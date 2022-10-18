Listen 3 min Comment on this story Comment Gift Article Share

Ransomware gangs are taking Americans to school. So far this year, hackers have taken hostage at least 1,735 schools in 27 districts; the massive Los Angeles Unified School District is their latest target. The tech industry can at least slow this scourge. But educators should not rely only on outside help to fix this problem for them.

Ransomware hackers breach computers, lock them up, steal sensitive data and demand money to release their hold on organizations’ critical systems. These criminals often attack schools because they are profitable targets. If all ransomware victims refused to pay, the attacks would stop. Indeed, paying up might be illegal: The Treasury Department released guidance last year noting that giving money to global criminal organizations can violate sanctions law.

The trouble is, saying no isn’t always easy. Los Angeles didn’t capitulate, and the criminals leaked a trove of data — a consequence that can prove more or less serious depending on the sensitivity of the stolen information. Just the first stage of a ransomware attack, when hackers lock up access to critical systems, can cripple any organization. Schools face the threat of extended disruptions in children’s education. Many schools are doing the math and discovering that paying a ransom costs less than hunkering down.

A broad payment ban is one solution. But some worry such a measure would be too harsh on struggling districts. There are many things to try first. Educational institutions can harden their defenses: Last year’s bipartisan infrastructure law authorized $1 billion to help local governments improve their cybersecurity capabilities — and public schools should be top candidates for fortification. Setting security standards such as mandatory multifactor authentication is a smart start, but few K-12 institutions are full of tech whizzes. They will need plenty of training and support. Offline backups of critical information are also key, so that if the criminals do breach sensitive systems, immediately ejecting them isn’t as essential as it would be otherwise.

Building capacity to oust ransomware attackers from the systems they have locked up is another important line of defense. The same bipartisan law created the Cyber Response and Recovery Fund to provide federal aid to breach victims. It has $20 million per year for five years that, if spent on helping schools after they have been hacked, could help liberate computer systems in institutions that failed to keep the proper backups and to observe good cybersecurity hygiene.

“Because we can,” said a representative of the ransomware gang that took down Los Angeles Unified School District, explaining the collective’s motivations to a Bloomberg News reporter. Schools’ task is to turn “can” to “can’t” — or, at least, to make success pay a whole lot less.

