The black hats are gunning for us. Where’s the sheriff?

The modern internet, connecting networks around the world, is only about 30 years old. Yet in that time, every facet of our lives has been changed by it.

While the internet has helped everything from hospitals and schools to government and infrastructure work more efficiently, it has also left every organization and every individual using it vulnerable to attack.

An attack on Albany city government in 2019 caused the loss, among other items, of more than a year and a half of police files — records that are necessary for trial. Late last year, Vermont’s largest medical system had to send away hundreds of cancer patients when its internet was attacked and took nearly a month to restore; such hospital systems can literally be a matter of life or death. And just last Friday, Colonial Pipeline, which transports nearly half of East Coast fuel, had to shut down after a cyber attack.

These are not distant events, hurting other people. Right here in our midst, the Guilderland Central School District was attacked on April 29. In-person classes for seventh- through 12th-graders were canceled for four days while the system was restored.

The school district is working with the FBI and the investigation is still ongoing, Superintendent Marie Wiles told The Enterprise this week, so she could not comment on specifics of the attack.

“We depend on the internet so much for school these days, it was really huge for them to be able to turn things around and get us back up and running as quickly as we did,” she said of the district’s technology team, which was helped by the Board of Cooperative Educational Services.

“It was kind of like March all over again,” said Wiles, referencing the abrupt closure of schools over a year ago to stem the spread of the coronavirus. Teachers then taught from home, just as they did in the days after the cyber attack.

The Guilderland schools had reopened in September, offering remote learning at home to any students who chose it. Elementary students were offered in-person classes, seated six feet apart in classrooms, while Guilderland High School students follow a hybrid schedule, alternating in-person and remote classes.

After the attack, the district couldn’t project from the classrooms, and school offices limped along, Wiles said, by using hotspots.

The Guilderland schools are not alone in being attacked. Since the onset of COVID-19 and the increase in remote learning in schools, “malicious activity with ransomware attacks against K-12 educational institutions” has risen sharply, according to the Cybersecurity and Infrastructure Security Agency (CISA), an independent federal agency under the oversight of the Department of Homeland Security.

“Malicious cyber actors are targeting school computer systems, slowing access, and rendering the systems inaccessible to basic functions, including remote learning,” says a fact sheet that CISA developed with the FBI for schools. “In some instances, ransomware actors stole and threatened to leak confidential student data unless institutions paid a ransom.”

Ransomware, explains CISA, is an ever-evolving form of malware designed to encrypt files, making them unusable. Malicious actors then require ransom payments to re-open the files.

“Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid,” says CISA.

While Wiles was unable to comment on whether the Guilderland schools had been told to pay a ransom when some of their systems were encrypted, she did email the school community in the midst of the shutdown, “At this time, we have not confirmed that any sensitive data was compromised, but we will update you as more information becomes available.”

Since March 2020, CISA says, uninvited users have disrupted live-conferenced classroom settings by verbally harassing students, displaying pornography and violent images, and doxing meeting attendees. Doxing means to publicly identify or publish private information about someone.

Cyber actors likely view schools as targets of opportunity, according to a December Joint Cybersecurity Advisory report coauthored by the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

According to MS-ISAC data, the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year. In August and September, 57 percent of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28 percent of all reported ransomware incidents from January through July.

“Whether as collateral for ransomware attacks or to sell on the dark web, cyber actors may seek to exploit the data-rich environment of student information in schools and education technology (edtech) services,” says the Joint Cybersecurity Advisory report. “The need for schools to rapidly transition to distance learning likely contributed to cybersecurity gaps, leaving schools vulnerable to attack.

“In addition, educational institutions that have outsourced their distance learning tools may have lost visibility into data security measures. Cyber actors could view the increased reliance on — and sharp usership growth in — these distance learning services and student data as lucrative targets.”

The FBI and CISA recommend schools review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by cyber actors. The report provides lists of “best practices” for networks, for user awareness, for video-conferencing, for ed-tech implementation, and for malware defense.

This is all sound advice from the federal government but we question whether it is enough.

“The thing with these attacks,” Wiles told us this week, “is you up your protection to a new level and people who are interested in doing this, then up their level … It’s like an arms race back in the day.”

But, with this cyber arms race, there is no détente. There is no motivation for the malicious attackers to stop.

Nicole Perlroth, who has written about the global cyber arms race in her book, “This is How They Tell Me the World Ends,” published in February, suggests our federal government could designate ransomware, like terrorism, as a national security threat so that more intelligence resources would be used to fight it.

Countries, such as Russia, that are safe havens for ransomware gangs, she says, could be subject to sanctions or travel restrictions, thereby pressuring those countries to arrest the ransomware criminals who live there. Further, Perlroth recommends that government agencies and private companies that are hit with ransomware attacks be required to publicly disclose the attacks.

The United States Treasury Department, she recommends, could prohibit victims from paying ransoms — usually in Bitcoin — and tracing the criminals would be easier if know-your-customer rules were used by the banking industry and laws preventing money-laundering were used in cryptocurrency exchanges.

Finally, because victims often don’t know who to turn to when they are targeted, Perlroth recommends setting up a hotline they could easily call. Victims of ransomware are currently advised to report attacks immediately to CISA at www.us-cert.gov/report, a local FBI Field Office, or Secret Service Field Office.

We support these recommendations and hope the recent revelations of attacks on American companies from China and Russia move our federal government to act swiftly to protect us.

In the meantime, we can act locally in our homes or workplaces to follow the guidance offered by CISA. Strong passwords combined with several steps for authentication would help prevent cyber attacks. And organizations should regularly back up copies of their records so they won’t feel like they have to pay to get their own information back.

CISA provides a plethora of online materials — from tip sheets to webinars — to prevent attacks. “Data breaches do not typically happen when a cybercriminal has hacked into an organization’s infrastructure,” notes one recommendation. “Many data breaches can be traced back to a single security vulnerability, phishing attempt, or instance of accidental exposure. Be wary of unusual sources, do not click on unknown links, and delete suspicious messages immediately.”

Phishing schemes, another tipsheet explains, are used by cybercriminals to lure users to click on a link or open an attachment that infects their computers, creating vulnerability to attacks. Phishing emails may appear to come from a real financial institution, e-commerce site, government agency, or any other service, business, or individual.

Wiles, the Guilderland schools superintendent, said that staff, before the cyber attack, had already been trained not to click on unknown emails. “We actually test people where our tech department will send out a fake thing that will tempt you to click on it ...,” she said. “You should never open a link sent to you by someone you’re not 100-percent sure you know.”

Wiles concluded with some good advice for all of us: “You really need to pay attention.”
