Expert Reaction On Broward District Attacker Demanded $40Mil Ransom

The attack on Broward County Public Schools is yet another example of how ransomware gangs haven’t missed a beat in preying on the security vulnerabilities associated with remote learning. While there have been numerous attacks targeting education institutions over the last couple of weeks, this specific attack is unique in that its ransom demand was one of the highest ever. Given that every major attack sets a precedent for others to emulate, we’ll likely see other threat actors one-up each other  beyond what is currently making headlines. 

While never paying a ransom demand is certainly best practice, sometimes businesses don’t take the necessary precautions that would give them a way out. This includes conducting regular vulnerability and risk assessments, which helps companies understand their level of risk. Ideally, this will be done by automating scanning and remediation processes to reduce IT team fatigue and improve productivity. Additionally, IT security teams should take a backup of confidential data, ensuring their data remains protected and recoverable in times of crisis.

This particular threat actor group is woefully underinformed, and based on their ransomware assumptions, is likely not from the US.

US school districts may appear to some have large budgets, but almost all of those budgets are committed to ongoing expenses that are deeply and contractually committed. There’s little to no discretionary budget, and even core resources are underfunded.  Not all that long ago, my public school textbooks were covered in years’ worth of markings from other students, and were written decades ago, back in the 70s and 80s. 

That the threat actors asked for $40 million and said they’d done their research merely proved that they were grossly uninformed. Asking for such an amount and saying you’ve done the research shows that.

Demanding such high ransomware from a school district also shows the worst of criminal intent – especially at a time when schools are struggling to sustain education in the midst of the pandemic, while taking on the added missions of reaching those kids suffering from food insecurity and unsafe home lives. Every independent security researcher and legitimate hacker group out there is trying to prevent exactly this sort of problem.

This attack underscores why cybersecurity for our public schools and local governmental agencies Must be part of the Infrastructure bill now being debated. 

The commercial and industrial sectors are learning that if they don’t invest in cybersecurity, they ultimately don’t have a product. The same holds true for the public sector – if local and state governments don’t invest in cybersecurity, they can’t effectively offer services and protect citizens’ data. Ultimately it impedes their ability to serve democracy on even the most basic levels, including protecting our childrens’ futures and offering fair and honest elections.

School systems will remain top targets, both because they don’t have the funds or resources to put security first, and because the PII of children can be so lucrative.

Once threat actors get ahold of kids identities, they can take advantage and place victims’ lives and well-being at risk, both immediately and then down the road. The first clue a child might get that their identity has been stolen could be years down the road, when they’re turned down for college loans or credit. Kids have become automatic targets at young age.

Now more than ever, we’ve got to support school infrastructures, including development of urgently needed cybersecurity infrastructure.

It’s understood and is heartening that the massive infrastructure bill now being debated includes funding for cleaner and less plastic-laden water, safer transportation, the addressing of racial opportunity inequities, cleaner air and other urgent needs. The securing of kids’ identities is another critical element in securing our future, and that starts with establishing the cybersecurity infrastructure of our local school districts and local governmental cybersecurity.