Just two weeks into the school year, the Rialto schools in California had to shut down virtual instruction for a week due to a malware attack.
Designed to disrupt or gain access to a school's network, the malware attack also forced the 25,500-student district to collect-and fix-thousands of school-issued digital devices. Staffers wore masks and gloves as they worked, to protect themselves from potential COVID-19 infection.
Cyberattacks on school districts are nothing new. In fact, there have been nearly a thousand such incidents since January of 2016, according to the K-12 Cybersecurity Research Center.
But, as schools nationwide are engaged in full-time remote instruction or a hybrid of in-person and virtual learning, such attacks are arguably even more disruptive, both to students' educational as well as social and emotional needs.
"I thought to myself, why would somebody do this to students? They are already going through so much," said Syeda Jafri, a spokeswoman for the Rialto district. She noted that many children in the district had lost a relative to the virus or had someone close to them get very sick. "COVID is disheartening enough for children. It's just one more layer of chaos that could have been eliminated."
What's more, with so many students taking classes only from home, a cyberattack can have an outsized impact on schooling.
"If a school experiences a cyber incident and even a significant one in normal times, you still have a teacher in the classroom with students," said Doug Levin, the founder and president of the K-12 Cybersecurity Resource Center. In that scenario, teachers "may not be able to follow their lesson plan, but can still do valuable things with that time. But if a cyber incident occurs in times of remote learning, the loss of that online access stops teaching and learning in its tracks."
Plus, cyberattacks compound what is already a tense and difficult time for schools. "Everybody is on edge and has very little tolerance for these sorts of disruptions," Levin said.
Not only are cyberattacks more troublesome at a time when virtual learning is at its peak, they appear to be on the rise since the beginning of this school year, said Levin, who has been tracking cyberattacks on schools since early 2016.
So far, there have been 220 attacks for the 2020 calendar year, compared with 348 for the full 2019 calendar year. But the start of the school year is bringing a wave of new disruptions, Levin said. "The cyber hackers are back at work," he said. "Since Aug. 1, I'm seeing a spike for sure."
This school year, Levin says, there have been, on average, two hacks a day. That's unusually high, even for the start of a school year, when hacks tend to spike, he added.
So how can school districts prepare for the possibility of an attack?
Levin suggested including not just IT staff, but the legal counsel and public relations department in creating a plan for how to handle a cyberattack. Districts should also know who their law enforcement contacts are, and consider having a cybersecurity firm on retainer that can help with recovery and forensics.
And he suggests that districts advocate for resources to help build up their IT capacity, team up with nonprofits for cyber security monitoring, and partner with other school systems.
Communicating clearly with parents, teachers, and the community is also key, said Patty Mazur, a spokeswoman for the 25,000 student Toledo school district in Ohio, which experienced an attack on Sept. 8, the first day of school. At the time, teachers were working from their classrooms in school buildings, while students were home, online.
The district recognized almost immediately that something was up.
"Around noon, we started hearing from schools that were losing their internet connection," said Mazur. Some teachers were able to continue instruction using hotspots, but many had to stop teaching.
The district quickly launched a forensic search of its computer system. The pause in learning was relatively short-lived, with classes fully back online about a day and half later. The district also contacted the FBI, which is looking into the attack, Mazur said.
"It was just one more challenge that COVID-19 has put in our paths for getting ready for the 2020-21 school year," Mazur said. Her advice to other districts: Put out crisp, accurate information on the problem for the public. "Stay on top of it, be upfront," and be sure that you have all the facts straight, so that you don't have to backtrack, she said.
In Connecticut, the 18,000-student Hartford Public Schools had planned to open on Sept. 8, for both in-person and online instruction. But the district suffered a malware attack that disrupted the system the district uses to communicate transportation routes with its bus company, Leslie Torres-Rodriguez, the district superintendent, told NBC Connecticut. The district's learning management system wasn't affected, she said. Hartford was able to resume classes the following day.
Sometimes, students are behind the attacks. That was the case in Miami-Dade, the nation's fourth largest district, which experienced a spate of technical glitches in its first week of instruction, beginning Aug. 31. A 16-year-old student used an online application to carry out the attacks and has been charged in connection with them, according to a statement from the 345,000-student district.
"It is disheartening that one of our own students has admitted to intentionally causing this kind of disruption," said Superintendent of Schools Alberto M. Carvalho in a statement.
And in Virginia, the state's largest system, Fairfax County Schools, was hacked this month. The attackers are asking for a ransom payment. They have threatened to disclose personal information, including student disciplinary records and grades, according to WRC-TV in Washington. The 187,000-student school system is working with law enforcement to resolve the problem.
Smaller districts haven't been immune from cyberattacks, either. The 7,000-student Haywood school district in North Carolina's Appalachian Mountains, had to pause its all-virtual instruction for a week, due to an attack that is now under federal investigation.
The superintendent, Bill Nolte, suggests that districts make sure their networks are in good shape before an attack happens, since that will make an attack easier to fix. And he urges districts to "call on every available resource"-local, state, and federal-to fix the problem.
"Things happen and the question is: how do you respond?" he asked.