Senators press CISA to do more to stop K-12 ransomware
Senators asked the new head of the Cybersecurity and Infrastructure Security Agency on Wednesday what more the agency can do to help public school systems across the country to defend themselves from digital threats like ransomware, which has disrupted virtual learning environments, seized up educational IT resources and — in some places — even delayed or canceled classes.
Pressed by Sen. Maggie Hassan, D-N.H., that the federal government “has a responsibility to help protect our communities from these threats,” Brandon Wales, the agency’s acting director, acknowledged that the extortion malware that’s run rampant across state and local networks, hospitals and businesses is an urgent issue.
“Ransomware is quickly becoming a national emergency,” Wales said during his opening statement during a hearing on state and local cybersecurity matters that also touched on the health sector, CISA’s protection of efforts like the Operation Warp Speed vaccine development program and, briefly, election security. The hearing was also the first for Wales, a career Department of Homeland Security official who became CISA’s acting director following the Nov. 17 ouster of Chris Krebs, who was fired by President Donald Trump after the agency repeatedly batted down conspiracy theories claiming Trump’s electoral defeat was the result of fraud.
‘We have a responsibility to help’
Other than brief line of questioning from Sen. Rand Paul, R-Ky., the chairman of the Senate Homeland Security subcommittee on federal spending — during which Wales said “our election security mission continues” — the hearing mostly focused on the ransomware threat to state and local entities, and how great CISA’s role should be in protecting those agencies, especially schools.
“CISA works with all sectors,” Wales told Hassan. “We have a responsibility to help them.”
And though Wales said that “every system owner bears responsibility for what happens on their networks,” he said that CISA tries to share as much information as possible with members of the critical infrastructure groups that it’s charged with protecting.
“It is important that states have as much of our cybersecurity knowledge as possible to safeguard critical systems,” Wales said, noting the agency’s publication of “Cyber Essentials” guides and CISA-funded malicious domain blocking and reporting service that’s administered by the Multi-State Information Sharing and Analysis Center.
Recent ransomware incidents in school systems have had deleterious real-world effects, including the delay of the start of the school year in Hartford, Connecticut, and the cancelation of several days of classes in the past week in Baltimore County, Maryland. Data stolen in an attack against the school system in Fairfax County, Virginia, was published online after administrators refused to pay a demand.
During a later panel, Leslie Torres-Rodriguez, Hartford’s superintendent of schools, said the attack against her system locked officials out of their financial management software for 17 days and required the restoration of more than 10,000 devices used by teachers, students and staff.
At CISA, Wales said there’s been a heightened focus on issues facing schools since the pandemic took hold and forced education systems to become largely virtual operations.
“We have expanded the focus on K-12 from the beginning of the pandemic to help schools on how they can improve cybersecurity for their distance learning,” Wales told Sen. Jacky Rosen, D-Nev. “We need to arm them with the same resources, same information that are offered at no cost to states.”
Still, Wales said, good cyber defenses flow downstream, making it incumbent on states to assist the smaller, local entities.
“If states, cities push that information out even to their smaller school districts, this is the kind of information that’s powerful,” Wales said. “Ransomware operators are looking to make money quickly. If you’ve done the bare minimum, there’s a good chance ransomware actors are going to move on from you.”
Speaking during the second panel, New Hampshire Chief Information Officer Denis Goulet said the rise in cyberattacks against K-12 organizations creates an opportunity to implement a “whole-of-state” approach toward IT security, in which the resources of the state government are leveraged in response to a local crisis.
“If you have a small-staffed school, you can’t throw sophisticated stuff at them,” Goulet said. He said his office has been working with the MS-ISAC on figuring out how to scale its programs designed for state governments to the smallest local levels.
School districts do account for about 20 percent of the MS-ISAC’s membership, which recently eclipsed 10,000 organizations, Wales said during his testimony. But that represents a fraction of K-12 systems nationwide, which number more than 13,000.