Cyber ​​attack on LA schools shows that more action is needed to stop ransomware

A ransomware attack on the Los Angeles Unified School District should serve as a wake-up call to the continued threat to the nation’s critical sectors from cyber-attacks and the need for more aggressive, coordinated action to protect them.

The fracture of the nation second largest school system, with more than 650,000 students and 75,000 employees, forced the closure of some of the district’s computer systems. The only silver lining is that no immediate demand for money was made and the schools opened as scheduled on Sept. 6.

Ransomware attacks are on the rise

My first thought when I heard about the incident was, here we go again. Ransomware attacks on public institutions such as schools, hospitals and municipalities have been increasing in recent years. And it is not just the number of these attacks, but their nature that is so disturbing. They feel particularly egregious for crossing the line from economic crime to disrupting the lives of ordinary Americans, or even putting lives on the line.

In April, the U.S. Department of Health and Human Services issued a warning about an “exceptionally aggressive, financially motivated ransomware group” known as Hive, targeting healthcare organizations. Hive has chased dozens of hospitals and clinics, including an Ohio health system that had to cancel surgeries, reroute patients and switch to paper medical records.

Ransomware attacks on municipalities in the United States have been rampant for years. For example, a 2019 attack on Baltimore left city employees unable to access their email accounts and citizens unable to access websites to pay their water bills, property taxes and parking fines. Anno 2018 ransomware closed down most of Atlanta’s computer systems for five days, including some used to pay bills and access court documents. Instead of paying a $52,000 ransom, Atlanta chose to rebuild its IT infrastructure from scratch, which would cost tens of millions of taxpayers’ dollars.

Growing target for cybercrime

And now schools are moving up the list of cybercriminals’ favorite targets. Two days after the Los Angeles school district learned it had been attacked, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned that the mysterious Vice Society gang, which has admitted responsibility for the breach, and other malicious groups are likely to continue their attacks.

“The consequences of these attacks ranged from restricted access to networks and data, postponed exams, canceled school days, and unauthorized access to and theft of personal information about students and staff,” the agencies’ warning said. “The FBI, CISA and MS-ISAC expect attacks to increase as the 2022/2023 school year begins and criminal ransomware groups see opportunities for successful attacks.”

What’s worse, according to the bureaus, every school district is at risk. “School districts with limited cybersecurity capabilities and limited resources are often the most vulnerable,” the warning said, but “the opportunistic attacks commonly seen by cybercriminals can still compromise school districts with robust cybersecurity programs.”

According to an study according to cybersecurity research firm Comparitech, schools affected by a ransomware attack lose an average of more than four days in downtime and spend nearly 30 days in recovery. The total cost of these attacks is estimated at $3.56 billion.

The vulnerability of schools, hospitals, and communities is a matter of great national concern, and we should all feel frustrated that incidents like the Los Angeles school bombing continue to occur.

When it comes to ransomware, our most crucial settings seem to be stuck in a rinse and repeat cycle. It must be broken. But how?

US government takes action on cybersecurity

The federal government has weighed in on the K-12 Cybersecurity Act. Introduced by Sen. Gary Peters (D-Mich.) and signed into law by President Biden on Oct. 8, the measure directs CISA to study the cybersecurity risks facing elementary and middle schools and recommend guidelines to help schools strengthen their cybersecurity.

Meanwhile, in November 2021, the US Government Accountability Office (GAO) recommended that the Department of Education is working with CISA to develop and maintain a new plan for addressing cybersecurity risks in K-12 schools.

The last such plan “was developed and issued in 2010,” the GAO said, and “since then, the cybersecurity risks facing the subsector have changed significantly.”

While these are potentially useful starts, I’d like to see more recognition that many school districts across the country have limited resources for cyber defense and need more help.

To that end, CISA and law enforcement must work urgently to provide school districts and other critical industries with a simple yet powerful weapon: a standardized plan for preventing and responding to attacks. The more specific the plan, the better.

CISA would be wise to enlist cybersecurity experts from both internal and external entities to put together a prescriptive playbook that municipal IT directors can easily pull out and implement, sort of like a recipe anyone can use to to cook.

The playbook should describe specific configuration settings around things like access controls, network devices, and end-user computer systems. It should specify the types of cybersecurity tools to best deploy and how to configure them, and explicitly state what types of audit logs to collect, where to send them, and how best to use tools to analyze them to determine the to stay ahead of threat actors.

Pooling resources to protect public institutions from cyber-attacks

There are about one million cybersecurity workers in the United States, but according to a report by emsi Burning Glass (now Light cast), a market research company. In light of this, governments have the option to pool their resources to provide cybersecurity as a service, rather than each individual IT service provider having to compete for this already scarce talent.

Governments will want to establish a defensive cybersecurity and threat intelligence service that all their local IT service providers can benefit from – essentially cybersecurity as a service. This would help local IT service providers not have to use their limited manpower and budgets to defend IT services, and instead allow governments to pool their limited cybersecurity talent and funding to provide a comprehensive service for all. It would also enable governments to see cyber-attacks across a broad spectrum and develop defenses that can be applied uniformly to all places so that repeated attacks cannot happen.

Currently, school systems and others are too often left to figure out these important things for themselves, which can lead to confusion, errors and reinventing the wheel.

However, with a detailed yet easy-to-follow primary cybersecurity framework from top government experts, no local entity has to do it when it comes to ransomware. They would have something more like a car manual, a comprehensive set of approved practices to avoid problems.

In short, our precious public institutions should be a harder target for cybercriminals to penetrate. The country should be crying out for that and working harder to make it so.

Michael Mestrovich is chief information security officer at zero trust data security company rubric and former acting CISO at the Central Intelligence Agency.