Schools Already Struggled With Cybersecurity. Then Came Covid-19
By Lily Hay Newman
A lack of dedicated funding and resources made it hard to keep data secure—and that was before classes moved almost entirely online. THIS TIME LAST year, Jaggar Henry was enjoying the summer like so many other teens. The 17-year-old had a job, was hanging out with friends on the weekends, and just generally spending a lot of time online. But then, at the end of July,
Henry combed his hair, donned a slightly oversized Oxford shirt, and appeared before his school district’s board in Polk County, Florida—one of the larger school districts in the US—to outline a slew of security flaws he had found in its digital systems. His presentation was the culmination of months of work and focused on software used by more than 100,000 students. Those vulnerabilities have been fixed, but Henry, who now works full time on education technology, says that his experience illustrates the challenges facing school districts across the United States—and a problem that’s grown more acute in the wake of Covid-19. The coronavirus pandemic has had major cybersecurity implications around the world. Tailored phishing attacks and contact-tracing scams prey on fear and uncertainty. Fraudsters are targeting economic relief and unemployment payments. The stakes are higher than ever for ransomware attacks that target health care providers and other critical infrastructure. For businesses, the transition to remote work has created new exposures and magnified existing ones.
School districts in the United States already had significant cybersecurity shortcomings. They often lack dedicated funding and skilled personnel to continuously vet and improve cybersecurity defenses. As a result, many schools make basic system setup errors or leave old vulnerabilities unpatched—essentially propping a door open for hackers and scammers. Schools and students also face potential exposure from third-party education technology firms that fail to adequately secure data in their platforms.
The pandemic amplified these risks, as school districts around the country transitioned to distance learning in the spring. Suddenly, millions of teachers and students relied on video chat software, lesson portals, digital message boards, and other online tools. If these systems are set up without proper authentication and controls, any of them can potentially become vectors for attack. And tools to access school networks remotely, including VPNs and Remote Desktop Protocol, can be abused by attackers to gain unauthorized access to sensitive systems. Last week, the Federal Bureau of Investigation issued a security alert about the threat of ransomware to schools amidst the Covid-19 crisis. “K-12 institutions have limited resources to dedicate to network defense, leaving them vulnerable to cyber attacks,” the FBI warned, according to a ZDNet report.
In the past 30 days, more than 4.7 million malware incidents were detected in the education industry broadly worldwide, according to Microsoft’s Global Threat Activity tracker—more than 60 percent of all the corporate and institutional malware incidents reported during that time. The next most affected sector is what Microsoft calls “business and professional services,” with fewer than 1 million incidents. “Many schools are ill-equipped to securely migrate to a completely digital learning experience, so it comes as absolutely no surprise that these vulnerabilities are so prevalent,” says Henry. “School districts are scrambling, and threat actors know this.”
Henry says he first became interested in probing his own school’s digital systems after hearing how much they cost. Polk County is the seventh-largest school district in Florida, with more than 100,000 students, and in recent years it had been spending millions of dollars to develop an enrollment system called Delta and to contract for a new “Student Information System” from an outside vendor. The school board reportedly made the switch with security in mind. Henry first reported flaws in the school’s new SIS implementation in September 2018, though. The following March, he found data exposed in Delta. The application accessed students’ identifying information, like Social Security numbers, through an application programming interface. Henry realized that he could manipulate the API to spit out other students’ results simply by changing an internal reference ID number the app used to keep track of each student.
Another issue Henry found was in the way Polk County used Microsoft SharePoint platform, a collaboration and storage tool, to manage data. He noticed that students and teachers were lumped together in a Sharepoint “user group” and had all been granted the same access to files stored in the system. This meant that students could access anything on the Sharepoint, including each others’ data. One file was labeled as containing student usernames and passwords and was simply an unlocked, plaintext spreadsheet of student login credentials for school accounts.
Polk County Schools did not return a request for comment on Henry’s research. At the July 2019 meeting where Henry shared his findings, though, members of the school board appeared to support his work. “I’ve directed him multiple times to our IT staff,” Billy Townsend, the school board representative for Polk County’s District 1, said. “I think he’s done some very useful things, from what I understand. I think we should take seriously what he’s saying.” Henry also found and reported similar vulnerabilities in the systems of two private Florida universities last year. He says that making all of these discoveries while he was still a student motivated him to pursue a career in ed-tech cybersecurity.
“When I took a look, there was so much that was vulnerable—just a stupid amount of vulnerability,” Henry says. “It doesn’t feel good. When you participate in a capture-the-flag hacker competition or do a cool bug bounty, it feels good to find stuff, but you see these flaws in education systems and there’s nothing to be proud of as a researcher. You changed a number or you just looked! I’m not some genius. It’s just very obvious that nobody else is looking.” After some especially dramatic cyberattacks against schools in the fall, including multiple situations where districts had to cancel class because of ransomware attacks, researchers say that there started to be momentum toward making cybersecurity a priority in school systems around the country. But Doug Levin, founder of the consulting firm EdTech Strategies, which compiles data on K-12 cybersecurity incidents, says all of that ground to a halt when the Covid-19 pandemic hit.
“Suddenly everything shifted on a dime,” Levin says, recalling how schools raced to set up infrastructure for online learning en masse. “It went into that mode where everything is built with rubber bands and toothpicks. Get everyone working and learning remotely, distribute devices to students, connect to local printers, deal with forgotten passwords, whatever. People should be concerned about the technical decisions they were making. And even with a bit more time to plan for the fall, it’s all still very fluid.” There’s no single, comprehensive source of reporting on K-12 digital security incidents in the US. Levin created the Cyber Incident Map to track as many publicly disclosed attacks as possible—compiled from legal disclosures, news reports, and research findings. But the tracker likely undercounts actual total incidents by a significant margin, since so many are kept under wraps and never go public.
In the past three months, Levin has been surprised to see a decrease in the number of public accounts of K-12 cyber attacks, though they’re certainly not gone altogether. It’s unclear if this actually represents a downtick in the number of incidents or whether other factors are at play. Levin also points out that there may be a new digital infection spike in the fall when students, teachers, and administrators physically go back to school and plug their devices into hardwired networks for the first time in months. While the pandemic has fueled new exposures, it has also simply accelerated a digitization that was already in progress across K-12 education—a phenomenon seen in virtually every industry. Given the cracks that already existed in schools’ digital defenses, it’s more vital than ever to take precautions now.