Education Security Government

White House Holds First-Ever Summit On the Ransomware Crisis Plaguing the Nation's Public Schools (pbs.org) 76

The White House on Tuesday held its first-ever cybersecurity "summit" on the ransomware attacks plaguing U.S. schools, in which criminal hackers have dumped online sensitive student data, including medical records, psychiatric evaluations and even sexual assault reports. PBS reports: At least 48 districts have been hit by ransomware attacks this year -- already three more than in all of 2022, according to the cybersecurity firm Emsisoft. All but 10 had data stolen, the firm reported. Typically, Russian-speaking foreign-based gangs steal the data -- sometimes including the Social Security numbers and financial data of district staff -- before activating network-encrypting malware, then threaten to dump it online unless paid in cryptocurrency. "Last school year, schools in Arizona, California, Washington, Massachusetts, West Virginia, Minnesota, New Hampshire and Michigan were all victims of major cyber attacks," the deputy national security advisor for cyber, Anne Neuberger, told the summit.

An October 2022 report from the Government Accountability Office, a federal watchdog agency, found that more than 1.2 million students were affected in 2020 alone -- with lost learning ranging from three days to three weeks. Nearly one in three U.S. districts had been breached by the end of 2021, according to a survey by the Center for Internet Security, a federally funded nonprofit. "Do not underestimate the ruthlessness of those who would do us harm," said Homeland Security Secretary Alejandro Mayorkas during the summit, noting that even reports on suicide attempts have been dumped online by criminal extortionists and urging educators to avail themselves of federal resources already available.

Among measures announced at the summit: The Cybersecurity and Infrastructure Security Agency will step up tailored security assessments for the K-12 sector while technology providers, including Amazon Web Services, Google and Cloudflare, are offering grants and other support. A pilot proposed by Federal Communications Commission Chair Jessica Rosenworcel -- yet to be voted on by the agency -- would make $200 million available over three years to strengthen cyber defense in schools and libraries.

  • A lesson to learn on display,
    If you leave doors ajar,
    Security won't go far,
    Penetrated, your data might stray!

    • In the realm where networks connect,
      A risky path some select.
      Through gaps in defense,
      Intruders commence,
      Penetration's price they collect!

    • by xeoron ( 639412 )
      And if you have iPadOS/ChromeOS it keeps being, thus far, immune to these attacks in those environments. Does not mean it does not affect all the other systems, just that coping with recovery gets a lot easier when you can hand Chromebooks to staff until their Windows devices are cleaned and various network services are back.
  • by ne0n ( 884282 ) on Tuesday August 08, 2023 @09:32PM (#63751996) Homepage
    There's no reason schools should have their records accessible from outside. Nor should they run Windows. Air gap those motherfuckers.
    • Re: (Score:1, Informative)

      by guruevi ( 827432 )

      There's no reason those schools should even have the records, period. They have proven they can't keep them safe. Back in the day, we didn't keep medical records in school, if you got sick, your parents were to pick you up or if it was real bad, an ambulance was called.

      • Fuck school in the first place, amirite?

      • Back in the day, there was a school nurse who kept paper records on students with specific conditions. Computerized records in my district kept a one character health code per student, and that code was printed in the class roster that the teacher kept in the classroom. Teachers also had a sheet that listed the meanings of the health codes. The two that I recall were seizure disorder and ulcerative colitis, both directly relevant for immediate safety and decency in a classroom setting. Early 70s, 911 no
      • And then someone's kid broke a fingernail at school and the parents hit the school with a $10M negligence lawsuit, after which things changed...
    • There's no reason schools should have their records accessible from outside. Nor should they run Windows. Air gap those motherfuckers.

      This.

      And if your school is also still forcing students to carry around those old-fashioned things called books, then revert to them and prove why you're still carrying that corrupt book contract.

    • by AmiMoJo ( 196126 )

      There goes remote learning. Would probably become an ADA issue.

    • You mean that lesson they should have learned 40 years ago when War Games hit the theaters?
  • Running one public school district should be pretty much the same as running another. Yet every school district has its own unique collection of software tools, processes and procedures. Where are the states? Or the ridiculous US Department of Education? Why are all of these districts on their own when it comes to buying and configuring technology? The way we go about this is completely nuts. We need School Tech as a Service (STaaS) to support our school districts.
    • STaaS must use Windows for schools at $25/mo seat

    • Re: (Score:3, Informative)

      by Moryath ( 553296 )

      Conservative states have been defunding and demanding schools "do more with less" for decades now. And the statewide infrastructure isn't any better.

      Just look at Texas, the TEA still requires schools (especially charter schools) to upload reports through an ancient and crappily maintained interface that requires a user to be running Internet Explorer. It desperately needs replacing but that would require spending money and hiring actual professionals, which won't happen while crazy creationist cultists of

      • "Conservative states have been defunding and demanding schools "do more with less" for decades now. "

        But the fine article says the list of victims includes California, Washington, Massachusetts, and Minnesota. None of those states are conservative. In fact I believe they are all one party socialist worker's paradises.

        Your wrath seems to be badly misguided.

        • You [intentionally] left out Arizona and West Virginia. Minnesota is all red counties except for population centers. Michigan was listed as well, and they are another red county state with a blue population center.
      • Citation please.
    • by Anonymous Coward

      Running one public school district should be pretty much the same as running another. Yet every school district has its own unique collection of software tools, processes and procedures. Where are the states? Or the ridiculous US Department of Education? Why are all of these districts on their own when it comes to buying and configuring technology? The way we go about this is completely nuts. We need School Tech as a Service (STaaS) to support our school districts.

      Why do we need to have more than one political party? Why do we even have 50 individual States when we are a United States?

      Careful what you ask for. Next thing you know your government will become the kind of entity they have been describing as "evil" for decades.

  • ...how about all the dummies just stop putting computers with sensitive student data on the fucking internet like morons.

    Solving the problem really that easy.

  • Most public schools have the lamest IT infrastructure pennies can buy. Stop funding the schools who buy consumer grade network equipment (not to name names, what the hell, UBIQUITI I'm talking about you) and hire the principal's nephew (who has subscribed to PC Magazine for the last 3 years) to be their district wide IT Director (might have to pay more than $60K/year to get real qualified IT people).

  • Going old fashioned hardcopy records is still often the most secure solution, and it has a many-centuries-long track record of working. It even has the advantage of putting a human in the loop for every access to the data. Computers are not always the answer.

  • by bradley13 ( 1118935 ) on Wednesday August 09, 2023 @02:14AM (#63752382) Homepage

    First, ransomware gangs are scum. With that obvious statement out of the way: 28 school districts is a fraction of a percent of the school districts in the US. The problem is not that big. This is not something that should be discussed at the federal level at all, much less at the level of the President.

    Second, and more importantly, there is zero reason why a ransomware attack should lead to lost learning time. Teachers can still teach.

    Finally, we see the actual reason for this article: "Education tech experts...lamented that limited federal funds currently exist for them to tackle a scourge..." Someone is looking for pork. Schools work best when they are run locally. Federal programs (like NCLB) have proven many times that federal involvement is counterproductive. But the feds are great at spending other people's money, and those "education tech experts" smell a payday.

    • The problem is not that big. This is not something that should be discussed at the federal level at all, much less at the level of the President.

      It was either this, or answer questions about Hunter, so...clickbait it is.

  • Today's word is "W" .. the root cause of the malware infestation, whose name must never be mentioned /s
  • In countries where governments control the money in schools and hospitals you find ransomware attacks are rare because governments will never pay, giving little reason to attack them. Why go to the effort if you know you will never get paid?

    I realise it is different in the USA where schools and hospitals are basically privately run businesses and therefore paying up is seen by victims as the cheap option. I do wonder if making paying ransomware operators illegal, how much that would reduce the number o
    • by guruevi ( 827432 )

      Why do you have to lie? There are plenty of articles about schools in the UK, Netherlands, Germany being attacked by ransomware and that is just this year's reports. I'm sure you didn't hear about the MOVEit breach and the number of European institutions that are on the list.

      Just because you don't speak the language and thus don't see the news in your curated feeds, doesn't mean it doesn't happen. Infrastructure and funding for schools in Europe is probably even more atrocious than the US.

      • by ukoda ( 537183 )
        Lie, what lies? Are those UK etc schools public or private? Name a single government run school in the UK, Netherlands, Germany who paid a non-trivial ransomware demand. I bet the ones that did were all private schools. The thing with trying to get money out of governments in countries with low corruption rates is it is near impossible for hackers. Here in New Zealand we have only had one hospital hacked. The hackers got nothing. Yes it took weeks to recover normal operations but no other public hospi
        • by guruevi ( 827432 )

          Very few schools or hospitals in the US are paying either, hence they dump the data online in a desperate attempt to still extort the place. The University of Maastricht in Netherlands paid 30 bitcoins, a government institution, notable because they actually made a profit on the Bitcoins when police recovered them.

          The primary problem is finding whether an institution paid the ransomware, because the criminals and the organizations keep it as quiet as possible. If you have cyberinsurance, in many cases, they

          • by ukoda ( 537183 )
            Good reply, needs up rated as informative. No university here could pay, there is simply no procedure available to staff to pay non-trivial amounts. I wonder if in the University of Maastricht case if they allowed it as they were doing it as part of tracking the hackers and expected to recover the money?

            You are probably right about automated attacks, but for big budget attacks you would need to manually work out how backups were being handled and deal with that first, to stop them locking the hackers ou
            • by guruevi ( 827432 )

              Speaking from experience, you’d be surprised to hear, MOST ORGANIZATIONS do not have proper backup and restore procedures. I would guess 30% don’t have them, 60-70% that have them never test them and well over 90% are unlikely to hit either or both of their RTO and RPO.

              Yes, if you are targeting a high profile system as a foreign state entity, you don’t use ‘regular’ ransomware, but for most attacks it is just boring, even if they end up recovering from backup, you have still st

    • No, most primary and secondary schools in the US are run by the local governments. And the high-profile breach cited at the beginning of the article was at the LA Unified School District, which is run by the city of Los Angeles.

      But forget about making the ransom payments illegal, instead make it illegal for a government at any level to buy, hold or use any cryptocurrency, making it pointless to target them. Unless someone wants to try and hop a flight from Moscow and collect cash in person.

      • by ukoda ( 537183 )
        Sound idea. Why are schools being targeted in the USA if they are government run? Are they actually paying up sometimes?

        Here in New Zealand we have had one hospital attacked a while back. Not sure about schools, must be rare as I would normally remember if one had been attacked. In the case of the hospital it took several weeks to restore operation but the hackers got nothing for their effort. Not sure WTF they thought would happen? There is no way for a hospital or school here to pay a hacker, as
  • ahh windows (Score:4, Interesting)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday August 09, 2023 @08:07AM (#63752778) Homepage Journal

    You can't solve this problem by continuing to use the absolutely lowest quality software.

  • Public schools are a nest of incompetence. Ransomware exploits just one type of their incompetence.

  • I do not think it's something the Federal government, which does not have an extra $0.50 lying around let alone $200 mil, should be trying to take responsibility for.

    Schools are a STATE matter, let the States fund a security push. It's their job, not DC's.
