Investigating school district cybersecurity attacks

As school district cybersecurity threats are said to increase, the Iowa City Community School District finds new ways to stay protected.

School is back in session across the state, but districts across the country, including neighboring districts, fear class cancellations due to cybersecurity attacks. On July 4, the Cedar Rapids Community School District sent an email to parents and staff stating that the district had experienced a “cyber-security incident” the weekend prior. Summer athletics were put on pause for the week, the district hoping all systems would be restored as “quickly and securely as possible.” It was later revealed in an email from Superintendent Noreen Bush that the district paid a ransom in order to avoid compromised personal data from being released, however, the amount paid and to whom they paid it was not confirmed.
Almost a month later on Aug. 1, the Linn-Mar Community School District superintendent, Shannon Bisgard, announced “technical difficulties” with their computer system. Two days later on Aug. 3, the screenshot was leaked by an anonymous Linn-Mar staff member displaying a threatening message on a district computer. The message, provided by KCRG, read, “All your important documents, photos, [and] databases were stolen and encrypted. …The only method of recovering files is to purchase a unique private key.”
Although posing a major threat as an unknown amount of student and staff data could’ve been compromised, classes began on time at the end of August throughout both districts.
Cybersecurity incidents, instances where an attacker is involved, and data breaches, instances where data is compromised, within school districts are anticipated to increase across the United States as the 2022-2023 school year continues, the Cybersecurity and Infrastructure Security Agency revealed in a statement. The statement went on to explain that although schools with limited cybersecurity are often targeted the most, schools with more cybersecurity are still at risk. An increasing number of school district data breaches increase the risk of not only class cancellations but also compromised student data.
These incidents raised awareness with the Iowa City Community School District, including with Adam Kurth, the district’s Director of Technology and Innovation.

Whether it’s near or not, we immediately will take a closer look at any vulnerabilities that we have. Once we learn how they were compromised, we certainly make sure we can’t be compromised in the same way.

— Adam Kurth

Although both incidents occurred in neighboring districts, Kurth believes that they were not tied to geography. The proximity of these incidents naturally raised concern for the district, however, Kurth points out the true reality of cybersecurity incidents behind the headlines.
“We think of cybersecurity incidents as being semi infrequent, you hear about a big data breach in a school district, there might be one or two of those in a typical year in Iowa. The reality is we’re attacked all the time, we have phishing emails sent to our staff all the time, and by all the time I mean like thousands per day.”

ICCSD requires staff members to engage in training at the beginning of each school year regarding cybersecurity to protect their online interactions. In-depth training for specific staff members dealing with sensitive data is also carried out. The district has also recently launched a two-year program working with a third-party cybersecurity firm to conduct an analysis of policies, network and server systems, along with training protocols. Although Kurth doesn’t quite know what their recommendations will be, he explains that purpose of this program is, “to take a really deep dive into that and figure out what are our strengths, what are we doing well, what are the weaknesses, and what are the threats that we need to address.”
After the Cedar Rapids and Linn-Mar school districts were compromised, Kurth had a chance to collaborate with other districts and decide what crucial steps the state had to take in order to protect Iowa schools from cybersecurity threats and attacks.
ICCSD is a part of “The Urban Education Network”, an organization including 17 Iowa school districts. “We had kind of an emergency call to discuss whether we wanted any collective response and what we did is put together a mission statement and sent this to the state”, Kurth said. “We sent this to the governor’s offices, the legislature, the state department of education, and the [Chief Information Officer’s].”
The Urban Education Network mentioned three main objectives, the first being centralized resources for preparation and response to cybersecurity incidents. They also mentioned specific funding regarding cyber security. This objective is in response to the state’s announcement to increase funding for physical security. The organization’s final request was statewide policies and requirements, such as multi-factor authentication and penetration tests, where a company is hired to attempt to attack a district’s network from both inside and outside, two steps that ICCSD has taken to strengthen its cyber security.
Although Kurth states that policies and training are important to a district’s cyber security, he finds that knowing how to protect yourself online is an invaluable step to decreasing the risk of a serious cybersecurity incident. From implementing lessons about password security in classes as early as kindergarten to providing multi-factor authentication resources, the district is learning ways to teach students how to be safe online.
“I think that the most important, simple message, for people to hear is to simply be careful online and be suspicious online,” Kurth said. According to Kurth, when data is compromised by a hack, it’s not due to sophisticated software. “Usually it’s somebody who sends an email and then somebody who replies and says, ‘oh yeah here’s my social security number.’ It’s those things, those low-tech methods, that is usually how you get compromised.”