There’s no knowing when Warwick Schools could be the target of a cyber attack.
A seemingly normal email with embedded links or a PDF file could pop into the mailbox of any faculty member. A click by just one employee could render the entire school system vulnerable, shutting down operations and losing valuable information all at once.
Or maybe a phony email posing as Superintendent Philip Thornton is sent to a teacher or administrator, expressing that he is in an urgent situation. The request in the email is that the targeted employee purchases Amazon gift cards for him. Once those card numbers are sent back to the attacker, the money’s gone before the superintendent even knows someone was impersonating him.
Last July, Coventry schools were hit with an attack just a few weeks before the current academic year began. Reports said the school department paid around $200,000 worth of cryptocurrency to regain access to its systems. So, if a smaller school district can be targeted and infiltrated, Warwick could be an even bigger target.
Douglas Alexander, Director of Technology for Warwick Public Schools, said Warwick schools could be targeted because they are open by nature. Public schools have to be transparent in what they do, but it makes them easier targets. Alexander mentioned that attackers may target the city’s public schools because they know Warwick, the second most populated city in the state, can pay for any damages with their cyber insurance.
Alexander added that attackers targeting a school might have other intentions than to just demand finances. If a cyber breach occurs, information for both employees and students can be taken – something cyber insurance cannot get back once it’s out.
“People’s identities are worth money,” Alexander said. “And we have the identities and information for children.”
Seeks budget appropriation
Alexander has pushed for cyber security to be on the School Committee’s budget for the past two years. But the cost has made it one of the first items to be cut on both occasions. This year, he said, it has to be a priority.
Alexander presented his findings and suggestions to the School Committee last Tuesday but will now aim to put a detailed budget together to share at a private meeting in March. If the committee adds it to their overall budget, it will come before the City Council for approval.
“I think this year more than ever, we need to find a way to make sure it’s not cut again,” Superintendent Philip Thornton said.
Thornton said that the budget is expected to be finalized soon but may not hit the floor of the City Council until late May or early June.
According to Alexander, some schools have newer heat/ventilation/air conditioning (HVAC) units that are controlled online. The new technology allows a custodian to adjust the temperature inside the building easily by using their phone or computer. But this advanced technology relies on cyber security. Alexander said that the attack at Coventry came during a July heat wave, and because they could not adjust the temperature of their HVAC system, mold began to grow inside the schools. A technology infiltration resulted in hardware problems, so more money had to be used to repair Coventry schools before the first day of classes.
Warwick schools are not without protection, but they could use more. Alexander said some phishing emails have already targeted Warwick school employees and could put them in danger. To train employees to recognize this, he has conducted phishing tests with faculty and staff. He said they have dealt with the situation properly by bringing those suspicious emails to his attention.
According to Mayor Joseph J. Solomon, the city takes part in similar training techniques. A release from Press Secretary Emily Martineau said that Solomon has assembled a cybersecurity response team should a cyber attack occur.
“Additionally, the City of Warwick conducts cyber security training through an online training program, sponsored by the Rhode Island State Police and used throughout the state,” the release reads.
Alexander’s proposed solution to this cyber threat is a multi-layered protection plan and an off-site data center for backup and business continuity. First, Alexander wants to build multiple virtual fences around the city’s public schools to increase detection of any ransomware and combat it before it reaches students, faculty or staff.
“One solution isn’t going to catch it,” Alexander said. “You don’t just rely on one safety net.”
Multiple safety nets
The outermost layer in Alexander’s plan is a perimeter monitor to detect malicious messages. Then comes an intrusion detector that he said is like a motion detector in a building that sends a notification when a suspicious user is using their server. Inside of that layer, a PC antivirus would be installed on all school computers. Alexander was asked at the School Committee meeting on Tuesday which layer he would choose if he had to select only one. He said Cisco Umbrella, the perimeter monitor layer, would be his top pick.
“We ran a trial of Cisco Umbrella a couple years ago. We found crypto-miners…on our kids’ Chromebooks mining for crypto-currency,” Alexander said.
The data center Alexander mentioned would store all school information and would be activated if the primary servers needed to be shut down. Alexander noted that Brown University has an always-active backup center, but said Warwick would not need to pay to keep their backup running constantly. He said powering the data center up when needed and taking perhaps only one day to ramp up would be a more appropriate option.
Because the cost of cyber security is high, Alexander said that in the past it has not been deemed a necessity and was cut from the final budget. He said the cost can be brought down by becoming a member of the Ocean State Higher Education Economic Development and Administrative Network (OSHEAN). According to Alexander, the cost of Cisco Umbrella would drop by two-thirds if they purchased through OSHEAN. He estimated that the price would be somewhere around $15 or $16 per year for one employee, with a total nearing 1,100 full-time employees. That cost, he said, is almost nothing compared to what the damages could cost for just one attack.
“Paying $20, $30, $40 thousand a year versus paying $600,000 in ransom per incident seems like that’s a worthwhile cost.”