Date: 2021-11-12
Schools are a troubling frontier for cyber attacks
Cyber threats targeting K-12 schools have surged in recent years and the Education Department isn’t keeping up, a group of Democratic senators says.
Schools have been among the most prominent victims of ransomware attacks, which have drained funds, interrupted distance learning and compromised students’ and teachers’ personal information. But the Education Department’s main planning document for school threats is more than a decade old and deals mostly with physical threats.
Sen. Maggie Hassan (D-N.H.) and several colleagues want the department to update that document to account for the surge in cyber threats, according to a letter shared exclusively with The Cybersecurity 202.
“K-12 schools need additional support, as evidenced by the increasing number of successful cyberattacks on K-12 schools,” the letter states.
Potential steps
The senators also want the department to form two coordinating councils to share government information about digital threats and protections with schools. That would be a first step in making the government’s cyber cooperation with schools look more like it does in other sectors that face outsize threats, such as finance, energy and health care.
They want the department to look for a model in the elections sector, which stood up such councils in the wake of Russian interference in the 2016 election.
The letter cites a not-yet-public Government Accountability Office review that found government’s cyber assistance to schools was hurt by poor planning and that there was confusion about which agency should be taking the lead in the effort.
The report, which was requested by Hassan and Sens. Kyrsten Sinema (D-Ariz.) and Jacky Rosen (D-Nev.), was also shared with The Cybersecurity 202. The letter was written by Hassan, Sinema, Rosen and Sen. Chris Van Hollen (D-Md.).
Who's in charge?
The government response is dogged by confusion about which agency is supposed to be the main cyber liaison to schools.
Education officials repeatedly told GAO that they lacked the authority to update the K-12 threat planning document and that the Cybersecurity and Infrastructure Security Agency was the government’s lead agency for K-12 cybersecurity. They said they hadn’t updated the plan because CISA never told them to.
The auditor disagreed, saying Education’s Office of Safe and Secure Schools should take the lead in updating the document and is required to do so every three years. The agency should turn to CISA for technical expertise about cybersecurity, GAO said.
Despite the disagreement, the Education Department agreed to consult with CISA on updating the long-out-of-date planning guidance.
Ransomware attacks
Cyberattacks against schools were already rising before the pandemic struck. But the damage they cause has been magnified by schools’ increased reliance on technology for distance learning.
- There were 62 publicly reported ransomware attacks against schools in 2019 compared with just 11 in 2018, according to the nonprofit group K-12 Security Information Exchange.
- There were 56 such attacks against schools in 2020 and 77 already this year, according to a database of publicly reported ransomware attacks maintained by cybersecurity researchers at the firm Recorded Future.
The problem may be bad planning more than inadequate cyber resources.
The GAO report rattles off a slew of cyber resources for K-12 schools offered by the Education Department, CISA and FBI, including sensors to detect hacks, cybersecurity training and guidance and regular assessments of schools’ cyber protections.
But schools are often unfamiliar with what the government is offering.
For example, less than one-fifth of school districts nationwide are members of the Multi-State Information Sharing and Analysis Center, a government and industry partnership that provides cyber help to schools and other state and local government entities.
A disturbing trend: The problem of government cyber resources not getting to the people and organizations that need them is a common theme in GAO reports. The watchdog has noted similar problems in recent years in the financial, electric, aviation and chemical facility sectors as well as in the retirement plan industry.
The keys
NSO’s incoming CEO stepped down before even starting the job
In a resignation letter, former telecom executive Isaac Benbenisti cited “the special circumstances that have arisen” in the wake of the Biden administration blacklisting the embattled spyware company. The letter was provided to Reuters’s Steven Scheer and Dan Williams. NSO co-founder Shalev Hulio will remain CEO “for the near future, due to the need for stability and continuity during this period,” according to a company statement published by the Guardian.
NSO had hinted that Benbenisti’s appointment marked a new direction for the company, which has faced a reputational crisis following reports that government clients routinely use its spyware to target journalists and activists. The company was planning to pivot to areas like analytics and defensive cybersecurity, according to a company statement. Benbenisti previously “said in a conversation that NSO is no longer a ‘naughty child’ but a company with global impact,” according to Israel’s Mako news.
Benbenisti’s resignation rounds out a bad week for NSO. A U.S. appeals court on Monday declined to halt a lawsuit brought by WhatsApp that could force NSO to disclose sensitive documents. Days earlier, the Biden administration blocked the company from using U.S. technology. That will make NSO's operations more difficult, though it’s not clear whether other countries will follow Washington’s lead. (Our colleague Miriam Berger contributed to this report.)
The bad news for NSO doesn’t stop there
A Palestinian government official said NSO’s Pegasus spyware was found on the phones of three senior Palestinian diplomats. A “professional Palestinian institution” inspected the phones, Assistant Foreign Minister Ahmed al-Deek told the Associated Press. The claims have not been independently verified by technical experts, as most other claims about Pegasus have been.
Al-Deek accused Israel's government of hacking the diplomats. “Of course it’s the Israelis,” he told the New York Times. “They are the only ones that are capable and interested in doing that. And yes, we do accuse them of this attack.”
The claims come just days after researchers announced that six Palestinian activists were hacked with NSO spyware from July 2020 to April 2021. At least three of the activists were affiliated with rights organizations that Israel designated as terrorist groups in late October. An NSO spokeswoman declined to comment to the New York Times.
A sophisticated hacking group is targeting visitors to Hong Kong websites, researchers say
The hackers hid malware in sites belonging to a Hong Kong media outlet and pro-democracy group, Motherboard’s Lorenzo Franceschi-Bicchierai writes. The hacking was consistent with a government-backed hacking group but researchers don’t have enough evidence to definitively attribute it, Google Threat Analysis Group head Shane Huntley told Franceschi-Bicchierai. The hackers exploited a previously unknown bug in Apple systems, the researchers said.
Hong Kong was previously largely independent from China but has come increasingly under Beijing’s grasp. China imposed a national security law on Hong Kong in 2020, which gives Chinese authorities more power to send in troops and conduct surveillance and has been used to stifle dissent.
Apple fixed the vulnerability in an update released Sept. 23, according to the researchers.
Chat room
SANS Institute founder Alan Paller died this week, according to a statement from the organization, which is a top cybersecurity training company. Paller was most recently president of the National Cyber Scholarship Foundation. Cybersecurity practitioners and journalists shared memories of Paller and condolences, among them SANS Technology Institute Dean of Research Johannes Ullrich; Rob Joyce, who leads the National Security Agency’s cybersecurity directorate; our colleague Ellen Nakashima; Daniel Chenok, executive director of the IBM Center for the Business of Government; and cybersecurity journalist Brian Krebs.
Daybook
- CISA chief of staff Kiersten Todt speaks at a Charter of Trust event on critical infrastructure resilience on Monday at 11 a.m.
- The Aspen Institute’s Commission on Information Disorder launches its final set of recommendations for addressing misinformation and disinformation on Monday at 3 p.m.
- Homeland Security Secretary Alejandro Mayorkas testifies before the Senate Judiciary Committee on Tuesday at 10 a.m.
- The House Oversight and Reform Committee holds a hearing on ways to disrupt ransomware groups on Tuesday at 10 a.m.
- The House Homeland Security Committee hosts a hearing on the Department of Homeland Security’s role in combating ransomware on Wednesday at 10 a.m.
- National Cyber Director Chris Inglis, Deputy Assistant Secretary of Defense Mieke Eoyang, Member of the European Parliament Bart Groothuis and House Armed Services Committee cybersecurity subcommittee chairman Rep. Jim Langevin (D-R.I.) speak at the CyberNextDC conference on Thursday.
- CISA Director Jen Easterly; Gen. Paul M. Nakasone, who leads the National Security Agency and U.S. Cyber Command; Senate Homeland Security Committee Chairman Gary Peters (D-Mich.); and Federal Chief Information Security Officer Chris DeRusha speak at Palo Alto Networks’s Public Sector Ignite ‘21 conference on Thursday.
- Suresh Venkatasubramanian, the White House Office of Science and Technology Policy’s assistant director of science and justice, speaks at a New America event on an AI Bill of Rights on Thursday at 2 p.m.
Secure log off
I somehow even got Sinema wrong. Had to triple check it in today's newsletter. Thanks for reading. See you Monday.