Louisiana Gov. John Bel Edwards declared a statewide emergency Wednesday following a series of cyberattacks that have disabled computer systems in three school districts in the northern part of the state. While the incidents appear to be limited to the three districts, Edwards said he made the declaration in part out of concern that the attacks could spread to other parts of local or state government.
“The state was made aware of a malware attack on a few north Louisiana school systems and we have been coordinating a response ever since,” Edwards said.
The specific nature of the cyberattacks, which are impacting IT infrastructure in schools in Morehouse, Ouachita and Sabine parishes, has not been revealed, though they appear to have started more than two weeks ago. An alert on the website of the Monroe City School System, in Ouachita Parish, states it experienced a “disruption” on July 8. The Sabine Parish schools said Wednesday that it was hit by an “electronic virus” on Sunday that has disabled some technology systems, including phones at the district’s central office. Digital phone systems are known to be vulnerable to ransomware attacks, though none of the attacks against the Louisiana schools have been publicly identified as using ransomware.
While the cyberattacks against the school districts had already been referred to state and federal investigators, Edwards’ emergency declaration frees up a host of additional resources to potentially mitigate the incidents. The attacks will now be investigated by cybersecurity experts from the Louisiana National Guard, Louisiana State Police and the state’s Office of Technology Services, as well as Louisiana State University. But as a formal emergency, the response will be led by the state Office of Homeland Security and Emergency Preparedness, often the lead agency in natural disasters like hurricanes.
It’s the first time in Louisiana’s history that a cyberattack is being addressed like a disaster, but there is precedent for this approach. Colorado became the first state to treat a cyberattack like a major disaster in March 2018 after its Department of Transportation was compromised by the ransomware virus known as SamSam. That declaration, by then-Gov. John Hickenlooper, came after more than a week of the Office of Information Technology struggling to repair nearly 2,000 infected devices with a small staff working long hours and subsisting on junk food.
Following Hickenlooper’s emergency declaration, oversight of the response to the cyberattack was given to the Colorado Office of Emergency Management, which adapted its natural-disaster playbook for an IT security situation, creating a unified command structure and bringing in the National Guard and support personnel from other states. Colorado’s response has since been held up as a model by the National Governors Association, which now advises states to develop response plans that put cyberattacks on the same level of severity as natural disasters or acts of physical terrorism.
In Louisiana, responsibility for drawing up an emergency response plan for cyberattacks falls on the Louisiana Cybersecurity Commission, a 15-member board comprised of state officials, private-sector executives and academics, that Edwards created in 2017.
“This is exactly why we established the Cyber Security Commission, focused on preparing for, responding to and preventing cybersecurity attacks, and we are well-positioned to assist local governments as they battle this current threat,” Edwards said Wednesday.