This week, one of the largest school districts in the country – Los Angeles Unified School District – was the target of a ransomware attack, causing interruptions in critical systems and requiring more than half a million users to reset their passwords. The Associated Press reports that the attack was discovered late Saturday evening when “unusual activity” was detected. While the malware was ultimately stopped, “key network systems” had been infected, requiring password resets for all the District’s staff and students.
Per the AP:
While there was pressure to cancel school in Los Angeles on Tuesday, officials ultimately decided to stay open.
Had the activity not been discovered on Saturday night, [District Superintendent Alberto] Carvalho said there could have been “catastrophic” consequences.
“If we had lost the ability to run our school buses, over 40,000 of our students would not have been able to get to school, or it would have been a highly disrupted system,” he said.
Let that sink in for a minute. More than 600,000 users had to do a password reset in order to be able to access required educational resources. If each reset takes only three minutes, that’s more than 30,000 hours lost. And what if the school bus systems had gone offline? How would the lives of 40,000 students’ families and guardians have been impacted? Thousands of caregivers would have been late to or absent from their own jobs and other obligations. Thousands of students would have missed a day’s instruction through no fault of their own, and thousands more may have been exposed to personal safety risks if attending school was unexpectedly not an option for that day. Make no mistake: network security in a public school system has a direct and measurable impact on an entire community’s economy, health, and safety.
In light of the attack on LAUSD, the Consortium for School Networking (CoSN), State E-rate Coordinators Alliance (SECA), State Educational Technology Directors Association (SETDA), and Schools, Health & Libraries Broadband (SHLB) Coalition released a joint statement noting in part:
The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have previously warned that educational networks are soft targets and vulnerable to cyber-criminal behavior, but the US government has not done enough to protect these networks from harm… [we] jointly call upon the Federal Communications Commission (FCC) to immediately modernize its definition of “firewalls” to allow E-rate funding to be used to safeguard school and library networks. We also urge the FCC to open a rule-making proceeding and take comment on the Petition filed by our organizations in February 2021 to adopt long-term solutions to this growing cybersecurity crisis.
We completely agree. The E-rate program is uniquely positioned to support not just schools and libraries, but the entire communities they serve by providing access to advanced network security services. Failure to help our schools and libraries with cybersecurity is not only measured in the technical realm with bandwidth, exploits, breaches, and downtime. It also carries a significant socioeconomic burden, and there are no signs that attacks are slowing any time soon. The time for the FCC to take action is now.