Baltimore County schools cyberattack: a warning for the rest of us | COMMENTARY

Darryl L. Williams, Baltimore County Schools Superintendent, speaks at a press conference to update the public on Wednesday's ransomware attack.

The region’s school systems and other public agencies ought to learn a lesson from the Baltimore County School System — don’t take cybersecurity for granted. BCPS is the latest area institution to become the victim of a ransomware scheme that took its computer network hostage, presumably to extort payment. The attack last week forced an education shutdown for several days for the school system’s nearly 115,000 students. Students were set to get back to learning Wednesday, having missed instructional time during a year when educating children is already challenging because of the pandemic.

School officials acknowledge the severity of what happened, describing it as a “catastrophic attack on our technology system.” But they should have been better prepared given increased incidents in general in recent years, and attacks on schools in particular, including in Fairfax County, Virginia. Education-related entities accounted for 63% of malware encounters in the last 30 days, according to Microsoft Security Intelligence. The FBI said this summer that cyber crimes had increased 400% since the pandemic as criminals took advantage of more people moving to online work, shopping and school. That should have put everybody on high alert.


But the results of a recent state audit show the school system didn’t take the threats as seriously as it could have. The report from the Office of Legislative Audits, released shortly after the Thanksgiving week attack, outlined “significant risks” within the BCPS computer network. The “monitoring of security activities over critical systems was not sufficient and its computer network was not properly secured,” the auditors wrote. The auditors also found that “intrusion detection prevention system coverage for untrusted traffic did not exist,” and students were allowed “unnecessary network-level access to administrative servers” within the school system’s data center and individual schools. In addition, the auditors found that the school system didn’t adequately safeguard sensitive personal information.

We don’t know yet if the holes in the system are how the hackers gained entrance. Other factors such as human error can also play a role. For instance, an employee may click on a link in an email that allows an unscrupulous person access to the entire system. But more stringent safeguards certainly can’t hurt, and they will help prevent future attacks; addressing the weaknesses in the Baltimore County School System’s network should be made an immediate priority. Officials can start by following basic security measures, which it appears they haven’t been doing, according to the audit.


Security experts say cybersecurity has not been a priority at many school districts because of costs and other needs that take precedence. But if a school system can no longer function, none of that matters much. The ransomware attack disrupted everything from the district’s website and email system to its grading system.

School systems around the country have found themselves in similar predicaments, forced to cancel classes because of a cyberattack, along with local governments. They’re vulnerable because they tend to have older computer systems and weak security in place. When the city of Baltimore was hit by a ransomware attack in 2019, it had been warned that its computer network was “a natural target for hackers and path for more attacks on the system.”

That’s why school districts throughout the region must use Baltimore County’s troubles as an urgent reminder to immediately beef up their own cybersecurity measures, if they haven’t already, and implement regular training for staff on what they can do to prevent such attacks, such as spotting suspicious web links they may receive via email, or even something as basic as creating strong passwords. Some school districts have also hired companies to conduct fake attacks to find vulnerabilities. Don’t wait until you’re under attack to put up your defenses. Then it’ll be a bigger headache.

Baltimore County school officials must also be more forthcoming with information. They have revealed very few details about the nature of the attack and what was compromised, leaving teachers to speculate on social media that the system may have been a victim of Ryuk ransomware. The school system has not confirmed that; it hasn’t confirmed much of anything, and that is not helping the confidence of parents who are already feeling insecure about their children’s education during a pandemic. They have a right to know what’s going on, whether their child’s personal information has been accessed and what risks they may face. We get that there is an ongoing criminal investigation, but the lack of detail only adds to the anxiety of an already anxious year.

The Baltimore Sun editorial board — made up of Opinion Editor Tricia Bishop, Deputy Editor Andrea K. McDaniels and writer Peter Jensen — offers opinions and analysis on news and issues relevant to readers. It is separate from the newsroom.