Corero
Blog & News

School Systems Should Make Sure They Have DDoS Protection

Cybersecurity for K-12 school IT systems is important during ordinary times, but these are not ordinary times. As the COVID-19 pandemic forced many schools across the globe to adopt online/distance learning, it is more important than ever for their IT managers to ensure network security and uptime. Online education is difficult enough without the chaos caused by cyberattacks, especially attacks that disrupt teaching and learning. Pre-pandemic cyberattacks on school systems were not uncommon, but they have increased in the past year. In December 2020, several US federal government agencies issued a Joint Cybersecurity Advisory to warn that threat actors have increased their targeting of K-12 school systems to steal data or disrupt online learning via ransomware, malware, video conference hacking, and distributed denial of service (DDoS) attacks.

In the past year there were several incidents of DDoS attacks on school systems in the US that overwhelmed networks with traffic to force them offline or slow them down. Recently, Miami Today News reported that the Miami-Dade school system may sue its Internet Service Provider for failure to block the DDoS attacks that plagued the schools for the first week of the 2020 fall semester. The school suspected the cause was a DDoS attack, and thought they had DDoS protection; the school system’s Chief Auditor claims that the ISP, Comcast, was under contract to provide DDoS protection all along. According to Miami Today News, “It wasn’t until the morning of Sept. 1 that Comcast determined that the district was, in fact, the victim of DDoS attacks and that the district was not configured by Comcast for automatic [protection] as contracted.” “Online outages lasted for a week until Comcast engineers and the district set up an ‘always on’ system blocking DDoS attacks.” The hard lesson here for school systems is that they should make certain, and not assume, that they have always-on, automated, real-time DDoS mitigation. Responding to the crisis takes time and money, and disrupts operations, but lack of clarity about what kind of protection you do or do not have can make the post-incident resolution more time-consuming and expensive, especially if it involves litigation.

This incident also serves as a reminder to ISPs that they 1) can protect their downstream customers from DDoS attacks and 2) should abide by their service level agreements (SLAs) to provide that protection. Although incidents such as this may be unusual, and litigation may be even rarer, ISPs can suffer damage to brand reputation for failure to meet their SLAs. The pressure for ISPs to perform is greater than ever, because the pandemic has made service availability crucial to remote workforces and education systems alike, both of which depend upon the Internet to conduct business.

It’s worth noting that a 16-year-old was charged with executing the DDoS attacks and used an online service to carry them out; neither fact is surprising, since students are often the threat actors who launch attacks against their own school district or university, and DDoS-for-hire services are easy to find and inexpensive to use.

Even as normal academic life resumes, school systems are still vulnerable to DDoS and other forms of cyberattacks, given that threat actors have an arsenal of sophisticated weapons which they are increasingly using to target victims in nearly every sector and industry.