carroll County’s, technology departments are often competing for funding with other important programs, Davis said.
The technology chief said it’s like having three or four rooms to paint, but only one can of paint.
“There’s a lot of competition for the money spent in education, and it’s all valid,” Davis said. “I think school systems do the best they can to prioritize [funding], but there’s just a limit.”
Davis sees the Baltimore County ransomware attack as a wake-up call for elected leaders in other jurisdictions. Departments like his require a lot of resources to guard against such threats, he said.
Cybersecurity has historically been considered a technology issue, but there’s also a legal and policy component to it, said Markus Rauschecker, the director of the University of Maryland’s Center for Health and Homeland Security cybersecurity program and a member of the Maryland Cybersecurity Council. The council was established in 2015 to provide policy recommendations to the Maryland legislature.
There’s a question in the field of cybersecurity about the extent to which a government should mandate certain best practices for itself and for the private sector, Rauschecker said.
For example, some experts would consider it bad public policy to pay a ransom to hackers because it would likely encourage them to continue using ransomware in the future, he said.
In the case of the ransomware attack against Baltimore City government last year, the city stood firm against paying attackers, but it paid more to fix the problem than the ransom would have cost.
The Evening Sun
Some lawmakers have proposed legislation that would make it easier to prosecute before extortion has occurred. State Sen. Susan Lee, a Montgomery County Democrat, plans to reintroduce a bill that would make possession of ransomware with malicious intent a crime in Maryland.
By no means is the law the only solution, Rauschecker said.
Stewart, the state chief information security officer, said networks and systems are under “constant attack,” so government organizations should work to make themselves difficult targets.
His department maintains a statewide action plan for how to proceed once a ransomware attack has taken place. And the Baltimore County school system had its own action plan in place prior to the attack, he said.
Should a hacker penetrate one layer of protection, a system should have mechanisms in place that make it difficult to move even further into the core of the network, he said.
Ultimately, the “first and last line of defense” is people, Stewart said, meaning anyone with access to school system networks should undergo regular user training to identify potential cybersecurity threats.
“I suspect that many people believe that it can’t happen to them,” Stewart said. “The bad guys only have to get it right one time. We can never miss.”